lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1398289142.29914.23.camel@edumazet-glaptop2.roam.corp.google.com>
Date:	Wed, 23 Apr 2014 14:39:02 -0700
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Alexei Starovoitov <ast@...mgrid.com>
Cc:	David Miller <davem@...emloft.net>,
	Daniel Borkmann <dborkman@...hat.com>,
	Network Development <netdev@...r.kernel.org>
Subject: Re: [PATCH net] net: filter: initialize A and X registers

On Wed, 2014-04-23 at 13:38 -0700, Alexei Starovoitov wrote:

> In this particular case we can indeed make verifier smarter to the point
> that once it detects uninitialized A/X in a filter, it will add explicit init
> after conversion, so we don't have to pay the penalty at run time.
> It's a very good suggestion.
> 
> At the same time I think 'ret A' falls into category of the 20 year old bug.
> The filters that using undocumented behavior are destined to be
> broken sooner or later. tcpdump doesn't generate such filters.
> Valid filters will not be affected by strict checking, but I think users
> will be actually happy to see kernel rejecting their buggy filters.
> I think we can have a global flag for bpf verifier whether to reject
> such filters or accept them by adding explicit inits under
> 'bpf_permissive_loading' flag.
> Thoughts?


I do not really understand the concerns and this discussion over this
bug.

BPF JIT does basic checks and forces A=0 if first instruction doesn't
set A.

( arch/x86/net/bpf_jit_comp.c line 263 )

X is forced to 0 anyway if X is ever used in the JITed filter.
( line 227, and we have a typo in comment : s/leek/leak/ )

This is not a big deal. If you want to 'optimize', fine, but don't break
programs.

There is no way you add a 'flag' to break a user program, even
if _you_ believe its broken.

Maybe it assumed initial X / A contents were 0.

Even if not documented, we cannot break this 20 years after the facts.


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ