firewall: send a read-only/non-capturable buffer to the TCP/IP stack.

hlef · davidchisnall · commit af597abd03da · 2024-11-01T08:28:02.000Z
The firewall currently sends a writable and capturable frame buffer
capability to the TCP/IP stack. This is bad because the TCP/IP stack can
keep the capability and alter the buffer at a later point when we re-use
it. Not sure what the exact impact is, but it sounds like the TCP/IP may
be able to use this to add endpoints to the firewall table.

Signed-off-by: Hugo Lefeuvre &lt;hugo.lefeuvre@ubc.ca&gt;
diff --git a/lib/firewall/firewall.cc b/lib/firewall/firewall.cc
@@ -1082,7 +1082,11 @@ void __cheri_compartment("Firewall") ethernet_run_driver()
 			auto &frame = *maybeFrame;
 			if (packet_filter_ingress(frame.buffer, frame.length))
 			{
-				ethernet_receive_frame(frame.buffer, frame.length);
+				// Send the frame buffer to the TCP/IP stack as
+				// a read-only, non-capturable capability.
+				CHERI::Capability frameBuffer{frame.buffer};
+				frameBuffer.permissions() &= CHERI::Permission::Load;
+				ethernet_receive_frame(frameBuffer, frame.length);
 			}
 		}
 		receivedCounter += packets;

Original file line number	Diff line number	Diff line change
`@@ -1082,7 +1082,11 @@ void __cheri_compartment("Firewall") ethernet_run_driver()`
`1082`	`1082`	`auto &frame = *maybeFrame;`
`1083`	`1083`	`if (packet_filter_ingress(frame.buffer, frame.length))`
`1084`	`1084`	`{`
`1085`		`- ethernet_receive_frame(frame.buffer, frame.length);`
	`1085`	`+ // Send the frame buffer to the TCP/IP stack as`
	`1086`	`+ // a read-only, non-capturable capability.`
	`1087`	`+ CHERI::Capability frameBuffer{frame.buffer};`
	`1088`	`+ frameBuffer.permissions() &= CHERI::Permission::Load;`
	`1089`	`+ ethernet_receive_frame(frameBuffer, frame.length);`
`1086`	`1090`	`}`
`1087`	`1091`	`}`
`1088`	`1092`	`receivedCounter += packets;`