From: Doug Ledford <dledford@redhat.com>
To: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Tom Talpey <tom@talpey.com>,
"'Christoph Hellwig'" <hch@infradead.org>,
Sagi Grimberg <sagig@dev.mellanox.co.il>,
Steve Wise <swise@opengridcomputing.com>,
sagig@mellanox.com, ogerlitz@mellanox.com, roid@mellanox.com,
linux-rdma@vger.kernel.org, eli@mellanox.com,
target-devel@vger.kernel.org, linux-nfs@vger.kernel.org,
trond.myklebust@primarydata.com, bfields@fieldses.org,
Oren Duer <oren@mellanox.com>
Subject: Re: [PATCH V3 1/5] RDMA/core: Transport-independent access flags
Date: Fri, 10 Jul 2015 18:27:59 -0400 [thread overview]
Message-ID: <55A046EF.1060800@redhat.com> (raw)
In-Reply-To: <20150710205706.GA7883@obsidianresearch.com>
[-- Attachment #1: Type: text/plain, Size: 2772 bytes --]
On 07/10/2015 04:57 PM, Jason Gunthorpe wrote:
> On Fri, Jul 10, 2015 at 01:56:36PM -0400, Doug Ledford wrote:
>
>> Are there security issues? Yes. Are we going to solve them in this
>> patch set? No. Especially since those security issues extend beyond
>> iSER + iWARP.
>
> I think my biggest concern is we don't inadvertently open a security
> hole on a machine that just happens to have an iwarp card installed,
> but has nothing to do with HPC.
Given the number of Chelsio cards utilized in things like TCP Offload
and iSCSI offload situations versus HPC, this isn't an unreasonable
thing to consider. However, the attack vector is limited to a situation
where all of the below are true:
1) An RDMA connection exists or can be created (TOE and iSCSI offload do
not do this, so something else would have to be listening and accepting
incoming RDMA connections)
2) A global rkey exists (so it's not sufficient that any old RDMA app be
running, at least one app/ULP *must* create the global writable rkey)
3) The QP of the RDMA connection belongs to the same PD as the global
rkey (so our attack surface is limited to the bad server app/ULP and the
existence of this does not put other apps/ULPs at risk)
4) For maximum damage, the global rkey must also belong to an app/ULP
with elevated privilege or direct memory access (kernel ULPs are prime
targets, as a user app would have a mapped address space and the global
rkey in its domain would apply to it's process space, limiting the
damage that can be done).
Given all these requirements, I don't see this as a possibility. In
order to be at risk, there *must* be a listening app/ULP, and we should
be able to print out a nice, dire warning in dmesg if that app/ULP opens
itself up in this way.
> The clearest scary path I see is a server listening on a QP and using
> IB_ACCESS_REMOTE_WRITE. That sure looks easy to exploit.
This goes back to the trust domain. For a server, you simply can't
allow untrusted clients. Period. But that's easy enough to do with
access controls and connection filtering. The app/ULP itself doesn't
even need to be filter aware as you can do the filtering in the TCP
stack on the primary listening socket using the netfilter tools. And
that goes back to the kernel warning I referred to in my previous email.
Let users know what module is making this risky decision and it becomes
easy to filter any ports that module's services are listening on.
> A client doing this.. It is alot harder to exploit.. iSER is client
> only, so less worrying. Can anyone else think of a way to attack the
> client?
TCP injection only is all I've got.
--
Doug Ledford <dledford@redhat.com>
GPG KeyID: 0E572FDD
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 884 bytes --]
next prev parent reply other threads:[~2015-07-10 22:28 UTC|newest]
Thread overview: 132+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-05 23:21 [PATCH V3 0/5] Transport-independent MRs Steve Wise
2015-07-05 23:22 ` [PATCH V3 1/5] RDMA/core: Transport-independent access flags Steve Wise
2015-07-06 5:25 ` Christoph Hellwig
2015-07-06 14:23 ` Steve Wise
2015-07-07 8:58 ` 'Christoph Hellwig'
2015-07-06 7:09 ` Haggai Eran
2015-07-06 14:29 ` Steve Wise
2015-07-07 14:17 ` Steve Wise
2015-07-07 14:34 ` Haggai Eran
2015-07-07 14:46 ` Steve Wise
2015-07-07 15:07 ` Haggai Eran
2015-07-06 7:53 ` Sagi Grimberg
2015-07-06 14:37 ` Steve Wise
2015-07-06 16:17 ` Sagi Grimberg
2015-07-06 16:55 ` Steve Wise
2015-07-07 9:00 ` Christoph Hellwig
2015-07-07 9:14 ` Sagi Grimberg
2015-07-07 14:05 ` Steve Wise
2015-07-07 16:17 ` Jason Gunthorpe
2015-07-07 16:27 ` Sagi Grimberg
2015-07-07 21:36 ` Jason Gunthorpe
2015-07-08 7:29 ` Sagi Grimberg
2015-07-08 8:13 ` 'Christoph Hellwig'
2015-07-08 10:05 ` Sagi Grimberg
2015-07-08 10:20 ` 'Christoph Hellwig'
2015-07-08 11:08 ` Sagi Grimberg
2015-07-08 17:14 ` Hefty, Sean
2015-07-09 8:46 ` Sagi Grimberg
2015-07-09 13:52 ` Chuck Lever
2015-07-10 19:34 ` Christoph Hellwig
2015-07-12 7:49 ` Sagi Grimberg
2015-07-13 16:50 ` Jason Gunthorpe
2015-07-14 8:06 ` Sagi Grimberg
2015-07-14 12:24 ` Tom Talpey
2015-07-14 13:21 ` Sagi Grimberg
2015-07-23 0:43 ` Hefty, Sean
2015-07-08 19:08 ` Jason Gunthorpe
2015-07-08 20:32 ` 'Christoph Hellwig'
2015-07-08 20:37 ` 'Christoph Hellwig'
2015-07-09 0:03 ` Jason Gunthorpe
2015-07-09 8:00 ` 'Christoph Hellwig'
2015-07-09 8:58 ` Sagi Grimberg
2015-07-09 22:18 ` Doug Ledford
2015-07-09 22:53 ` Jason Gunthorpe
2015-07-10 13:22 ` Tom Talpey
2015-07-10 16:11 ` Jason Gunthorpe
2015-07-10 17:56 ` Doug Ledford
2015-07-10 18:34 ` Chuck Lever
2015-07-10 18:42 ` Tom Talpey
2015-07-10 19:54 ` Jason Gunthorpe
2015-07-10 20:48 ` Jason Gunthorpe
2015-07-10 22:33 ` Doug Ledford
2015-07-11 10:17 ` 'Christoph Hellwig'
2015-07-13 16:57 ` Jason Gunthorpe
2015-07-14 7:25 ` 'Christoph Hellwig'
2015-07-14 9:05 ` Sagi Grimberg
2015-07-14 15:35 ` 'Christoph Hellwig'
2015-07-14 17:26 ` Jason Gunthorpe
2015-07-15 7:10 ` Sagi Grimberg
2015-07-10 22:30 ` Doug Ledford
2015-07-10 20:57 ` Jason Gunthorpe
2015-07-10 22:27 ` Doug Ledford [this message]
[not found] ` <20150710233417.GA8919@obsidianresearch.com>
2015-07-11 3:10 ` Doug Ledford
2015-07-13 17:18 ` Jason Gunthorpe
2015-07-13 22:23 ` Tom Talpey
2015-07-11 16:37 ` Steve Wise
2015-07-12 10:46 ` Sagi Grimberg
2015-07-14 19:25 ` Steve Wise
2015-07-14 19:29 ` Jason Gunthorpe
2015-07-14 19:32 ` Steve Wise
2015-07-14 19:37 ` Jason Gunthorpe
2015-07-14 19:55 ` 'Christoph Hellwig'
2015-07-14 20:10 ` Steve Wise
2015-07-14 20:29 ` Jason Gunthorpe
2015-07-14 20:40 ` Steve Wise
2015-07-14 20:44 ` Jason Gunthorpe
2015-07-14 20:54 ` Steve Wise
2015-07-14 20:59 ` Jason Gunthorpe
2015-07-14 20:50 ` Tom Talpey
2015-07-15 6:50 ` 'Christoph Hellwig'
2015-07-15 19:12 ` Jason Gunthorpe
2015-07-16 6:41 ` Jason Gunthorpe
2015-07-16 8:04 ` 'Christoph Hellwig'
2015-07-16 16:13 ` Jason Gunthorpe
2015-07-15 8:47 ` Sagi Grimberg
2015-07-15 12:19 ` 'Christoph Hellwig'
2015-07-15 19:17 ` Jason Gunthorpe
2015-07-14 20:46 ` Tom Talpey
2015-07-14 19:45 ` 'Christoph Hellwig'
2015-07-14 19:57 ` Jason Gunthorpe
2015-07-14 19:58 ` Steve Wise
2015-07-14 20:41 ` Jason Gunthorpe
2015-07-14 20:51 ` Steve Wise
2015-07-14 21:01 ` Steve Wise
2015-07-14 21:14 ` Jason Gunthorpe
2015-07-23 18:53 ` Hefty, Sean
2015-07-23 19:03 ` Steve Wise
2015-07-23 23:30 ` Hefty, Sean
2015-07-23 23:53 ` Jason Gunthorpe
2015-07-24 0:18 ` Hefty, Sean
2015-07-24 4:46 ` Jason Gunthorpe
2015-07-09 8:47 ` Sagi Grimberg
2015-07-08 21:38 ` Tom Talpey
2015-07-08 23:36 ` Jason Gunthorpe
2015-07-09 11:02 ` Sagi Grimberg
2015-07-09 17:01 ` Jason Gunthorpe
2015-07-09 20:00 ` Tom Talpey
2015-07-09 21:16 ` Jason Gunthorpe
2015-07-11 10:25 ` 'Christoph Hellwig'
2015-07-13 16:35 ` Jason Gunthorpe
2015-07-13 19:36 ` Tom Talpey
2015-07-13 20:15 ` Jason Gunthorpe
2015-07-14 9:10 ` Sagi Grimberg
2015-07-14 15:36 ` 'Christoph Hellwig'
2015-07-14 15:47 ` Tom Talpey
2015-07-14 16:22 ` Jason Gunthorpe
2015-07-14 7:37 ` 'Christoph Hellwig'
2015-07-14 9:22 ` Sagi Grimberg
2015-07-14 12:12 ` Tom Talpey
2015-07-14 13:23 ` Sagi Grimberg
2015-07-14 14:45 ` Steve Wise
2015-07-14 15:40 ` 'Christoph Hellwig'
2015-07-08 8:11 ` 'Christoph Hellwig'
2015-07-06 7:58 ` Sagi Grimberg
2015-07-06 14:39 ` Steve Wise
2015-07-05 23:22 ` [PATCH V3 2/5] RDMA/iser: Use transport independent MR allocation Steve Wise
2015-07-05 23:22 ` [PATCH V3 3/5] RDMA/isert: " Steve Wise
2015-07-05 23:22 ` [PATCH V3 4/5] svcrdma: " Steve Wise
2015-07-05 23:22 ` [PATCH V3 5/5] xprtrdma: " Steve Wise
2015-07-06 5:25 ` [PATCH V3 0/5] Transport-independent MRs Christoph Hellwig
2015-07-06 14:24 ` Steve Wise
2015-07-07 9:01 ` 'Christoph Hellwig'
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55A046EF.1060800@redhat.com \
--to=dledford@redhat.com \
--cc=bfields@fieldses.org \
--cc=eli@mellanox.com \
--cc=hch@infradead.org \
--cc=jgunthorpe@obsidianresearch.com \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=ogerlitz@mellanox.com \
--cc=oren@mellanox.com \
--cc=roid@mellanox.com \
--cc=sagig@dev.mellanox.co.il \
--cc=sagig@mellanox.com \
--cc=swise@opengridcomputing.com \
--cc=target-devel@vger.kernel.org \
--cc=tom@talpey.com \
--cc=trond.myklebust@primarydata.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).