Date:   Thu, 4 Oct 2018 11:33:18 -0700
From:   Joe Stringer <joe@...d.net.nz>
To:     daniel@...earbox.net
Cc:     Joe Stringer <joe@...d.net.nz>, netdev <netdev@...r.kernel.org>,
        ast@...nel.org
Subject: Re: [PATCH bpf-next] net: core: Fix build with CONFIG_IPV6=m

On Thu, 4 Oct 2018 at 01:48, Daniel Borkmann <daniel@...earbox.net> wrote:
>
> On 10/03/2018 07:32 AM, Joe Stringer wrote:
> > Stephen Rothwell reports the following link failure with IPv6 as module:
> >
> >   x86_64-linux-gnu-ld: net/core/filter.o: in function `sk_lookup':
> >   (.text+0x19219): undefined reference to `__udp6_lib_lookup'
> >
> > Fix the build by only enabling the IPv6 socket lookup if IPv6 support is
> > compiled into the kernel.
> >
> > Signed-off-by: Joe Stringer <joe@...d.net.nz>
> > ---
> >  net/core/filter.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index 591c698bc517..30c6b2d3ef16 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -4838,7 +4838,7 @@ struct sock *sk_lookup(struct net *net, struct bpf_sock_tuple *tuple,
> >                       sk = __udp4_lib_lookup(net, src4, tuple->ipv4.sport,
> >                                              dst4, tuple->ipv4.dport,
> >                                              dif, sdif, &udp_table, skb);
> > -#if IS_ENABLED(CONFIG_IPV6)
> > +#if IS_REACHABLE(CONFIG_IPV6)
> >       } else {
> >               struct in6_addr *src6 = (struct in6_addr *)&tuple->ipv6.saddr;
> >               struct in6_addr *dst6 = (struct in6_addr *)&tuple->ipv6.daddr;
> >
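Review bot: at `#if IS_REACHABLE(CONFIG_IPV6)`, the `} else {` branch that sets up `src6`/`dst6` is compiled out whenever CONFIG_IPV6=m, because net/core/filter.c is built in and IS_REACHABLE() is false for a built-in user of a modular option. That removes the undefined reference to `__udp6_lib_lookup`, but sk_lookup() then has no IPv6 path on such kernels even once the module is loaded, and nothing in the code says so. Please add a short comment at the `#if` stating that IPv6 tuples are not looked up when IPv6 is a module, and say in that comment what the function returns for an IPv6 tuple in that configuration, since this hunk does not show it.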
>
> Applied as a quick fix, thanks Joe, but ideally this should also work when ipv6
> is compiled as a module. There's the ipv6_bpf_stub, which does that job for other
> helpers that would call into v6 code out of the builtin filter.c, so I think we
> should follow the same approach here as well. See commit d74bad4e74ee ("bpf:
> Hooks for sys_connect").

Thanks for the pointers, I'll look into that.

To confirm my understanding, is it possible to unload the IPv6 module?
I don't see any code that uninitializes "ipv6_bpf_stub". Seems like a
simple conditional check on that variable should be enough to gate its
usage from packet paths where sk_lookup could be invoked (Given that
the system could receive any packets, including IPv6 when the module
is not loaded).

Cheers,
Joe
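
The stub-pointer gate discussed in this thread, as an added user-space illustration that is not part of the original message and is not kernel code: built-in code links only against a pointer, the module fills it in at init, and the lookup path checks it before every call. All names here (`v6_stub_model`, `model_sk_lookup`, `model_module_init`) are hypothetical, and module unloading is not modelled.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical user-space model; none of these names are kernel symbols. */
struct sock_model { int family; uint16_t port; };

struct v6_stub_model {
    struct sock_model *(*udp6_lookup)(uint16_t dport);
};

/* NULL until the "module" registers itself. The built-in side references
 * only this pointer, so it links whether or not the module exists. */
static _Atomic(const struct v6_stub_model *) v6_stub;

/* --- code that would live in the loadable module --- */
static struct sock_model v6_listener = { .family = 6, .port = 53 }; /* constructed sample */

static struct sock_model *mod_udp6_lookup(uint16_t dport)
{
    return dport == v6_listener.port ? &v6_listener : NULL;
}

static const struct v6_stub_model v6_impl = { .udp6_lookup = mod_udp6_lookup };

void model_module_init(void)
{
    atomic_store(&v6_stub, &v6_impl);
}

/* --- code that would live in the built-in object --- */
struct sock_model *model_sk_lookup(int family, uint16_t dport)
{
    if (family == 6) {
        /* Load the pointer once, then gate on it: an IPv6 packet can
         * arrive before the module has ever been loaded. */
        const struct v6_stub_model *stub = atomic_load(&v6_stub);

        if (!stub)
            return NULL; /* reported as "no socket found" in this model */
        return stub->udp6_lookup(dport);
    }
    return NULL; /* IPv4 path omitted in this model */
}
```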
