| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_152195E35781D102C443834B219FACA04B07@qq.com>
Date: Tue, 11 Feb 2025 18:34:24 +0800
From: Rong Tao <rtoax@...mail.com>
To: Quentin Monnet <qmo@...nel.org>, ast@...nel.org, daniel@...earbox.net
Cc: rongtao@...tc.cn, Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman
<eddyz87@...il.com>, Song Liu <song@...nel.org>,
Yonghong Song <yonghong.song@...ux.dev>,
John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>,
Stanislav Fomichev <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>,
Jiri Olsa <jolsa@...nel.org>,
"open list:BPF [TOOLING] (bpftool)" <bpf@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH bpf-next] bpftool: Check map name length when map create
On 2/11/25 18:20, Quentin Monnet wrote:
> 2025-02-11 16:45 UTC+0800 ~ Rong Tao <rtoax@...mail.com>
>> From: Rong Tao <rongtao@...tc.cn>
>>
>> The size of struct bpf_map::name is BPF_OBJ_NAME_LEN (16).
>>
>> bpf(2) {
>> map_create() {
>> bpf_obj_name_cpy(map->name, attr->map_name, sizeof(attr->map_name));
>> }
>> }
>>
>> When specifying a map name using bpftool map create name, no error is
>> reported if the name length is greater than 15.
>>
>> $ sudo bpftool map create /sys/fs/bpf/12345678901234567890 \
>> type array key 4 value 4 entries 5 name 12345678901234567890
>>
>> Users will think that 12345678901234567890 is legal, but this name cannot
>> be used to index a map.
>>
>> $ sudo bpftool map show name 12345678901234567890
>> Error: can't parse name
>>
>> $ sudo bpftool map show
>> ...
>> 1249: array name 123456789012345 flags 0x0
>> key 4B value 4B max_entries 5 memlock 304B
>>
>> $ sudo bpftool map show name 123456789012345
>> 1249: array name 123456789012345 flags 0x0
>> key 4B value 4B max_entries 5 memlock 304B
>>
>> The map name provided in the command line is truncated, but no error is
>> reported. This submission checks the length of the map name.
>>
>> Signed-off-by: Rong Tao <rongtao@...tc.cn>
>> ---
>> tools/bpf/bpftool/map.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/tools/bpf/bpftool/map.c b/tools/bpf/bpftool/map.c
>> index ed4a9bd82931..fa00f7865065 100644
>> --- a/tools/bpf/bpftool/map.c
>> +++ b/tools/bpf/bpftool/map.c
>> @@ -1330,6 +1330,12 @@ static int do_create(int argc, char **argv)
>> goto exit;
>> }
>>
>> + if (strlen(map_name) > BPF_OBJ_NAME_LEN - 1) {
>> + p_err("The map name is too long, should be less than %d\n",
>
> Nit: I'd drop "The" (and the capital letter) for consistency with other
> messages in bpftool; and I'd replace "less than ..." with "no longer
> than %d characters\n" to make it explicit and avoid confusion between
> "strictly less" and "less or equal".
Thanks, i'll submit another patch.
Rong Tao.
>
>> + BPF_OBJ_NAME_LEN - 1);
>> + goto exit;
>> + }
>> +
>> set_max_rlimit();
>>
>> fd = bpf_map_create(map_type, map_name, key_size, value_size, max_entries, &attr);
>
> There's no need to defer the check until after we've parsed all
> arguments. Can you move it to the location where we retrieve the name,
> please?:
>
> [...]
> } else if (is_prefix(*argv, "name")) {
> NEXT_ARG();
> map_name = GET_ARG();
> } else ...
>
> pw-bot: cr
>
> Apart from these, it's a good idea to fix it, thank you!
> Quentin
Powered by blists - more mailing lists