aboutgitcodebugslistschat
Commit message (Collapse)AuthorAgeFilesLines
...
* arch: Pointer to local outside scope, CWE-562Stefano Brivio2022-04-071-5/+5
| | | | | | | | | Reported by Coverity: if we fail to run the AVX2 version, once execve() fails, we had already replaced argv[0] with the new stack-allocated path string, and that's then passed back to main(). Use a static variable instead. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* udp: Out-of-bounds read, CWE-125 in udp_timer()Stefano Brivio2022-04-071-1/+1
| | | | | | | Not an actual issue due to how it's typically stored, but udp_act can also be used for ports 65528-65535. Reported by Coverity. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: False "Out-of-bounds read" positive, CWE-125Stefano Brivio2022-04-071-1/+5
| | | | | | | Reported by Coverity: it doesn't see that tcp{4,6}_l2_buf_used are set to zero by tcp_l2_data_buf_flush(), repeat that explicitly here. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp, tcp_splice: False "Negative array index read" positives, CWE-129Stefano Brivio2022-04-072-12/+24
| | | | | | A flag or event bit is always set by callers. Reported by Coverity. Signed-by-off: Stefano Brivio <sbrivio@redhat.com>
* tcp_splice: Logically dead code, CWE-561Stefano Brivio2022-04-071-7/+1
| | | | | | Reported by Coverity. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Dereference null return value, CWE-476Stefano Brivio2022-04-071-1/+1
| | | | | | Not an issue with a sane kernel behaviour. Reported by Coverity. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf, tap: False "Buffer not null terminated" positives, CWE-170Stefano Brivio2022-04-072-6/+6
| | | | | | | Those strings are actually guaranteed to be NULL-terminated. Reported by Coverity. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf: False "Assign instead of compare" positive, CWE-481Stefano Brivio2022-04-071-1/+1
| | | | | | | This really just needs to be an assignment before line_read() -- turn it into a for loop. Reported by Coverity. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* treewide: Argument cannot be negative, CWE-687Stefano Brivio2022-04-074-22/+30
| | | | | | Actually harmless. Reported by Coverity. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Improper use of negative value (CWE-394)Stefano Brivio2022-04-071-5/+14
| | | | | | Reported by Coverity. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf, packet: Operands don't affect result, CWE-569Stefano Brivio2022-04-072-3/+8
| | | | | | Reported by Coverity. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tap: Resource leak, CWE-404Stefano Brivio2022-04-071-1/+4
| | | | | | Reported by Coverity. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* treewide: Unchecked return value from library, CWE-252Stefano Brivio2022-04-078-55/+116
| | | | | | | All instances were harmless, but it might be useful to have some debug messages here and there. Reported by Coverity. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: False "Untrusted loop bound" positive, CWE-606Stefano Brivio2022-04-051-0/+2
| | | | | | | | Field doff in struct tcp_hdr is 4 bits wide, so optlen in tcp_tap_handler() is already bound, but make that explicit. Reported by Coverity. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Ignoring number of bytes read, CWE-252Stefano Brivio2022-04-051-2/+3
| | | | | | Harmless, assuming sane kernel behaviour. Reported by Coverity. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* treewide: Invalid type in argument to printf format specifier, CWE-686Stefano Brivio2022-04-054-32/+32
| | | | | | Harmless except for two bad debugging prints. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt.1, qrap.1: Update links to qemu out-of-tree patchStefano Brivio2022-04-012-2/+2
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* README: Fix link to contrib/debianStefano Brivio2022-03-301-1/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* hooks: Copy .webp diagram versions tooStefano Brivio2022-03-301-0/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* README: Drop red notice about early development phaseStefano Brivio2022-03-301-3/+1
| | | | | | Last famous words: it should be tested enough by now. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* contrib: Add example of Debian package filesStefano Brivio2022-03-307-1/+66
| | | | | | | ...using dh_apparmor to ship and apply AppArmor profiles. Tried on current Debian testing (Bookworm, 12). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* contrib: Add example spec file for FedoraStefano Brivio2022-03-301-0/+95
| | | | | | | ...with SELinux package, too. Tested on Fedora 35, but it should work on pretty much any version. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tap: Re-read from tap in tap_handler_pasta() on buffer fullStefano Brivio2022-03-301-2/+9
| | | | | | | | read() will return zero if we pass a zero length, which makes no sense: instead, track explicitly that we exhausted the buffer, flush packets to handlers and redo. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tap: Allow ioctl() and openat() for tap_ns_tun() re-initialisationStefano Brivio2022-03-302-1/+3
| | | | | | | If the tun interface disappears, we'll call tap_ns_tun() after the seccomp profile is applied: add ioctl() and openat() to it. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tap, tcp, udp, icmp: Cut down on some oversized buffersStefano Brivio2022-03-296-31/+72
| | | | | | | | | The existing sizes provide no measurable differences in throughput and packet rates at this point. They were probably needed as batched implementations were not complete, but they can be decreased quite a bit now. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt, pasta: Add examples of SELinux policy modulesStefano Brivio2022-03-297-0/+364
| | | | | | These should cover any reasonably common use case in distributions. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt, pasta: Add examples of AppArmor policiesStefano Brivio2022-03-292-0/+125
| | | | | | These should cover any reasonably common use case in distributions. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Fix warning by gcc 5.4 on ppc64le about comparison in CONN_OR_NULL()Stefano Brivio2022-03-291-13/+13
| | | | | | | ...we don't really need two extra bits, but it's easier to organise things differently than to silence this. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Accurate error reporting for sandbox()Stefano Brivio2022-03-291-10/+26
| | | | | | | It's actually quite easy to make it fail depending on the environment, accurately report errors here. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: Allow implicit test for bugprone-suspicious-string-compare checkerStefano Brivio2022-03-291-4/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* treewide: Fix android-cloexec-* clang-tidy warnings, re-enable checksStefano Brivio2022-03-298-31/+30
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* udp: Move flags before ts in struct udp_tap_port, avoid end paddingStefano Brivio2022-03-291-3/+3
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* treewide: Mark constant references as constStefano Brivio2022-03-2929-168/+192
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* treewide: Add include guardsStefano Brivio2022-03-2915-0/+75
| | | | | | | ...at the moment, just for consistency with packet.h, icmp.h, tcp.h and udp.h. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* treewide: Packet abstraction with mandatory boundary checksStefano Brivio2022-03-2923-700/+999
| | | | | | | | | | | | | | | | | | | | Implement a packet abstraction providing boundary and size checks based on packet descriptors: packets stored in a buffer can be queued into a pool (without storage of its own), and data can be retrieved referring to an index in the pool, specifying offset and length. Checks ensure data is not read outside the boundaries of buffer and descriptors, and that packets added to a pool are within the buffer range with valid offset and indices. This implies a wider rework: usage of the "queueing" part of the abstraction mostly affects tap_handler_{passt,pasta}() functions and their callees, while the "fetching" part affects all the guest or tap facing implementations: TCP, UDP, ICMP, ARP, NDP, DHCP and DHCPv6 handlers. Suggested-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* util: Fix function declaration style of write_pidfile()Stefano Brivio2022-03-291-1/+2
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp, tcp_splice: Use less awkward syntax to swap in/out sockets from poolsStefano Brivio2022-03-292-12/+10
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* dhcp: Minimum option length implied by RFC 951 is 60 bytes, not 62Stefano Brivio2022-03-291-3/+5
| | | | | | | In section 3 ("Packet Format"), "vend" is 64 bytes long, minus the magic that's 60 bytes, not 62. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Fit struct tcp_conn into a single 64-byte cachelineStefano Brivio2022-03-292-137/+166
| | | | | | | | | | | | | | | | | | | | | | ...by: - storing the chained-hash next connection pointer as numeric reference rather than as pointer - storing the MSS as 14-bit value, and rounding it - using only the effective amount of bits needed to store the hash bucket number - explicitly limiting window scaling factors to 4-bit values (maximum factor is 14, from RFC 7323) - scaling SO_SNDBUF values, and using a 8-bit representation for the duplicate ACK sequence - keeping window values unscaled, as received and sent Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* README: Update Interfaces and Availability sectionsStefano Brivio2022-03-291-4/+9
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* README: Avoid "here" linksStefano Brivio2022-03-291-20/+19
| | | | | | They look a bit lame: rephrase sentences to avoid them. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test/perf: Work-around for virtio_net hang before long streams from guestStefano Brivio2022-03-292-0/+30
| | | | | | | I didn't have time to investigate the root cause for the virtio_net TX hang yet. Add a quick work-around for the moment being. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp_splice: Close sockets right away on high number of open filesStefano Brivio2022-03-295-7/+27
| | | | | | | | | | | | | We can't take for granted that the hard limit for open files is big enough as to allow to delay closing sockets to a timer. Store the value of RTLIMIT_NOFILE we set at start, and use it to understand if we're approaching the limit with pending, spliced TCP connections. If that's the case, close sockets right away as soon as they're not needed, instead of deferring this task to a timer. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Rework timers to use timerfd instead of periodic bitmap scanStefano Brivio2022-03-295-241/+288
| | | | | | | | | | | | | | | | | | With a lot of concurrent connections, the bitmap scan approach is not really sustainable. Switch to per-connection timerfd timers, set based on events and on two new flags, ACK_FROM_TAP_DUE and ACK_TO_TAP_DUE. Timers are added to the common epoll list, and implement the existing timeouts. While at it, drop the CONN_ prefix from flag names, otherwise they get quite long, and fix the logic to decide if a connection has a local, possibly unreachable endpoint: we shouldn't go through the rest of tcp_conn_from_tap() if we reset the connection due to a successful bind(2), and we'll get EACCES if the port number is low. Suggested by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp, udp, util: Enforce 24-bit limit on socket numbersStefano Brivio2022-03-295-1/+42
| | | | | | | This should never happen, but there are no formal guarantees: ensure socket numbers are below SOCKET_MAX. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test, seccomp, Makefile: Switch to valgrind runs for passt functional testsStefano Brivio2022-03-298-14/+99
| | | | | | | | | | | | | | Pass to seccomp.sh a list of additional syscalls valgrind needs as EXTRA_SYSCALLS in a new 'valgrind' make target, and add corresponding support in seccomp.sh itself. In test setup functions, start passt with valgrind, but not for performance tests. Add tests checking that valgrind exits without errors after all the other tests in the group are done. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test: Add asciinema(1) as requirement for CI in READMEStefano Brivio2022-03-281-1/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Makefile: Enable a few hardening flagsStefano Brivio2022-03-281-2/+8
| | | | | | | They don't have a measurable performance impact and make things a bit safer. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* udp: Use flags for local, loopback, and configured unicast bindsStefano Brivio2022-03-281-25/+23
| | | | | | | | | | | There's no value in keeping a separate timestamp for activity and for aging of local binds, given that they have the same timeout. Reduce that to a single timestamp, with a flag indicating the local bind. Also use flags instead of separate int fields for loopback and configured unicast address usage as source address. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* dhcpv6, tap, tcp: Use IN6_ARE_ADDR_EQUAL instead of open-coded memcmp()Stefano Brivio2022-03-283-9/+9
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>