| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 2 Aug 2020 18:25:25 -0700
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Yonghong Song <yhs@...com>
Cc: bpf <bpf@...r.kernel.org>, Networking <netdev@...r.kernel.org>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Kernel Team <kernel-team@...com>
Subject: Re: [PATCH bpf-next 1/2] bpf: change uapi for bpf iterator map elements
On Sat, Aug 1, 2020 at 9:22 PM Yonghong Song <yhs@...com> wrote:
>
> Commit a5cbe05a6673 ("bpf: Implement bpf iterator for
> map elements") added bpf iterator support for
> map elements. The map element bpf iterator requires
> info to identify a particular map. In the above
> commit, the attr->link_create.target_fd is used
> to carry map_fd and an enum bpf_iter_link_info
> is added to uapi to specify the target_fd actually
> representing a map_fd:
> enum bpf_iter_link_info {
> BPF_ITER_LINK_UNSPEC = 0,
> BPF_ITER_LINK_MAP_FD = 1,
>
> MAX_BPF_ITER_LINK_INFO,
> };
>
> This is an extensible approach as we can grow
> enumerator for pid, cgroup_id, etc. and we can
> unionize target_fd for pid, cgroup_id, etc.
> But in the future, there are chances that
> more complex customization may happen, e.g.,
> for tasks, it could be filtered based on
> both cgroup_id and user_id.
>
> This patch changed the uapi to have fields
> __aligned_u64 iter_info;
> __u32 iter_info_len;
> for additional iter_info for link_create.
> The iter_info is defined as
> union bpf_iter_link_info {
> struct {
> __u32 map_fd;
> } map;
> };
>
> So future extension for additional customization
> will be easier. The bpf_iter_link_info will be
> passed to target callback to validate and generic
> bpf_iter framework does not need to deal it any
> more.
>
> Signed-off-by: Yonghong Song <yhs@...com>
> ---
> include/linux/bpf.h | 10 ++++---
> include/uapi/linux/bpf.h | 15 +++++-----
> kernel/bpf/bpf_iter.c | 52 +++++++++++++++-------------------
> kernel/bpf/map_iter.c | 37 ++++++++++++++++++------
> kernel/bpf/syscall.c | 2 +-
> net/core/bpf_sk_storage.c | 37 ++++++++++++++++++------
> tools/include/uapi/linux/bpf.h | 15 +++++-----
> 7 files changed, 104 insertions(+), 64 deletions(-)
>
[...]
> int bpf_iter_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
> {
> + union bpf_iter_link_info __user *ulinfo;
> struct bpf_link_primer link_primer;
> struct bpf_iter_target_info *tinfo;
> - struct bpf_iter_aux_info aux = {};
> + union bpf_iter_link_info linfo;
> struct bpf_iter_link *link;
> - u32 prog_btf_id, target_fd;
> + u32 prog_btf_id, linfo_len;
> bool existed = false;
> - struct bpf_map *map;
> int err;
>
> + memset(&linfo, 0, sizeof(union bpf_iter_link_info));
> +
> + ulinfo = u64_to_user_ptr(attr->link_create.iter_info);
> + linfo_len = attr->link_create.iter_info_len;
> + if (ulinfo && linfo_len) {
We probably want to be more strict here: if either pointer or len is
non-zero, both should be present and valid. Otherwise we can have
garbage in iter_info, as long as iter_info_len is zero.
> + err = bpf_check_uarg_tail_zero(ulinfo, sizeof(linfo),
> + linfo_len);
> + if (err)
> + return err;
> + linfo_len = min_t(u32, linfo_len, sizeof(linfo));
> + if (copy_from_user(&linfo, ulinfo, linfo_len))
> + return -EFAULT;
> + }
> +
> prog_btf_id = prog->aux->attach_btf_id;
> mutex_lock(&targets_mutex);
> list_for_each_entry(tinfo, &targets, list) {
> @@ -411,13 +425,6 @@ int bpf_iter_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
> if (!existed)
> return -ENOENT;
>
> - /* Make sure user supplied flags are target expected. */
> - target_fd = attr->link_create.target_fd;
> - if (attr->link_create.flags != tinfo->reg_info->req_linfo)
> - return -EINVAL;
> - if (!attr->link_create.flags && target_fd)
> - return -EINVAL;
> -
Please still ensure that no flags are specified.
> link = kzalloc(sizeof(*link), GFP_USER | __GFP_NOWARN);
> if (!link)
> return -ENOMEM;
> @@ -431,28 +438,15 @@ int bpf_iter_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
> return err;
> }
>
[...]
> -static int bpf_iter_check_map(struct bpf_prog *prog,
> - struct bpf_iter_aux_info *aux)
> +static int bpf_iter_attach_map(struct bpf_prog *prog,
> + union bpf_iter_link_info *linfo,
> + struct bpf_iter_aux_info *aux)
> {
> - struct bpf_map *map = aux->map;
> + struct bpf_map *map;
> + int err = -EINVAL;
>
> - if (map->map_type != BPF_MAP_TYPE_SK_STORAGE)
> + if (!linfo->map.map_fd)
> return -EINVAL;
This could be -EBADF?
>
> - if (prog->aux->max_rdonly_access > map->value_size)
> - return -EACCES;
> + map = bpf_map_get_with_uref(linfo->map.map_fd);
> + if (IS_ERR(map))
> + return PTR_ERR(map);
> +
> + if (map->map_type != BPF_MAP_TYPE_SK_STORAGE)
> + goto put_map;
> +
> + if (prog->aux->max_rdonly_access > map->value_size) {
> + err = -EACCES;
> + goto put_map;
> + }
[...]
Powered by blists - more mailing lists