| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Feb 2021 16:20:56 +0100
From: Jesper Dangaard Brouer <brouer@...hat.com>
To: Daniel Borkmann <daniel@...earbox.net>
Cc: bpf@...r.kernel.org, netdev@...r.kernel.org,
Daniel Borkmann <borkmann@...earbox.net>,
Alexei Starovoitov <alexei.starovoitov@...il.com>,
maze@...gle.com, lmb@...udflare.com, shaun@...era.io,
Lorenzo Bianconi <lorenzo@...nel.org>, marek@...udflare.com,
John Fastabend <john.fastabend@...il.com>,
Jakub Kicinski <kuba@...nel.org>, eyal.birger@...il.com,
colrack@...il.com, David Ahern <dsahern@...nel.org>,
brouer@...hat.com
Subject: Re: [PATCH bpf-next V15 2/7] bpf: fix bpf_fib_lookup helper MTU
check for SKB ctx
On Mon, 8 Feb 2021 14:57:13 +0100
Jesper Dangaard Brouer <brouer@...hat.com> wrote:
> On Fri, 5 Feb 2021 01:06:35 +0100
> Daniel Borkmann <daniel@...earbox.net> wrote:
>
> > On 2/2/21 5:26 PM, Jesper Dangaard Brouer wrote:
> > > BPF end-user on Cilium slack-channel (Carlo Carraro) wants to use
> > > bpf_fib_lookup for doing MTU-check, but *prior* to extending packet size,
> > > by adjusting fib_params 'tot_len' with the packet length plus the expected
> > > encap size. (Just like the bpf_check_mtu helper supports). He discovered
> > > that for SKB ctx the param->tot_len was not used, instead skb->len was used
> > > (via MTU check in is_skb_forwardable() that checks against netdev MTU).
> > >
> > > Fix this by using fib_params 'tot_len' for MTU check. If not provided (e.g.
> > > zero) then keep existing TC behaviour intact. Notice that 'tot_len' for MTU
> > > check is done like XDP code-path, which checks against FIB-dst MTU.
> > >
> > > V13:
> > > - Only do ifindex lookup one time, calling dev_get_by_index_rcu().
> > >
> > > V10:
> > > - Use same method as XDP for 'tot_len' MTU check
> > >
> > > Fixes: 4c79579b44b1 ("bpf: Change bpf_fib_lookup to return lookup status")
> > > Reported-by: Carlo Carraro <colrack@...il.com>
> > > Signed-off-by: Jesper Dangaard Brouer <brouer@...hat.com>
> > > Acked-by: John Fastabend <john.fastabend@...il.com>
> > [...]
> >
> > I was about to apply the series just now, but on a last double check there is
> > a subtle logic bug in here that still needs fixing unfortunately. :/ See below:
> >
> > > @@ -5568,7 +5565,9 @@ BPF_CALL_4(bpf_skb_fib_lookup, struct sk_buff *, skb,
> > > struct bpf_fib_lookup *, params, int, plen, u32, flags)
> > > {
> > > struct net *net = dev_net(skb->dev);
> > > + struct net_device *dev;
> > > int rc = -EAFNOSUPPORT;
> > > + bool check_mtu = false;
> > >
> > > if (plen < sizeof(*params))
> > > return -EINVAL;
> > > @@ -5576,23 +5575,30 @@ BPF_CALL_4(bpf_skb_fib_lookup, struct sk_buff *, skb,
> > > if (flags & ~(BPF_FIB_LOOKUP_DIRECT | BPF_FIB_LOOKUP_OUTPUT))
> > > return -EINVAL;
> > >
> > > + dev = dev_get_by_index_rcu(net, params->ifindex);
> > > + if (unlikely(!dev))
> > > + return -ENODEV;
> >
> > Based on your earlier idea, you try to avoid refetching the dev this way, so
> > here it's being looked up via params->ifindex provided from the BPF prog ...
> >
> > > + if (params->tot_len)
> > > + check_mtu = true;
> > > +
> > > switch (params->family) {
> > > #if IS_ENABLED(CONFIG_INET)
> > > case AF_INET:
> > > - rc = bpf_ipv4_fib_lookup(net, params, flags, false);
> > > + rc = bpf_ipv4_fib_lookup(net, dev, params, flags, check_mtu);
> >
> > ... however, bpf_ipv{4,6}_fib_lookup() might change params->ifindex here to
> > indicate nexthop output dev:
> >
> > [...]
> > dev = nhc->nhc_dev;
> >
> > params->rt_metric = res.fi->fib_priority;
> > params->ifindex = dev->ifindex;
> > [...]
>
> I want to hear David Ahern, what cases does this cover?
Let me answer this myself (as it should have be obvious to myself).
The ifindex that is used as part of return param, is "set to the device
index of the nexthop from the FIB lookup" (as man-page says). The
params->ifindex will *always* be updated, and will very likely be
another ifindex, as on "input" it is the ingress-device and on
"output" it will be egress-device (result of FIB lookup).
> > > break;
> > > #endif
> > > #if IS_ENABLED(CONFIG_IPV6)
> > > case AF_INET6:
> > > - rc = bpf_ipv6_fib_lookup(net, params, flags, false);
> > > + rc = bpf_ipv6_fib_lookup(net, dev, params, flags, check_mtu);
> > > break;
> > > #endif
> > > }
> > >
> > > - if (!rc) {
> > > - struct net_device *dev;
> > > -
> > > - dev = dev_get_by_index_rcu(net, params->ifindex);
> > > + if (rc == BPF_FIB_LKUP_RET_SUCCESS && !check_mtu) {
> > > + /* When tot_len isn't provided by user,
> > > + * check skb against net_device MTU
> > > + */
> > > if (!is_skb_forwardable(dev, skb))
> > > rc = BPF_FIB_LKUP_RET_FRAG_NEEDED;
> >
> > ... so using old cached dev from above will result in wrong MTU check &
> > subsequent passing of wrong params->mtu_result = dev->mtu this way.
>
> Yes, you are right, params->ifindex have a chance to change in the calls.
> So, our attempt to save an ifindex lookup (dev_get_by_index_rcu) is not
> correct.
>
> > So one
> > way to fix is that we would need to pass &dev to bpf_ipv{4,6}_fib_lookup().
>
> Ok, I will try to code it up, and see how ugly it looks, but I'm no
> longer sure that it is worth saving this ifindex lookup, as it will
> only happen if BPF-prog didn't specify params->tot_len.
I guess we can still do this as an "optimization", but the dev/ifindex
will very likely be another at this point.
--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Principal Kernel Engineer at Red Hat
LinkedIn: http://www.linkedin.com/in/brouer
Powered by blists - more mailing lists