lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 4 Oct 2018 20:46:55 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Joe Stringer <joe@...d.net.nz>
Cc:     netdev <netdev@...r.kernel.org>, ast@...nel.org
Subject: Re: [PATCH bpf-next] net: core: Fix build with CONFIG_IPV6=m

On 10/04/2018 08:33 PM, Joe Stringer wrote:
> On Thu, 4 Oct 2018 at 01:48, Daniel Borkmann <daniel@...earbox.net> wrote:
>>
>> On 10/03/2018 07:32 AM, Joe Stringer wrote:
>>> Stephen Rothwell reports the following link failure with IPv6 as module:
>>>
>>>   x86_64-linux-gnu-ld: net/core/filter.o: in function `sk_lookup':
>>>   (.text+0x19219): undefined reference to `__udp6_lib_lookup'
>>>
>>> Fix the build by only enabling the IPv6 socket lookup if IPv6 support is
>>> compiled into the kernel.
>>>
>>> Signed-off-by: Joe Stringer <joe@...d.net.nz>
>>> ---
>>>  net/core/filter.c | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/net/core/filter.c b/net/core/filter.c
>>> index 591c698bc517..30c6b2d3ef16 100644
>>> --- a/net/core/filter.c
>>> +++ b/net/core/filter.c
>>> @@ -4838,7 +4838,7 @@ struct sock *sk_lookup(struct net *net, struct bpf_sock_tuple *tuple,
>>>                       sk = __udp4_lib_lookup(net, src4, tuple->ipv4.sport,
>>>                                              dst4, tuple->ipv4.dport,
>>>                                              dif, sdif, &udp_table, skb);
>>> -#if IS_ENABLED(CONFIG_IPV6)
>>> +#if IS_REACHABLE(CONFIG_IPV6)
>>>       } else {
>>>               struct in6_addr *src6 = (struct in6_addr *)&tuple->ipv6.saddr;
>>>               struct in6_addr *dst6 = (struct in6_addr *)&tuple->ipv6.daddr;
>>>
>>
>> Applied as a quick fix, thanks Joe, but ideally this should also work when ipv6
>> is compiled as a module. There's the ipv6_bpf_stub, which does that job for other
>> helpers that would call into v6 code out of the builtin filter.c, so I think we
>> should follow the same approach here as well. See commit d74bad4e74ee ("bpf:
>> Hooks for sys_connect").
> 
> Thanks for the pointers, I'll look into that.
> 
> To confirm my understanding, is it possible to unload the IPv6 module?
> I don't see any code that uninitializes "ipv6_bpf_stub". Seems like a
> simple conditional check on that variable should be enough to gate its
> usage from packet paths where sk_lookup could be invoked (Given that
> the system could receive any packets, including IPv6 when the module
> is not loaded).

No unload, this has been removed via 8ce440610357 ("ipv6: do not allow
ipv6 module to be removed").

Thanks,
Daniel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ