Received: by 2002:a05:6358:bb9e:b0:b9:5105:a5b4 with SMTP id df30csp5939703rwb; Wed, 7 Sep 2022 10:06:47 -0700 (PDT) X-Google-Smtp-Source: AA6agR7AEycIgGcktLLc0ooT5IK0biwh8VAtqGBXg3IOIpmha6Dl0DQid4ZXHVJgdSILa6yIopQk X-Received: by 2002:a17:90b:1b08:b0:1f5:b65:9654 with SMTP id nu8-20020a17090b1b0800b001f50b659654mr5093752pjb.77.1662570407590; Wed, 07 Sep 2022 10:06:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1662570407; cv=none; d=google.com; s=arc-20160816; b=MvUIOo5IMs2Z3Ol9cqvPduDrGay8DlPeY19mXIP24f3m0u8YzOi6NhO1ZGA0gSLfCM YdmGmFyQYE8O8+VuE3ZnI/EKB1fKmGuCBedRbsA7SaetxroU7HqzMhA0nbHokm/C8x82 Qo5IzP1HphEZjWi3odF5Tkt30wm8dyY/jLJd86NeyfdtLzgrcSdCg9IZMLiJj+E/OyiC 58Oxx3L7xCGk/LRK6FBZyeM9sm0oG4GBbNJGBAW3t3+dCW6kcGnjczMSO9XKQe5dW48e Q4Gv8GmItStdHt3P+KxvSCQ1quqLGPns0dawGKJyeNnwcHqH3iLf9aVn85CHvs33WZKh pZIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=hLyrjDAXFGcKrBQvO2vsySR9eSdav05DqWhM1DrTM6w=; b=pB2z22JEw2BqChdOZD32ZXczpln+MTyMmFyuK2nfNOkwoAtLLU0NrEvwI16eaJYsA1 bz+7qKpi3OkPHeiZld+i/ypgmjMQ97MosM69mRCRQuNOrAJRwqxTzcXrFzTUUio3Qrdq iZ9oruukby0h+Reaa6Gf+L83zqR2Wm4CjJl6J94o+nbzpa/dQB/1X9jaRRVc6EqZeVFD FE8BEfLm9k65ENVcCzdAYsyRJEykxXqkQW0HoOCY0r1NK+3L/Z/pjscC40oQj/WLS8bK M+POIn8fb9+SEZAyntRVFmQjmu9tc+VlTFmyTLzBz8YaRby5cYDmQlIpa4Gj0k0ImgyX 3mAw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=kzTpMwIC; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f24-20020a631f18000000b0043447486c84si11039303pgf.875.2022.09.07.10.06.06; Wed, 07 Sep 2022 10:06:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=kzTpMwIC; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230049AbiIGREo (ORCPT + 99 others); Wed, 7 Sep 2022 13:04:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34914 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230077AbiIGREn (ORCPT ); Wed, 7 Sep 2022 13:04:43 -0400 Received: from mail-yw1-x112f.google.com (mail-yw1-x112f.google.com [IPv6:2607:f8b0:4864:20::112f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CD6B3D105 for ; Wed, 7 Sep 2022 10:04:40 -0700 (PDT) Received: by mail-yw1-x112f.google.com with SMTP id 00721157ae682-3452214cec6so92543457b3.1 for ; Wed, 07 Sep 2022 10:04:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=hLyrjDAXFGcKrBQvO2vsySR9eSdav05DqWhM1DrTM6w=; b=kzTpMwICMFv0pmARBUEcUnfZg1NJ3terhdZgPs0jgweZObfTivz+51xhwcI+eGtziI SPo4Vt3ENKnX06k7No8dIPawE+AXH8ekiD5rpIOH5Tah0qXfmTbVx6ip1lP8sNcTD0bw tDJ2CbO0PAu9y4Y4mAfjPn/5Ve7iQ+LwEhahTG3JUP2t6Xnze7VGpnyD+Kh35+Hvn/vl wIQhj/fLXTyoj/SR5oczmY0rKeQvGC4mROOVeES80WaiTiNcSSNP8ux08F4+S9FTpfiF 6a0e7HrNRcWPh3UEylSZYZGNb2wKeE/KFU3tU+qHsBjwoKot5MHwRb83I8G5IHuxrC3f ft7w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=hLyrjDAXFGcKrBQvO2vsySR9eSdav05DqWhM1DrTM6w=; b=MF1ZpjmQITwIzVfgnuh8PmgJeOGaAqytXrwffRaGSpbVvbcWPfLdMNpUO2nNx9vAOj lrQCIs+qkCrrygRF/NuYodzFMW3acuW/hZgEZ1ArIVZFqFe9ZI0Ar6/rMUb6XmjQZnJa IiO9eQ8Ke+YdXTQVvmfGz6m+CcACp7KlVWi+S6vsZvPHPRASUMrDbmtcpKt+bTL/NUC4 yAM3L8UaHY5HxJa70dAy4L7gjpK2JYOMMXjwrLxzR1YDoajHwzk0Jlt5GeaMhYUJlsuE EKzMP7yZ1nMtTYai8sDwHdq0VTUHXqqMurHY1s9wH8YIfahYoh6E5QQM+7KwmkPgwjE1 ra7w== X-Gm-Message-State: ACgBeo1kfwcXTAY4FgLnrvByRhzKghYUxAjuzI/YiKgiM+5xyzjCj/pO d/fUwNwK4WrVE5Da7HqGyaH2b5bhjhzGoEKzkThC1g== X-Received: by 2002:a81:4fce:0:b0:344:fba8:cb88 with SMTP id d197-20020a814fce000000b00344fba8cb88mr4110212ywb.278.1662570279401; Wed, 07 Sep 2022 10:04:39 -0700 (PDT) MIME-Version: 1.0 References: <298e4e87ce3a822b4217b309438483959082e6bb.1662361354.git.cdleonard@gmail.com> In-Reply-To: From: Eric Dumazet Date: Wed, 7 Sep 2022 10:04:28 -0700 Message-ID: Subject: Re: [PATCH v8 08/26] tcp: authopt: Disable via sysctl by default To: Leonard Crestez Cc: David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri , Salam Noureddine , Philip Paeps , Shuah Khan , "David S. Miller" , Herbert Xu , Kuniyuki Iwashima , Hideaki YOSHIFUJI , Jakub Kicinski , Yuchung Cheng , Mat Martineau , Christoph Paasch , Ivan Delalande , Caowangbao , Priyaranjan Jha , netdev , "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" , "open list:KERNEL SELFTEST FRAMEWORK" , LKML Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Wed, Sep 7, 2022 at 9:53 AM Leonard Crestez wrote: > > On 9/7/22 02:11, Eric Dumazet wrote: > > On Mon, Sep 5, 2022 at 12:06 AM Leonard Crestez wrote: > >> > >> This is mainly intended to protect against local privilege escalations > >> through a rarely used feature so it is deliberately not namespaced. > >> > >> Enforcement is only at the setsockopt level, this should be enough to > >> ensure that the tcp_authopt_needed static key never turns on. > >> > >> No effort is made to handle disabling when the feature is already in > >> use. > >> > >> Signed-off-by: Leonard Crestez > >> --- > >> Documentation/networking/ip-sysctl.rst | 6 ++++ > >> include/net/tcp_authopt.h | 1 + > >> net/ipv4/sysctl_net_ipv4.c | 39 ++++++++++++++++++++++++++ > >> net/ipv4/tcp_authopt.c | 25 +++++++++++++++++ > >> 4 files changed, 71 insertions(+) > >> > >> diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst > >> index a759872a2883..41be0e69d767 100644 > >> --- a/Documentation/networking/ip-sysctl.rst > >> +++ b/Documentation/networking/ip-sysctl.rst > >> @@ -1038,10 +1038,16 @@ tcp_challenge_ack_limit - INTEGER > >> Note that this per netns rate limit can allow some side channel > >> attacks and probably should not be enabled. > >> TCP stack implements per TCP socket limits anyway. > >> Default: INT_MAX (unlimited) > >> > >> +tcp_authopt - BOOLEAN > >> + Enable the TCP Authentication Option (RFC5925), a replacement for TCP > >> + MD5 Signatures (RFC2835). > >> + > >> + Default: 0 > >> + > > ... > > >> +#ifdef CONFIG_TCP_AUTHOPT > >> +static int proc_tcp_authopt(struct ctl_table *ctl, > >> + int write, void *buffer, size_t *lenp, > >> + loff_t *ppos) > >> +{ > >> + int val = sysctl_tcp_authopt; > > > > val = READ_ONCE(sysctl_tcp_authopt); > > > >> + struct ctl_table tmp = { > >> + .data = &val, > >> + .mode = ctl->mode, > >> + .maxlen = sizeof(val), > >> + .extra1 = SYSCTL_ZERO, > >> + .extra2 = SYSCTL_ONE, > >> + }; > >> + int err; > >> + > >> + err = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); > >> + if (err) > >> + return err; > >> + if (sysctl_tcp_authopt && !val) { > > > > READ_ONCE(sysctl_tcp_authopt) > > > > Note that this test would still be racy, because another cpu might > > change sysctl_tcp_authopt right after the read. > > What meaningful races are possible here? This is a variable that changes > from 0 to 1 at most once. Two cpus can issue writes of 0 and 1 values at the same time. Depending on scheduling writing the 0 can 'win' the race and overwrite the value back to 0. This is in clear violation of the claim you are making (that the sysctl can only go once from 0 to 1) > > In theory if two processes attempt to assign "non-zero" at the same time > then one will "win" and the other will get an error but races between > userspace writing different values are possible for any sysctl. The > solution seems to be "write sysctls from a single place". > > All the checks are in sockopts - in theory if the sysctl is written on > one CPU then a sockopt can still fail on another CPU until caches are > flushed. Is this what you're worried about? > > In theory doing READ_ONCE might incur a slight penalty on sockopt but > not noticeable. Not at all. There is _no_ penalty using READ_ONCE(). Unless it is done in a loop and this prevents some compiler optimization. Please use WRITE_ONCE() and READ_ONCE() for all sysctl values used in TCP stack (and elsewhere) See all the silly patches we had recently. > > > > >> + net_warn_ratelimited("Enabling TCP Authentication Option is permanent\n"); > >> + return -EINVAL; > >> + } > >> + sysctl_tcp_authopt = val; > > > > WRITE_ONCE(sysctl_tcp_authopt, val), or even better: > > > > if (val) > > cmpxchg(&sysctl_tcp_authopt, 0, val); > > > >> + return 0; > >> +} > >> +#endif > >> + > > This would be useful if we did any sort of initialization here but we > don't. Crypto is initialized somewhere completely different.