
[net,1/2] ipv6: make exception cache less predictible

Message ID 20210829221615.2057201-2-eric.dumazet@gmail.com
State New
Series inet: make exception handling less predictible

Commit Message

Eric Dumazet Aug. 29, 2021, 10:16 p.m. UTC
From: Eric Dumazet <edumazet@google.com>

Even after commit 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()"),
an attacker can still use brute force to learn some secrets from a victim
linux host.

One way to defeat these attacks is to make the max depth of the hash
table bucket a random value.

Before this patch, each bucket of the hash table used to store exceptions
could contain 6 items under attack.

After the patch, each bucket would contain a random number of items,
between 6 and 10. The attacker can no longer infer secrets.

This is slightly increasing memory size used by the hash table,
we do not expect this to be a problem.

Following patch is dealing with the same issue in IPv4.

Fixes: 35732d01fe31 ("ipv6: introduce a hash table to store dst cache")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Keyu Man <kman001@ucr.edu>
Cc: Wei Wang <weiwan@google.com>
Cc: Martin KaFai Lau <kafai@fb.com>
---
 net/ipv6/route.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

David Ahern Aug. 30, 2021, 12:39 a.m. UTC | #1
On 8/29/21 3:16 PM, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@google.com>
>
> Even after commit 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()"),
> an attacker can still use brute force to learn some secrets from a victim
> linux host.
>
> One way to defeat these attacks is to make the max depth of the hash
> table bucket a random value.
>
> Before this patch, each bucket of the hash table used to store exceptions
> could contain 6 items under attack.
>
> After the patch, each bucket would contain a random number of items,
> between 6 and 10. The attacker can no longer infer secrets.
>
> This is slightly increasing memory size used by the hash table,
> we do not expect this to be a problem.
>
> Following patch is dealing with the same issue in IPv4.
>
> Fixes: 35732d01fe31 ("ipv6: introduce a hash table to store dst cache")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: Keyu Man <kman001@ucr.edu>
> Cc: Wei Wang <weiwan@google.com>
> Cc: Martin KaFai Lau <kafai@fb.com>
> ---
>  net/ipv6/route.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>

Reviewed-by: David Ahern <dsahern@kernel.org>

Wei Wang Aug. 30, 2021, 3:54 p.m. UTC | #2
On Sun, Aug 29, 2021 at 5:39 PM David Ahern <dsahern@gmail.com> wrote:
>
> On 8/29/21 3:16 PM, Eric Dumazet wrote:
> > From: Eric Dumazet <edumazet@google.com>
> >
> > Even after commit 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()"),
> > an attacker can still use brute force to learn some secrets from a victim
> > linux host.
> >
> > One way to defeat these attacks is to make the max depth of the hash
> > table bucket a random value.
> >
> > Before this patch, each bucket of the hash table used to store exceptions
> > could contain 6 items under attack.
> >
> > After the patch, each bucket would contain a random number of items,
> > between 6 and 10. The attacker can no longer infer secrets.
> >
> > This is slightly increasing memory size used by the hash table,
> > we do not expect this to be a problem.
> >
> > Following patch is dealing with the same issue in IPv4.
> >
> > Fixes: 35732d01fe31 ("ipv6: introduce a hash table to store dst cache")
> > Signed-off-by: Eric Dumazet <edumazet@google.com>
> > Reported-by: Keyu Man <kman001@ucr.edu>
> > Cc: Wei Wang <weiwan@google.com>
> > Cc: Martin KaFai Lau <kafai@fb.com>
> > ---
> >  net/ipv6/route.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> >
>
> Reviewed-by: David Ahern <dsahern@kernel.org>
>

Reviewed-by: Wei Wang <weiwan@google.com>

Thanks Eric!

Patch

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index c5e8ecb96426bda619fe242351e40dcf6ff68bcf..60334030210192660a7fa141163f36af7489d0ae 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1657,6 +1657,7 @@  static int rt6_insert_exception(struct rt6_info *nrt,
 	struct in6_addr *src_key = NULL;
 	struct rt6_exception *rt6_ex;
 	struct fib6_nh *nh = res->nh;
+	int max_depth;
 	int err = 0;
 
 	spin_lock_bh(&rt6_exception_lock);
@@ -1711,7 +1712,9 @@  static int rt6_insert_exception(struct rt6_info *nrt,
 	bucket->depth++;
 	net->ipv6.rt6_stats->fib_rt_cache++;
 
-	if (bucket->depth > FIB6_MAX_DEPTH)
+	/* Randomize max depth to avoid some side channels attacks. */
+	max_depth = FIB6_MAX_DEPTH + prandom_u32_max(FIB6_MAX_DEPTH);
+	while (bucket->depth > max_depth)
 		rt6_exception_remove_oldest(bucket);
 
 out:
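
Review bot: the comment above the new max_depth assignment does not say that the limit is drawn again on every insert, which is the reason the `if` had to become a `while`: a bucket that filled up under a high draw can exceed a later, lower draw by several entries, so a single call to rt6_insert_exception() may now evict more than one exception. Suggest stating that in the comment together with the resulting range. prandom_u32_max(FIB6_MAX_DEPTH) returns a value strictly below FIB6_MAX_DEPTH, so the limit runs from FIB6_MAX_DEPTH to 2 * FIB6_MAX_DEPTH - 1; the definition of FIB6_MAX_DEPTH is not visible in this hunk, so it is worth confirming that this range matches the "between 6 and 10" given in the commit message. Nit: "side channels attacks" should read "side-channel attacks".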