| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZxmnZWjSRVHgtbGZ@localhost.localdomain> Date: Thu, 24 Oct 2024 10:48:21 +0900 From: Byeonguk Jeong <jungbu2855@...il.com> To: Hou Tao <houtao@...weicloud.com> Cc: Daniel Borkmann <daniel@...earbox.net>, Yonghong Song <yonghong.song@...ux.dev>, bpf@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] bpf: Fix out-of-bounds write in trie_get_next_key() Hi, On Wed, Oct 23, 2024 at 05:59:53PM +0800, Hou Tao wrote: > Alexei suggested adding a bpf self-test for the patch. I think you > could reference the code in lpm_trie_map_batch_ops.c [1] or similar and > add a new file that uses bpf_map_get_next_key to demonstrate the > out-of-bound problem. The test can be run by ./test_maps. There is some > document for the procedure in [2]. > > [1]: tools/testing/selftests/bpf/map_tests/lpm_trie_map_batch_ops.c > [2]: > https://github.com/torvalds/linux/blob/master/Documentation/bpf/bpf_devel_QA.rst Okay, I will add a new test. Thanks for the detailed guideline. > Which procedure will return -ENOENT ? I think the element with > prefixlen=0 could still be found through the key with prefixlen = 0. I mean, BPF_MAP_GET_NEXT_KEY with .prefixlen = 0 would give us -ENOENT, as it follows postorder. BPF_MAP_LOOKUP_ELEM still find the element with prefixlen 0 through the key with prefixlen 0 as you said.
Powered by blists - more mailing lists