From: Edwin Peer <edwin.peer@broadcom.com>
To: David Ahern <dsahern@gmail.com>
Cc: netdev <netdev@vger.kernel.org>, Jakub Kicinski <kuba@kernel.org>,
Andrew Gospodarek <andrew.gospodarek@broadcom.com>,
Michael Chan <michael.chan@broadcom.com>,
Stephen Hemminger <stephen@networkplumber.org>,
Michal Kubecek <mkubecek@suse.cz>
Subject: Re: [PATCH net-next 1/4] netlink: truncate overlength attribute list in nla_nest_end()
Date: Sat, 23 Jan 2021 12:42:28 -0800 [thread overview]
Message-ID: <CAKOOJTwKK5AgTf+g5LS4MMwR_HwbdFS6U7SFH0jZe8FuJMgNgA@mail.gmail.com> (raw)
In-Reply-To: <1dc163b0-d4b0-8f6c-d047-7eae6dc918c4@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2672 bytes --]
On Sat, Jan 23, 2021 at 11:14 AM David Ahern <dsahern@gmail.com> wrote:
> > Marking truncated attributes, such that user space can determine
> > the precise attribute truncated, by means of an additional bit in
> > the nla_type was considered and rejected. The NLA_F_NESTED and
> > NLA_F_NET_BYTEORDER flags are supposed to be mutually exclusive.
> > So, in theory, the latter bit could have been redefined for nested
> > attributes in order to indicate truncation, but user space tools
> > (most notably iproute2) cannot be relied on to honor NLA_TYPE_MASK,
> > resulting in alteration of the perceived nla_type and subsequent
> > catastrophic failure.
>
> Did you look at using NETLINK_CB / netlink_skb_parms to keep a running
> length of nested attributes to avoid the need to trim?
I did not, but thinking about it now, I don't think that's necessarily
the way to go. We shouldn't be concerned about the cost of iterating
over the list and trimming the skb for what should be a rare exception
path. Ideally, we want to make sure at compile time (by having correct
code) that we don't ever exceed this limit at run time. Perhaps we
should investigate static analysis approaches to prove nla_len can't
be exceeded?
Tracking the outer nest length during nla_put() would provide for
convenient error indication at the precise location where things go
wrong, but that's a fair amount of housekeeping that isn't free of
complexity and run time cost either. Instead of rarely (if ever)
undoing work, we'll always do extra work that we hardly ever need.
Then, if nla_put() can detect nesting errors, there's the issue of
what to do in the case of errors. Case in point, the IFLA_VFINFO_LIST
scenario would now require explicit error handling in the generator
logic, because we can't fail hard at that point. We would need to be
sure we propagate all possible nesting errors up to a common location
(probably where the nest ends, which is where we're dealing with the
problem in this solution), set the truncated flag and carry on (for
the same net effect the trim in nla_nest_end() has). If there are
other cases we don't know about today, they might turn from soft fails
into hard errors, breaking existing user space. Truncating the list is
the only non-obtrusive solution to any existing brokenness that is
guaranteed to not make things worse, but we can't know where we need
to do that apriori and would need to explicitly handle each case as
they come up.
Hard errors on nest overflow can only reliably work for new code. That
is, assuming it is tested to the extremes when it goes in, not after
user space comes to rely on the broken behavior.
Regards,
Edwin Peer
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4160 bytes --]
next prev parent reply other threads:[~2021-01-23 20:44 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-23 4:53 [PATCH net-next 0/4] support for 256 VFs in RTM_GETLINK Edwin Peer
2021-01-23 4:53 ` [PATCH net-next 1/4] netlink: truncate overlength attribute list in nla_nest_end() Edwin Peer
2021-01-23 19:14 ` David Ahern
2021-01-23 20:42 ` Edwin Peer [this message]
2021-01-23 21:03 ` Edwin Peer
2021-01-26 4:56 ` David Ahern
2021-01-26 17:51 ` Edwin Peer
2023-06-05 7:28 ` Gal Pressman
2023-06-05 18:58 ` Jakub Kicinski
2023-06-05 19:27 ` Edwin Peer
2023-06-06 8:01 ` Gal Pressman
2023-06-06 16:17 ` Jakub Kicinski
2023-06-07 13:31 ` Gal Pressman
2023-06-07 16:33 ` Jakub Kicinski
2023-06-07 16:52 ` Stephen Hemminger
2023-06-07 17:29 ` Jakub Kicinski
2021-01-26 4:50 ` David Ahern
2021-01-26 1:43 ` Jakub Kicinski
2021-01-23 4:53 ` [PATCH net-next 2/4] rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO Edwin Peer
2021-01-26 1:55 ` Jakub Kicinski
2021-01-26 22:48 ` Edwin Peer
2021-01-23 4:53 ` [PATCH net-next 3/4] rtnetlink: refactor IFLA_VF_INFO stats into rtnl_fill_vfstats() Edwin Peer
2021-01-23 4:53 ` [PATCH net-next 4/4] rtnetlink: promote IFLA_VF_STATS to same level as IFLA_VF_INFO Edwin Peer
2021-01-26 2:01 ` Jakub Kicinski
2021-01-26 14:50 ` Edwin Peer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKOOJTwKK5AgTf+g5LS4MMwR_HwbdFS6U7SFH0jZe8FuJMgNgA@mail.gmail.com \
--to=edwin.peer@broadcom.com \
--cc=andrew.gospodarek@broadcom.com \
--cc=dsahern@gmail.com \
--cc=kuba@kernel.org \
--cc=michael.chan@broadcom.com \
--cc=mkubecek@suse.cz \
--cc=netdev@vger.kernel.org \
--cc=stephen@networkplumber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).