| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 04 Jun 2014 10:51:38 +0200 From: Daniel Borkmann <dborkman@...hat.com> To: Chema Gonzalez <chema@...gle.com> CC: Alexei Starovoitov <ast@...mgrid.com>, Ingo Molnar <mingo@...nel.org>, Steven Rostedt <rostedt@...dmis.org>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Arnaldo Carvalho de Melo <acme@...radead.org>, Jiri Olsa <jolsa@...hat.com>, Thomas Gleixner <tglx@...utronix.de>, "H. Peter Anvin" <hpa@...or.com>, Andrew Morton <akpm@...ux-foundation.org>, Kees Cook <keescook@...omium.org>, David Miller <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Network Development <netdev@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org> Subject: Re: [PATCH v6 net-next 1/4] net: flow_dissector: avoid multiple calls in eBPF On 06/03/2014 11:12 PM, Chema Gonzalez wrote: ... > Your approach needs it too. Citing from your pseudo-code: > >> ld #5 <-- indicates to fill the first 5 slots of M[], so M[0] to M[4] >> ld #keys <-- triggers the extension to fill the M[] slots >> ld M[0] <-- loads nhoff from M[0] into accu > > How does the "ld M[0]" know that the actual flow dissector has already > been called? What if the insn just before the "ld #5" was "jmp +2" ? > In that case, the "ld #keys" would have never been called. But that case would be no different from doing something like ... [...] jmp foo ldi #42 st M[0] foo: ld M[0] [...] ... and would then not pass the checker in check_load_and_stores(), which, as others have already stated, would need to be extended, of course. It's one possible approach. >> Anyway as I said before I'm not excited about either. >> I don't think we should be adding classic BPF extensions any more. >> The long term headache of supporting classic BPF extensions >> outweighs the short term benefits. ... > I see a couple of issues with (effectively) freezing classic BPF > development while waiting for direct eBPF access to happen. The first > one is that the kernel has to accept it. I can see many questions > about this, especially security and usability (I'll send an email > about the "split BPF out of core later"). Now, the main issue is > whether/when the tools will support it. IMO, this is useful iff I can > quickly write/reuse filters and run tcpdump filters based on them. I'm > trying to get upstream libpcap to accept support for raw (classic) BPF > filters, and it's taking a long time. I can imagine how they may be > less receptive about supporting a Linux-only eBPF mechanism. Tools do > matter. Grepping through libpcap code, which tries to be platform independent, it seems after all the years, the only thing where you can see support for in their code is SKF_AD_PKTTYPE and SKF_AD_PROTOCOL. Perhaps they just don't care, perhaps they do, who knows, but it looks to me a bit that they are reluctant to these improvements, maybe for one reason that other OSes don't support it. That was also one of the reasons that led me to start writing bpf_asm (net/tools/) for having a small DSL for more easily trying out BPF code while having _full_ control over it. Maybe someone should start a binary-compatible Linux-only version of libpcap, where tcpdump will transparently make use of these low level improvements eventually. </rant> ;) Thanks, Daniel -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists