lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <cc7e4e49-b143-3c25-80c2-9c49c6975288@iogearbox.net>
Date:   Fri, 28 Sep 2018 15:34:49 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Joe Stringer <joe@...d.net.nz>
Cc:     netdev@...r.kernel.org, ast@...nel.org, john.fastabend@...il.com,
        tgraf@...g.ch, kafai@...com, nitin.hande@...il.com,
        mauricio.vasquez@...ito.it
Subject: Re: [PATCHv3 bpf-next 04/12] bpf: Add PTR_TO_SOCKET verifier type

On 09/28/2018 01:26 AM, Joe Stringer wrote:
> Teach the verifier a little bit about a new type of pointer, a
> PTR_TO_SOCKET. This pointer type is accessed from BPF through the
> 'struct bpf_sock' structure.
> 
> Signed-off-by: Joe Stringer <joe@...d.net.nz>
[...]
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 72db8afb7cb6..057af3dc9f08 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -5394,23 +5394,29 @@ static bool __sock_filter_check_size(int off, int size,
>  	return size == size_default;
>  }
>  
> -static bool sock_filter_is_valid_access(int off, int size,
> -					enum bpf_access_type type,
> -					const struct bpf_prog *prog,
> -					struct bpf_insn_access_aux *info)
> +bool bpf_sock_is_valid_access(int off, int size, enum bpf_access_type type,
> +			      struct bpf_insn_access_aux *info)
>  {
>  	if (off < 0 || off >= sizeof(struct bpf_sock))
>  		return false;
>  	if (off % size != 0)
>  		return false;
> -	if (!__sock_filter_check_attach_type(off, type,
> -					     prog->expected_attach_type))
> -		return false;
>  	if (!__sock_filter_check_size(off, size, info))
>  		return false;
>  	return true;
>  }
>  
> +static bool sock_filter_is_valid_access(int off, int size,
> +					enum bpf_access_type type,
> +					const struct bpf_prog *prog,
> +					struct bpf_insn_access_aux *info)
> +{
> +	if (!__sock_filter_check_attach_type(off, type,
> +					     prog->expected_attach_type))
> +		return false;
> +	return bpf_sock_is_valid_access(off, size, type, info);
> +}

This one here should also be swapped to make it more robust, meaning the
__sock_filter_check_attach_type() should come in a second step after basic
sanity checks have been completed, not before them. E.g. out of bounds read
access would then indicate a "good" access in the first one.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ