Message-ID: <20230706100243.318109-1-liuxin350@huawei.com>
Date:   Thu, 6 Jul 2023 18:02:43 +0800
From:   Xin Liu <liuxin350@...wei.com>
To:     <daniel@...earbox.net>
CC:     <andrii@...nel.org>, <ast@...nel.org>, <bpf@...r.kernel.org>,
        <davem@...emloft.net>, <edumazet@...gle.com>, <hsinweih@....edu>,
        <jakub@...udflare.com>, <john.fastabend@...il.com>,
        <kuba@...nel.org>, <linux-kernel@...r.kernel.org>,
        <liuxin350@...wei.com>, <netdev@...r.kernel.org>,
        <pabeni@...hat.com>,
        <syzbot+49f6cef45247ff249498@...kaller.appspotmail.com>,
        <syzkaller-bugs@...glegroups.com>, <yanan@...wei.com>,
        <wuchangye@...wei.com>, <xiesongyang@...wei.com>,
        <kongweibin2@...wei.com>, <zhangmingyi5@...wei.com>
Subject: [PATCH bpf-next] bpf, sockops: Enhance the return capability of sockops

Since commit 2585cd62f098 ("bpf: Only reply field should be writeable"),
sockops is not allowed to modify the replylong field except replylong[0].
The reason is that the replylong[1] to replylong[3] field is not used
at that time.

But in actual use, we can call `BPF_CGROUP_RUN_PROG_SOCK_OPS` in the
kernel modules and expect sockops to return some useful data.

The design comment about bpf_sock_ops::replylong in 
include/uapi/linux/bpf.h is described as follows:

```
  struct bpf_sock_ops {
	__u32 op;
	union {
		__u32 args[4];		/* Optionally passed to bpf program */
		__u32 reply;		/* Returned by bpf program	    */
		__u32 replylong[4];	/* Optionally returned by bpf prog  */
	};
  ...
```

It seems to contradict the purpose for which the field was originally
designed. Let's remove this restriction.

Fixes: 2585cd62f098 ("bpf: Only reply field should be writeable")

Signed-off-by: Xin Liu <liuxin350@...wei.com>
---
 net/core/filter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 06ba0e56e369..4662d2d3a0af 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -9063,7 +9063,7 @@ static bool sock_ops_is_valid_access(int off, int size,
 
 	if (type == BPF_WRITE) {
 		switch (off) {
-		case offsetof(struct bpf_sock_ops, reply):
+		case bpf_ctx_range_till(struct bpf_sock_ops, reply, replylong[3]):
 		case offsetof(struct bpf_sock_ops, sk_txhash):
 			if (size != size_default)
 				return false;
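
Review bot: the new case bpf_ctx_range_till(struct bpf_sock_ops, reply, replylong[3]) makes replylong[1] to replylong[3] writable, yet per the union quoted in the commit message those words share storage with args[1] to args[3], so a program can now overwrite the arguments it was handed, and any caller or later program in the same run that reads args afterwards sees program-controlled values. The commit message names only kernel modules calling BPF_CGROUP_RUN_PROG_SOCK_OPS as the consumer; please state which in-tree callers read replylong[1..3] back and confirm that none of them reuse args after the program returns. The diffstat touches only net/core/filter.c, so a verifier selftest that accepts a size_default write at each of the four replylong offsets and still rejects other sizes would pin the new boundary. Since this widens write access rather than repairing a regression, consider dropping the Fixes: tag so the change is not picked up for stable backports.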
-- 
2.33.0
