| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <602adaa11468c_3ed41208c5@john-XPS-13-9370.notmuch>
Date: Mon, 15 Feb 2021 12:33:37 -0800
From: John Fastabend <john.fastabend@...il.com>
To: Maciej Fijalkowski <maciej.fijalkowski@...el.com>,
daniel@...earbox.net, ast@...nel.org, bpf@...r.kernel.org,
netdev@...r.kernel.org
Cc: andrii@...nel.org, toke@...hat.com, bjorn.topel@...el.com,
magnus.karlsson@...el.com, ciara.loftus@...el.com,
Maciej Fijalkowski <maciej.fijalkowski@...el.com>
Subject: RE: [PATCH bpf-next 2/3] libbpf: clear map_info before each
bpf_obj_get_info_by_fd
Maciej Fijalkowski wrote:
> xsk_lookup_bpf_maps, based on prog_fd, looks whether current prog has a
> reference to XSKMAP. BPF prog can include insns that work on various BPF
> maps and this is covered by iterating through map_ids.
>
> The bpf_map_info that is passed to bpf_obj_get_info_by_fd for filling
> needs to be cleared at each iteration, so that it doesn't any outdated
> fields and that is currently missing in the function of interest.
>
> To fix that, zero-init map_info via memset before each
> bpf_obj_get_info_by_fd call.
>
> Also, since the area of this code is touched, in general strcmp is
> considered harmful, so let's convert it to strncmp and provide the
> length of the array name that we're looking for.
>
> Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@...el.com>
> ---
This is a bugfix independent of the link bits correct? Would be best
to send to bpf then.
> tools/lib/bpf/xsk.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/tools/lib/bpf/xsk.c b/tools/lib/bpf/xsk.c
> index 5911868efa43..fb259c0bba93 100644
> --- a/tools/lib/bpf/xsk.c
> +++ b/tools/lib/bpf/xsk.c
> @@ -616,6 +616,7 @@ static int xsk_lookup_bpf_maps(struct xsk_socket *xsk)
> __u32 i, *map_ids, num_maps, prog_len = sizeof(struct bpf_prog_info);
> __u32 map_len = sizeof(struct bpf_map_info);
> struct bpf_prog_info prog_info = {};
> + const char *map_name = "xsks_map";
> struct xsk_ctx *ctx = xsk->ctx;
> struct bpf_map_info map_info;
> int fd, err;
> @@ -645,13 +646,14 @@ static int xsk_lookup_bpf_maps(struct xsk_socket *xsk)
> if (fd < 0)
> continue;
>
> + memset(&map_info, 0, map_len);
> err = bpf_obj_get_info_by_fd(fd, &map_info, &map_len);
> if (err) {
> close(fd);
> continue;
> }
>
> - if (!strcmp(map_info.name, "xsks_map")) {
> + if (!strncmp(map_info.name, map_name, strlen(map_name))) {
> ctx->xsks_map_fd = fd;
> continue;
Also just looking at this how is above not buggy? Should be a break instead
of continue? If we match another "xsks_map" here won't we stomp on xsks_map_fd
and leak a file descriptor?
> }
> --
> 2.20.1
>
Powered by blists - more mailing lists