carp: retire ioctl(2) API
ClosedPublic
Actions

Authored by glebius on Tue, Mar 10, 9:40 PM.

Details

Reviewers

kp
ed
pouria

Group Reviewers

network

Commits

rG72472e52e310: carp: retire ioctl(2) API

Summary

All supported stable branches use netlink(4) API to configure carp(4).
The deleted code also has kernel stack leak vulnerability, that requires
extra effort to fix.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

glebius created this revision.Tue, Mar 10, 9:40 PM

Herald added subscribers: melifaro, ae, imp. · View Herald TranscriptTue, Mar 10, 9:40 PM

Harbormaster completed remote builds in B71325: Diff 173537.Tue, Mar 10, 9:40 PM

glebius requested review of this revision.Tue, Mar 10, 9:40 PM

pouria added a subscriber: pouria.Tue, Mar 10, 9:43 PM

For the stable branches I don't see a value in investing time for a proper fix. Instead, for the stable/15 and stable/14 I'm thinking of just refusing wildcard SIOCGVH with error. This will close the security hole and if somebody uses ifconfig(8) from stable/13 on a supported stable system, they would still be able to configure CARP vhids. The wildcard SIOCGVH will return error instead of leaking kernel memory as a return value. So, it will actually be less broken then it is now.

P.S. I'm 99% sure that no software outside the tree use these ioctls.

Remove unneeded assignment.

Harbormaster completed remote builds in B71326: Diff 173538.Tue, Mar 10, 9:58 PM

Also, there are some references in carp(4) man page and ifconfig code.

OT: carp(4) could do with being refactored to use HMAC from opencrypto rather than rolling its own.

pouria added inline comments.Wed, Mar 11, 10:55 AM

sys/netinet/ip_carp.h
187	do we need this?

pouria added inline comments.Wed, Mar 11, 11:29 AM

sys/netinet/ip_carp.c
2586–2589	Shouldn't be more graceful? for example (dirty):

pouria added inline comments.Wed, Mar 11, 12:05 PM

sys/netinet/ip_carp.c
2628	As far as I can understand, this lock only used for write operations and we don't perform any write operation under nl_get. otherwise, we probably used it too late in other functions!

tested, works. LGTM

This revision is now accepted and ready to land.Wed, Mar 11, 12:38 PM

glebius marked an inline comment as done.Wed, Mar 11, 3:36 PM

glebius added inline comments.

sys/netinet/ip_carp.c
2586–2589	That would be functional change for the Netlink handler and the goal of this change is to just remove ioctl(2) and don't introduce any behavior changes to Netlink.
2628	Could be so, but again the goal is not introduce any logical changes to the netlink configuration path. For reading the lock is indeed almost not needed. The sc->sc_key can't be copied atomically, but we probably are protected by the carp_sx.