| Message ID | 20210829221615.2057201-1-eric.dumazet@gmail.com |
|---|---|
| Headers | show |
| Series | inet: make exception handling less predictible | expand |
On 8/29/21 3:16 PM, Eric Dumazet wrote: > From: Eric Dumazet <edumazet@google.com> > > Even after commit 6457378fe796 ("ipv4: use siphash instead of Jenkins in > fnhe_hashfun()"), an attacker can still use brute force to learn > some secrets from a victim linux host. > > One way to defeat these attacks is to make the max depth of the hash > table bucket a random value. > > Before this patch, each bucket of the hash table used to store exceptions > could contain 6 items under attack. > > After the patch, each bucket would contains a random number of items, > between 6 and 10. The attacker can no longer infer secrets. > > This is slightly increasing memory size used by the hash table, > by 50% in average, we do not expect this to be a problem. > > This patch is more complex than the prior one (IPv6 equivalent), > because IPv4 was reusing the oldest entry. > Since we need to be able to evict more than one entry per > update_or_create_fnhe() call, I had to replace > fnhe_oldest() with fnhe_remove_oldest(). > > Also note that we will queue extra kfree_rcu() calls under stress, > which hopefully wont be a too big issue. > > Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions.") > Signed-off-by: Eric Dumazet <edumazet@google.com> > Reported-by: Keyu Man <kman001@ucr.edu> > Cc: Willy Tarreau <w@1wt.eu> > Signed-off-by: David S. Miller <davem@davemloft.net> > --- > net/ipv4/route.c | 44 +++++++++++++++++++++++++++++--------------- > 1 file changed, 29 insertions(+), 15 deletions(-) > Reviewed-by: David Ahern <dsahern@kernel.org> Tested-by: David Ahern <dsahern@kernel.org>
Thanks Eric and others for fixing the bug! Keyu Man On 8/29/2021 3:16 PM, Eric Dumazet wrote: > From: Eric Dumazet <edumazet@google.com> > > This second round of patches is addressing Keyu Man recommendations > to make linux hosts more robust against a class of brute force attacks. > > Eric Dumazet (2): > ipv6: make exception cache less predictible > ipv4: make exception cache less predictible > > net/ipv4/route.c | 44 +++++++++++++++++++++++++++++--------------- > net/ipv6/route.c | 5 ++++- > 2 files changed, 33 insertions(+), 16 deletions(-) >
From: Eric Dumazet <edumazet@google.com> This second round of patches is addressing Keyu Man recommendations to make linux hosts more robust against a class of brute force attacks. Eric Dumazet (2): ipv6: make exception cache less predictible ipv4: make exception cache less predictible net/ipv4/route.c | 44 +++++++++++++++++++++++++++++--------------- net/ipv6/route.c | 5 ++++- 2 files changed, 33 insertions(+), 16 deletions(-)