lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <BYAPR10MB2680B63C684345098E6E7669E3070@BYAPR10MB2680.namprd10.prod.outlook.com>
Date:   Tue, 21 May 2019 23:52:43 +0000
From:   Matthew Cover <matthew.cover@...ckpath.com>
To:     Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Martin KaFai Lau <kafai@...com>,
        Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
        "David S. Miller" <davem@...emloft.net>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "bpf@...r.kernel.org" <bpf@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC:     Matthew Cover <werekraken@...il.com>
Subject: tc_classid access in skb bpf context

__sk_buff has a member tc_classid which I'm interested in accessing from the skb bpf context.

A bpf program which accesses skb->tc_classid compiles, but fails verification; the specific failure is "invalid bpf_context access".

if (skb->tc_classid != 0)
 return 1;
return 0;

Some of the tests in tools/testing/selftests/bpf/verifier/ (those on tc_classid) further confirm that this is, in all likelihood, intentional behavior.

The very similar bpf program which instead accesses skb->mark works as desired.

if (skb->mark != 0)
 return 1;
return 0;

I built a kernel (v5.1) with 4 instances of the following line removed from net/core/filter.c to test the behavior when the instructions pass verification.

    switch (off) {
-    case bpf_ctx_range(struct __sk_buff, tc_classid):
...
        return false;

It appears skb->tc_classid is always zero within my bpf program, even when I verify by other means (e.g. netfilter) that the value is set non-zero.

I gather that sk_buff proper sometimes (i.e. at some layers) has qdisc_skb_cb stored in skb->cb, but not always.

I suspect that the tc_classid is available at l3 (and therefore to utils like netfilter, ip route, tc), but not at l2 (and not to AF_PACKET).

Is it impractical to make skb->tc_classid available in this bpf context or is there just some plumbing which hasn't been connected yet?

Is my suspicion that skb->cb no longer contains qdisc_skb_cb due to crossing a layer boundary well founded?

I'm willing to look into hooking things together as time permits if it's a feasible task.

It's trivial to have iptables match on tc_classid and set a mark which is available to bpf at l2, but I'd like to better understand this.

Thanks,
Matt C.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ