lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 May 2019 22:01:47 +0000 From: Martin Lau <kafai@...com> To: Eric Dumazet <eric.dumazet@...il.com> CC: "bpf@...r.kernel.org" <bpf@...r.kernel.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, Alexei Starovoitov <ast@...com>, Daniel Borkmann <daniel@...earbox.net>, Kernel Team <Kernel-team@...com>, Joe Stringer <joe@...valent.com> Subject: Re: [PATCH bpf] bpf: Check sk_fullsock() before returning from bpf_sk_lookup() On Fri, May 17, 2019 at 02:51:48PM -0700, Eric Dumazet wrote: > > > On 5/17/19 2:21 PM, Martin KaFai Lau wrote: > > The BPF_FUNC_sk_lookup_xxx helpers return RET_PTR_TO_SOCKET_OR_NULL. > > Meaning a fullsock ptr and its fullsock's fields in bpf_sock can be > > accessed, e.g. type, protocol, mark and priority. > > Some new helper, like bpf_sk_storage_get(), also expects > > ARG_PTR_TO_SOCKET is a fullsock. > > > > bpf_sk_lookup() currently calls sk_to_full_sk() before returning. > > However, the ptr returned from sk_to_full_sk() is not guaranteed > > to be a fullsock. For example, it cannot get a fullsock if sk > > is in TCP_TIME_WAIT. > > > > This patch checks for sk_fullsock() before returning. If it is not > > a fullsock, sock_gen_put() is called if needed and then returns NULL. > > > > Fixes: 6acc9b432e67 ("bpf: Add helper to retrieve socket in BPF") > > Cc: Joe Stringer <joe@...valent.com> > > Signed-off-by: Martin KaFai Lau <kafai@...com> > > --- > > net/core/filter.c | 16 ++++++++++++++-- > > 1 file changed, 14 insertions(+), 2 deletions(-) > > > > diff --git a/net/core/filter.c b/net/core/filter.c > > index 55bfc941d17a..85def5a20aaf 100644 > > --- a/net/core/filter.c > > +++ b/net/core/filter.c > > @@ -5337,8 +5337,14 @@ __bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len, > > struct sock *sk = __bpf_skc_lookup(skb, tuple, len, caller_net, > > ifindex, proto, netns_id, flags); > > > > - if (sk) > > + if (sk) { > > sk = sk_to_full_sk(sk); > > + if (!sk_fullsock(sk)) { > > + if (!sock_flag(sk, SOCK_RCU_FREE)) > > + sock_gen_put(sk); > > This looks a bit convoluted/weird. > > What about telling/asking __bpf_skc_lookup() to not return a non fullsock instead ? It is becausee some other helpers, like BPF_FUNC_skc_lookup_tcp, can return non fullsock. > > > + return NULL; > > + } > > + } > > > > return sk; > > } > > @@ -5369,8 +5375,14 @@ bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len, > > struct sock *sk = bpf_skc_lookup(skb, tuple, len, proto, netns_id, > > flags); > > > > - if (sk) > > + if (sk) { > > sk = sk_to_full_sk(sk); > > + if (!sk_fullsock(sk)) { > > + if (!sock_flag(sk, SOCK_RCU_FREE)) > > + sock_gen_put(sk); > > + return NULL; > > + } > > + } > > > > return sk; > > } > >
Powered by blists - more mailing lists