| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEf4Bzb_FAOMK+8J+wyvbR2etYFDU1ae=P3pwW3fzfcWctZ1Xw@mail.gmail.com>
Date: Tue, 20 Jul 2021 13:27:12 -0700
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Martynas Pumputis <m@...bda.lt>
Cc: Networking <netdev@...r.kernel.org>,
Hangbin Liu <haliu@...hat.com>,
Stephen Hemminger <stephen@...workplumber.org>,
David Ahern <dsahern@...il.com>
Subject: Re: [PATCH iproute2] libbpf: fix attach of prog with multiple sections
On Mon, Jul 5, 2021 at 5:44 AM Martynas Pumputis <m@...bda.lt> wrote:
>
> When BPF programs which consists of multiple executable sections via
> iproute2+libbpf (configured with LIBBPF_FORCE=on), we noticed that a
> wrong section can be attached to a device. E.g.:
>
> # tc qdisc replace dev lxc_health clsact
> # tc filter replace dev lxc_health ingress prio 1 \
> handle 1 bpf da obj bpf_lxc.o sec from-container
> # tc filter show dev lxc_health ingress filter protocol all
> pref 1 bpf chain 0 filter protocol all pref 1 bpf chain 0
> handle 0x1 bpf_lxc.o:[__send_drop_notify] <-- WRONG SECTION
> direct-action not_in_hw id 38 tag 7d891814eda6809e jited
>
> After taking a closer look into load_bpf_object() in lib/bpf_libbpf.c,
> we noticed that the filter used in the program iterator does not check
> whether a program section name matches a requested section name
> (cfg->section). This can lead to a wrong prog FD being used to attach
> the program.
>
> Fixes: 6d61a2b55799 ("lib: add libbpf support")
> Signed-off-by: Martynas Pumputis <m@...bda.lt>
> ---
> lib/bpf_libbpf.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/lib/bpf_libbpf.c b/lib/bpf_libbpf.c
> index d05737a4..f76b90d2 100644
> --- a/lib/bpf_libbpf.c
> +++ b/lib/bpf_libbpf.c
> @@ -267,10 +267,12 @@ static int load_bpf_object(struct bpf_cfg_in *cfg)
> }
>
> bpf_object__for_each_program(p, obj) {
> + bool prog_to_attach = !prog && cfg->section &&
> + !strcmp(get_bpf_program__section_name(p), cfg->section);
This is still problematic, because one section can have multiple BPF
programs. I.e., it's possible two define two or more XDP BPF programs
all with SEC("xdp") and libbpf works just fine with that. I suggest
moving users to specify the program name (i.e., C function name
representing the BPF program). All the xdp_mycustom_suffix namings are
a hack and will be rejected by libbpf 1.0, so it would be great to get
a head start on fixing this early on.
> +
> /* Only load the programs that will either be subsequently
> * attached or inserted into a tail call map */
> - if (find_legacy_tail_calls(p, obj) < 0 && cfg->section &&
> - strcmp(get_bpf_program__section_name(p), cfg->section)) {
> + if (find_legacy_tail_calls(p, obj) < 0 && !prog_to_attach) {
> ret = bpf_program__set_autoload(p, false);
> if (ret)
> return -EINVAL;
> @@ -279,7 +281,8 @@ static int load_bpf_object(struct bpf_cfg_in *cfg)
>
> bpf_program__set_type(p, cfg->type);
> bpf_program__set_ifindex(p, cfg->ifindex);
> - if (!prog)
> +
> + if (prog_to_attach)
> prog = p;
> }
>
> --
> 2.32.0
>
Powered by blists - more mailing lists