Date:   Wed, 23 Jan 2019 08:37:47 -0800
From:   Eric Dumazet <edumazet@...gle.com>
To:     Daniel Borkmann <daniel@...earbox.net>
Cc:     Martin Lau <kafai@...com>, Alexei Starovoitov <ast@...nel.org>,
        netdev <netdev@...r.kernel.org>,
        Eric Dumazet <eric.dumazet@...il.com>,
        Eddie Hao <eddieh@...gle.com>,
        Vlad Dumitrescu <vladum@...gle.com>,
        Xiaotian Pei <xiaotian@...gle.com>,
        Yuchung Cheng <ycheng@...gle.com>
Subject: Re: [PATCH v2 bpf-next] bpf: allow BPF programs access
 skb_shared_info->gso_segs field

On Wed, Jan 23, 2019 at 3:55 AM Daniel Borkmann <daniel@...earbox.net> wrote:
>
> On 01/18/2019 07:42 PM, Martin Lau wrote:
> > On Thu, Jan 17, 2019 at 03:31:57PM -0800, Eric Dumazet wrote:
> >> This adds the ability to read gso_segs from a BPF program.
> >>
> >> v2: refined Eddie Hao patch to address Alexei feedback.
> >>
> >> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> >> Cc: Eddie Hao <eddieh@...gle.com>
> >> Cc: Vlad Dumitrescu <vladum@...gle.com>
> >> Cc: Xiaotian Pei <xiaotian@...gle.com>
> >> Cc: Yuchung Cheng <ycheng@...gle.com>
> >> ---
> >>  include/uapi/linux/bpf.h                    |  1 +
> >>  net/core/filter.c                           | 21 ++++++++++++
> >>  tools/include/uapi/linux/bpf.h              |  1 +
> >>  tools/testing/selftests/bpf/test_verifier.c | 36 +++++++++++++++++++++
> >>  4 files changed, 59 insertions(+)
> >>
> >> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> >> index 91c43884f295f60a85268ddf0020bf8aa47f8329..2940a9854f6d8e493518ca894e0c9c630ae4ab7a 100644
> >> --- a/include/uapi/linux/bpf.h
> >> +++ b/include/uapi/linux/bpf.h
> >> @@ -2540,6 +2540,7 @@ struct __sk_buff {
> >>      __bpf_md_ptr(struct bpf_flow_keys *, flow_keys);
> >>      __u64 tstamp;
> >>      __u32 wire_len;
> >> +    __u32 gso_segs;
> >>  };
> >>
> >>  struct bpf_tunnel_key {
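
Review bot: the added `__u32 gso_segs;` member of `struct __sk_buff` carries no comment, and this is a uapi header, so programs will depend on its meaning from now on. Say next to the member that it is meant to be read-only (the commit message only speaks of reading it) and what a program sees for a packet that is not GSO.
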
> >> diff --git a/net/core/filter.c b/net/core/filter.c
> >> index 2b3b436ef5457bf44c99780d6dec0b5f403f005c..a6ff5d9a04cf06926ee75cbc523456d12baf25ae 100644
> >> --- a/net/core/filter.c
> >> +++ b/net/core/filter.c
> >> @@ -6700,6 +6700,27 @@ static u32 bpf_convert_ctx_access(enum bpf_access_type type,
> >>                                                           target_size));
> >>              break;
> >>
> >> +    case offsetof(struct __sk_buff, gso_segs):
> >> +            /* si->dst_reg = skb_shinfo(SKB); */
> >> +#ifdef NET_SKBUFF_DATA_USES_OFFSET
> >> +            *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, head),
> >> +                                  si->dst_reg, si->src_reg,
> >> +                                  offsetof(struct sk_buff, head));
> >> +            *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, end),
> >> +                                  BPF_REG_TMP, si->src_reg,
> >> +                                  offsetof(struct sk_buff, end));
> > I am not sure BPF_REG_TMP can be used for non-classic BPF.
> > The earlier insn could be using BPF_REG_TMP (which is BPF_REG_2) and
> > > R2 would be lost after this BPF_LDX_MEM.
>
> Yes, this will indeed corrupt R2 register. BPF_REG_TMP can only be used for
> reg mapping out of classic BPF.
>
> > Daniel, can BPF_REG_AX be used here as a tmp?
>
> BPF_REG_AX would work in this case, yes. Neither of the above insns are used
> in blinding nor would they collide with current verifier rewrites.
>

OK, I'll send a v3 using REG_AX then, thanks Daniel & Martin!
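
The register clobber discussed in this thread, as an added toy model that is not code from the patch or the kernel: a context load of gso_segs is expanded into several instructions, once with R2 as scratch and once with a slot the program cannot name. The word-indexed memory, the add and final load that complete the sequence, and names such as `run_with_scratch` are assumptions made for the illustration.

```c
#include <stdio.h>

/* Toy model, not kernel code. AX stands in for a slot only the rewriter may name. */
enum { R0, R1, R2, AX = 11, NREGS = 12 };
enum op { MOV_IMM, LDX, ADD_REG, LD_GSO_SEGS };
struct insn { enum op op; int dst, src; long long imm; };
/* Constructed memory in 32-bit words: skb at word 0, buffer head at word 16. */
enum { OFF_HEAD = 0, OFF_END = 1, OFF_GSO_SEGS = 2, HEAD = 16, END = 40 };
static unsigned int mem[64];

/* Expand a gso_segs context load: two loads as in the quoted hunk, then an assumed add + load. */
static int rewrite(const struct insn *in, int n, struct insn *out, int scratch)
{
    int k = 0;
    for (int i = 0; i < n; i++) {
        if (in[i].op != LD_GSO_SEGS) { out[k++] = in[i]; continue; }
        out[k++] = (struct insn){ LDX, in[i].dst, in[i].src, OFF_HEAD };
        out[k++] = (struct insn){ LDX, scratch, in[i].src, OFF_END };
        out[k++] = (struct insn){ ADD_REG, in[i].dst, scratch, 0 };
        out[k++] = (struct insn){ LDX, in[i].dst, in[i].dst, OFF_GSO_SEGS };
    }
    return k;
}

/* Run a program that keeps a live value in R2 across the context load; returns R0. */
long long run_with_scratch(int scratch)
{
    const struct insn prog[] = {
        { MOV_IMM, R2, 0, 1234 },     /* program state held in R2 */
        { LD_GSO_SEGS, R0, R1, 0 },   /* r0 = ctx->gso_segs */
        { ADD_REG, R0, R2, 0 },       /* r0 += r2 */
    };
    struct insn out[16];
    long long reg[NREGS] = { 0 };     /* R1 = 0: ctx is the skb at word 0 */
    mem[OFF_HEAD] = HEAD; mem[OFF_END] = END; mem[HEAD + END + OFF_GSO_SEGS] = 7;
    for (int pc = 0, n = rewrite(prog, 3, out, scratch); pc < n; pc++) {
        const struct insn *i = &out[pc];
        if (i->op == MOV_IMM) reg[i->dst] = i->imm;
        else if (i->op == ADD_REG) reg[i->dst] += reg[i->src];
        else if (i->op == LDX) reg[i->dst] = mem[reg[i->src] + i->imm];
    }
    return reg[R0];
}

int main(void)
{
    printf("scratch R2: %lld, scratch AX: %lld\n", run_with_scratch(R2), run_with_scratch(AX));
    return 0;
}
```

With R2 as scratch the program's own value in R2 is silently replaced by the constructed `end` offset, so the result is wrong without any fault being raised.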
