Hi,

I think there might be a problem with the way the i40e driver checks permissions for a non-trusted VF.

From what I understand, the number of MACs a non-trusted VF can register is limited to 12 (defined by I40E_VC_MAX_MAC_ADDR_PER_VF). This has security relevance, because otherwise a VF can snoop on traffic addressed to someone else.
However, what I discovered is that a VF can register many more MACs. The problem is that the vf counter (vf->num_mac) is updated after the permissions are checked (line 2226 in i40e_virtchnl_pf.c, driver i40e-2.4.3). So the driver will accept all the addresses in the current message, even if they exceed the limit.

On the other hand, the message VIRTCHNL_OP_ADD_ETH_ADDR is created by the watchdog task of i40evf. When it runs, it will collect all the pending MAC addresses that have not been sent yet to the i40e driver on the hypervisor. It can potentially put in the same message as many as 510 distinct MAC addresses (see lines 443-444 in i40evf_virtchnl.c).

So even if the i40evf driver is good-willed, an evil program running on the VF can quickly send many MACs to the driver, and successfully register them all. In fact, I have seen this exact scenario in practice, with more than a hundred addresses checked by a non-trusted VF. This happened because the application I was running was very quickly registering all of them.

Do you think this is a bug? I haven't found any limit in the Intel documentation on how many MACs a non-trusted VF can register.

Best wishes,
Codrut
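The check-then-update ordering described in the message above, reduced to a small model next to a check that also counts the addresses in the message. This is an added example, not code from the i40e driver or from the original post; `vf_model`, `check_counter_only`, `check_counter_plus_msg`, `handle_add_msg` and the two macros are hypothetical names, and only the values 12 and 510 come from the post.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_MAC_PER_VF 12u  /* the limit of 12 quoted in the post */
#define MAX_PER_MSG   510u  /* per-message address count quoted in the post */

/* Hypothetical stand-in for the PF's per-VF state; not the driver's struct. */
struct vf_model { bool trusted; unsigned num_mac; };

typedef bool (*check_fn)(const struct vf_model *vf, size_t n_in_msg);

/* Pattern from the post: the limit is compared with the counter as it stood
 * before this message, so the message's own size is never considered. */
static bool check_counter_only(const struct vf_model *vf, size_t n_in_msg)
{
    (void)n_in_msg;
    return vf->trusted || vf->num_mac < MAX_MAC_PER_VF;
}

/* Hardened form: the whole message must fit in the remaining quota. */
static bool check_counter_plus_msg(const struct vf_model *vf, size_t n_in_msg)
{
    if (vf->trusted)
        return true;
    return vf->num_mac <= MAX_MAC_PER_VF &&
           n_in_msg <= MAX_MAC_PER_VF - vf->num_mac;
}

/* Check once, then add every address and update the counter afterwards.
 * Returns the number of MACs registered for the VF after the message. */
static unsigned handle_add_msg(struct vf_model *vf, size_t n, check_fn permitted)
{
    if (permitted(vf, n))
        vf->num_mac += (unsigned)n;
    return vf->num_mac;
}

int main(void)
{
    struct vf_model a = { false, 0 }, b = { false, 0 };
    printf("counter-only check: %u MACs\n",
           handle_add_msg(&a, MAX_PER_MSG, check_counter_only));
    printf("counter+message check: %u MACs\n",
           handle_add_msg(&b, MAX_PER_MSG, check_counter_plus_msg));
    return 0;
}
```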