| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 4 Apr 2018 12:01:45 +0200 From: Daniel Borkmann <daniel@...earbox.net> To: Lorenz Bauer <lmb@...udflare.com>, ast@...nel.org Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: PROBLEM: Using BPF_PROG_TEST_RUN with data_out != NULL is unsafe On 04/04/2018 11:04 AM, Lorenz Bauer wrote: > Hello, > > I’ve encountered an issue when using BPF_PROG_TEST_RUN and capturing the output. > The kernel copies data into user space without checking the length of > the destination buffer. > > In bpf_test_finish(), size is the amount of data in the XDP buffer / > skb after the program is run. This can be larger than data_size_in due > to bpf_xdp_adjust_head() and friends. > bpf_test_finish doesn’t clamp size to data_size_out, which is what I > was expecting. > > What is the correct way to use this interface? Yeah, so XDP has a headroom of XDP_PACKET_HEADROOM + NET_IP_ALIGN which in case of x86 is 256 bytes (NET_IP_ALIGN being 0 there). This means that attr.test.data_out buffer needs to be 256 bytes larger than attr.test.data_in in case the BPF prog calls bpf_xdp_adjust_head() or bpf_xdp_adjust_meta(). In case you point data_in and data_out to the same address, then the total buffer size therefore has to be attr.test.data_size_in + 256 in order to not overrun anything while not being aware of the BPF test program. The XDP_PACKET_HEADROOM is exposed to user space in linux/bpf.h.
Powered by blists - more mailing lists