| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Jan 2020 22:23:45 +0000
From: Martin Lau <kafai@...com>
To: Jakub Sitnicki <jakub@...udflare.com>
CC: "bpf@...r.kernel.org" <bpf@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"kernel-team@...udflare.com" <kernel-team@...udflare.com>,
Eric Dumazet <edumazet@...gle.com>,
"John Fastabend" <john.fastabend@...il.com>,
Lorenz Bauer <lmb@...udflare.com>
Subject: Re: [PATCH bpf-next v2 04/11] tcp_bpf: Don't let child socket inherit
parent protocol ops on copy
On Fri, Jan 10, 2020 at 11:50:20AM +0100, Jakub Sitnicki wrote:
> Prepare for cloning listening sockets that have their protocol callbacks
> overridden by sk_msg. Child sockets must not inherit parent callbacks that
> access state stored in sk_user_data owned by the parent.
>
> Restore the child socket protocol callbacks before the it gets hashed and
> any of the callbacks can get invoked.
>
> Signed-off-by: Jakub Sitnicki <jakub@...udflare.com>
> ---
> include/net/tcp.h | 1 +
> net/ipv4/tcp_bpf.c | 13 +++++++++++++
> net/ipv4/tcp_minisocks.c | 2 ++
> 3 files changed, 16 insertions(+)
>
> diff --git a/include/net/tcp.h b/include/net/tcp.h
> index 9dd975be7fdf..7cbf9465bb10 100644
> --- a/include/net/tcp.h
> +++ b/include/net/tcp.h
> @@ -2181,6 +2181,7 @@ int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
> int nonblock, int flags, int *addr_len);
> int __tcp_bpf_recvmsg(struct sock *sk, struct sk_psock *psock,
> struct msghdr *msg, int len, int flags);
> +void tcp_bpf_clone(const struct sock *sk, struct sock *child);
>
> /* Call BPF_SOCK_OPS program that returns an int. If the return value
> * is < 0, then the BPF op failed (for example if the loaded BPF
> diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
> index f6c83747c71e..6f96320fb7cf 100644
> --- a/net/ipv4/tcp_bpf.c
> +++ b/net/ipv4/tcp_bpf.c
> @@ -586,6 +586,19 @@ static void tcp_bpf_close(struct sock *sk, long timeout)
> saved_close(sk, timeout);
> }
>
> +/* If a child got cloned from a listening socket that had tcp_bpf
> + * protocol callbacks installed, we need to restore the callbacks to
> + * the default ones because the child does not inherit the psock state
> + * that tcp_bpf callbacks expect.
> + */
> +void tcp_bpf_clone(const struct sock *sk, struct sock *newsk)
> +{
> + struct proto *prot = newsk->sk_prot;
> +
> + if (prot->recvmsg == tcp_bpf_recvmsg)
A question not related to this patch (may be it is more for patch 6).
How tcp_bpf_recvmsg may be used for a listening sock (sk here)?
> + newsk->sk_prot = sk->sk_prot_creator;
> +}
> +
Powered by blists - more mailing lists