lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 08 Sep 2016 17:29:02 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     daniel@...earbox.net
Cc:     alexei.starovoitov@...il.com, tgraf@...g.ch, netdev@...r.kernel.org
Subject: Re: [PATCH net-next] bpf: fix range propagation on direct packet
 access

From: Daniel Borkmann <daniel@...earbox.net>
Date: Thu,  8 Sep 2016 01:03:42 +0200

> LLVM can generate code that tests for direct packet access via
> skb->data/data_end in a way that currently gets rejected by the
> verifier, example:
 ...
> The reason why this gets rejected despite a proper test is that we
> currently call find_good_pkt_pointers() only in case where we detect
> tests like rX > pkt_end, where rX is of type pkt(id=Y,off=Z,r=0) and
> derived, for example, from a register of type pkt(id=Y,off=0,r=0)
> pointing to skb->data. find_good_pkt_pointers() then fills the range
> in the current branch to pkt(id=Y,off=0,r=Z) on success.
> 
> For above case, we need to extend that to recognize pkt_end >= rX
> pattern and mark the other branch that is taken on success with the
> appropriate pkt(id=Y,off=0,r=Z) type via find_good_pkt_pointers().
> Since eBPF operates on BPF_JGT (>) and BPF_JGE (>=), these are the
> only two practical options to test for from what LLVM could have
> generated, since there's no such thing as BPF_JLT (<) or BPF_JLE (<=)
> that we would need to take into account as well.
> 
> After the fix:
 ...
> Verifier test cases are also added in this work, one that demonstrates
> the mentioned example here and one that tries a bad packet access for
> the current/fall-through branch (the one with types pkt(id=X,off=Y,r=0),
> pkt(id=X,off=0,r=0)), then a case with good and bad accesses, and two
> with both test variants (>, >=).
> 
> Fixes: 969bf05eb3ce ("bpf: direct packet access")
> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
> Acked-by: Alexei Starovoitov <ast@...nel.org>

Applied to net-next, thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ