| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87r1chf2h7.fsf@cloudflare.com>
Date: Tue, 19 Oct 2021 17:39:32 +0200
From: Jakub Sitnicki <jakub@...udflare.com>
To: John Fastabend <john.fastabend@...il.com>
Cc: bpf@...r.kernel.org, netdev@...r.kernel.org, daniel@...earbox.net,
joamaki@...il.com, xiyou.wangcong@...il.com
Subject: Re: [PATCH bpf 3/4] bpf: sockmap, strparser, and tls are reusing
qdisc_skb_cb and colliding
On Mon, Oct 11, 2021 at 09:16 PM CEST, John Fastabend wrote:
> Strparser is reusing the qdisc_skb_cb struct to stash the skb message
> handling progress, e.g. offset and length of the skb. First this is
> poorly named and inherits a struct from qdisc that doesn't reflect the
> actual usage of cb[] at this layer.
>
> But, more importantly strparser is using the following to access its
> metadata.
>
> (struct _strp_msg *)((void *)skb->cb + offsetof(struct qdisc_skb_cb, data))
>
> Where _strp_msg is defined as,
>
> struct _strp_msg {
> struct strp_msg strp; /* 0 8 */
> int accum_len; /* 8 4 */
>
> /* size: 12, cachelines: 1, members: 2 */
> /* last cacheline: 12 bytes */
> };
>
> So we use 12 bytes of ->data[] in struct. However in BPF code running
> parser and verdict the user has read capabilities into the data[]
> array as well. Its not too problematic, but we should not be
> exposing internal state to BPF program. If its really needed then we can
> use the probe_read() APIs which allow reading kernel memory. And I don't
> believe cb[] layer poses any API breakage by moving this around because
> programs can't depend on cb[] across layers.
>
> In order to fix another issue with a ctx rewrite we need to stash a temp
> variable somewhere. To make this work cleanly this patch builds a cb
> struct for sk_skb types called sk_skb_cb struct. Then we can use this
> consistently in the strparser, sockmap space. Additionally we can
> start allowing ->cb[] write access after this.
>
> Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface"
> Signed-off-by: John Fastabend <john.fastabend@...il.com>
> ---
> include/net/strparser.h | 16 +++++++++++++++-
> net/core/filter.c | 22 ++++++++++++++++++++++
> net/strparser/strparser.c | 10 +---------
> 3 files changed, 38 insertions(+), 10 deletions(-)
>
> diff --git a/include/net/strparser.h b/include/net/strparser.h
> index 1d20b98493a1..bec1439bd3be 100644
> --- a/include/net/strparser.h
> +++ b/include/net/strparser.h
> @@ -54,10 +54,24 @@ struct strp_msg {
> int offset;
> };
>
> +struct _strp_msg {
> + /* Internal cb structure. struct strp_msg must be first for passing
> + * to upper layer.
> + */
> + struct strp_msg strp;
> + int accum_len;
> +};
> +
> +struct sk_skb_cb {
> +#define SK_SKB_CB_PRIV_LEN 20
Nit: Would consider reusing BPF_SKB_CB_LEN from linux/filter.h.
net/bpf/test_run.c should probably use it too, instead of
QDISC_CB_PRIV_LEN.
> + unsigned char data[SK_SKB_CB_PRIV_LEN];
> + struct _strp_msg strp;
> +};
> +
> static inline struct strp_msg *strp_msg(struct sk_buff *skb)
> {
> return (struct strp_msg *)((void *)skb->cb +
> - offsetof(struct qdisc_skb_cb, data));
> + offsetof(struct sk_skb_cb, strp));
> }
>
> /* Structure for an attached lower socket */
[...]
Reviewed-by: Jakub Sitnicki <jakub@...udflare.com>
Powered by blists - more mailing lists