lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 28 Apr 2016 11:31:31 +0200
From:	Jann Horn <jannh@...gle.com>
To:	Alexei Starovoitov <ast@...com>
Cc:	"David S . Miller" <davem@...emloft.net>,
	Daniel Borkmann <daniel@...earbox.net>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	netdev@...r.kernel.org, kernel-team@...com
Subject: Re: [PATCH net 2/3] bpf: fix check_map_func_compatibility logic

On Thu, Apr 28, 2016 at 3:56 AM, Alexei Starovoitov <ast@...com> wrote:
> The commit 35578d798400 ("bpf: Implement function bpf_perf_event_read() that get the selected hardware PMU conuter")
> introduced clever way to check bpf_helper<->map_type compatibility.
> Later on commit a43eec304259 ("bpf: introduce bpf_perf_event_output() helper") adjusted
> the logic and inadvertently broke it.
> Get rid of the clever bool compare and go back to two-way check
> from map and from helper perspective.
>
> Fixes: a43eec304259 ("bpf: introduce bpf_perf_event_output() helper")
> Reported-by: Jann Horn <jannh@...gle.com>
> Signed-off-by: Alexei Starovoitov <ast@...nel.org>
> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
> ---
>  kernel/bpf/verifier.c | 65 +++++++++++++++++++++++++++++++--------------------
>  1 file changed, 40 insertions(+), 25 deletions(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 89bcaa0966da..c5c17a62f509 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
[...]
> +       case BPF_MAP_TYPE_PROG_ARRAY:
> +               if (func_id != BPF_FUNC_tail_call)
> +                       goto error;
> +               break;
> +       case BPF_MAP_TYPE_PERF_EVENT_ARRAY:
> +               if (func_id != BPF_FUNC_perf_event_read &&
> +                   func_id != BPF_FUNC_perf_event_output)
> +                       goto error;
> +               break;
> +       case BPF_MAP_TYPE_STACK_TRACE:
> +               if (func_id != BPF_FUNC_get_stackid)
> +                       goto error;
> +               break;
> +       default:
> +               break;
> +       }
> +
> +       /* ... and second from the function itself. */
> +       switch (func_id) {
> +       case BPF_FUNC_tail_call:
> +               if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY)
> +                       goto error;
> +               break;
> +       case BPF_FUNC_perf_event_read:
> +       case BPF_FUNC_perf_event_output:
> +               if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY)
> +                       goto error;
> +               break;
> +       case BPF_FUNC_get_stackid:
> +               if (map->map_type != BPF_MAP_TYPE_STACK_TRACE)
> +                       goto error;
> +               break;
> +       default:
> +               break;
>         }

Looks good to me.

Powered by blists - more mailing lists