| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHM1nT13_AYoRydkGnKF8hbshUw2VMz8kgBK+_7-pJxuRDAHww@mail.gmail.com>
Date: Wed, 22 Aug 2018 23:39:59 -0700
From: IMBRIUS AGER <imbrius.ager@...il.com>
To: netdev@...r.kernel.org
Subject: Failed to call bpf_l3_csum_replace() twice for IPIP tunnel
hello, I am trying to modify the src addr (both inner and outer) of IPIP tunnel.
this is the testing code:
=======================================
void *data = (void *)(long)skb->data;
void *data_end = (void *)(long)skb->data_end;
struct ethhdr *eth = data;
struct iphdr *ip_outer = (void *)(eth + 1);
if (ip_outer->ihl != 5 || ip_outer + 1 > data_end)
return;
struct iphdr *ip_inner = (void *)(ip4_outer + 1);
if (ip_inner->ihl != 5 || ip_inner + 1 > data_end)
return;
src = 0x11111111;
/* First I modify the inner ip */
bpf_l3_csum_replace(skb, IP4_CSUM_OFF + sizeof(struct iphdr),
ip_inner->saddr, src, sizeof(src));
bpf_skb_store_bytes(skb, IP4_SRC_OFF + sizeof(struct iphdr), &src,
sizeof(src), 0);
/* Second I modify the outer ip */
bpf_l3_csum_replace(skb, IP4_CSUM_OFF, ip_outer->saddr, src, sizeof(src));
bpf_skb_store_bytes(skb, IP4_SRC_OFF, &src, sizeof(src), 0);
========================================
I found that I could only modify one of the src addr (inner or outer).
If both, the kernel always rejected the code at the first
bpf_l3_csum_replace():
========================================
Prog section '__xxxxx' rejected: Permission denied (13)!
- Type: 3
- Instructions: 171 (0 over limit)
- License: GPL
.....
96: (85) call bpf_l3_csum_replace#10
97: (61) r4 = *(u32 *)(r7 +0)
R0=inv(id=0) R6=ctx(id=0,off=0,imm=0)
R7=map_value(id=0,off=0,ks=4,vs=4,imm=0) R8=inv(id=0) R9=inv(id=0)
R10=fp0
98: (61) r3 = *(u32 *)(r9 +26)
R9 invalid mem access 'inv'
Error fetching program/map!
Unable to load program
========================================
I tried to validate the pointer again before the second modification.
But nothing good has happened.
if (ip_outer->ihl != 5 || ip_outer + 1 > data_end)
return;
/* Second I modify the outer ip */
bpf_l3_csum_replace(skb, IP4_CSUM_OFF, ip_outer->saddr, src, sizeof(src));
bpf_skb_store_bytes(skb, IP4_SRC_OFF, &src, sizeof(src), 0);
Any idea?
Thanks very much
Powered by blists - more mailing lists