git.baikalelectronics.ru Git - kernel.git/commit

author	Eric Dumazet <edumazet@google.com>
	Sun, 29 Aug 2021 22:16:15 +0000 (15:16 -0700)
committer	David S. Miller <davem@davemloft.net>
	Mon, 30 Aug 2021 11:21:38 +0000 (12:21 +0100)
commit	66a61928e42abf7edf9d78bf92024aaba8203d77
tree	f9544d94912791a46a5c3c281ae1771b091f8770	tree \| snapshot
parent	2fffd75b2aaab385dc9d904e32ebd742b8b44ed3	commit \| diff

ipv4: make exception cache less predictible

Even after commit 1523a359e47c ("ipv4: use siphash instead of Jenkins in
fnhe_hashfun()"), an attacker can still use brute force to learn
some secrets from a victim linux host.

One way to defeat these attacks is to make the max depth of the hash
table bucket a random value.

Before this patch, each bucket of the hash table used to store exceptions
could contain 6 items under attack.

After the patch, each bucket would contains a random number of items,
between 6 and 10. The attacker can no longer infer secrets.

This is slightly increasing memory size used by the hash table,
by 50% in average, we do not expect this to be a problem.

This patch is more complex than the prior one (IPv6 equivalent),
because IPv4 was reusing the oldest entry.
Since we need to be able to evict more than one entry per
update_or_create_fnhe() call, I had to replace
fnhe_oldest() with fnhe_remove_oldest().

Also note that we will queue extra kfree_rcu() calls under stress,
which hopefully wont be a too big issue.

Fixes: 529f0ee8559d ("ipv4: Add FIB nexthop exceptions.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Keyu Man <kman001@ucr.edu>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reviewed-by: David Ahern <dsahern@kernel.org>
Tested-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>