lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 28 Oct 2021 11:26:00 +0200
From:   Lorenzo Bianconi <lorenzo@...nel.org>
To:     Daniel Borkmann <daniel@...earbox.net>
Cc:     bpf@...r.kernel.org, netdev@...r.kernel.org,
        lorenzo.bianconi@...hat.com, davem@...emloft.net, kuba@...nel.org,
        ast@...nel.org, shayagr@...zon.com, john.fastabend@...il.com,
        dsahern@...nel.org, brouer@...hat.com, echaudro@...hat.com,
        jasowang@...hat.com, alexander.duyck@...il.com, saeed@...nel.org,
        maciej.fijalkowski@...el.com, magnus.karlsson@...el.com,
        tirthendu.sarkar@...el.com, toke@...hat.com
Subject: Re: [PATCH v16 bpf-next 19/20] net: xdp: introduce bpf_xdp_pointer
 utility routine

> On 10/15/21 3:08 PM, Lorenzo Bianconi wrote:
> [...]
> > +static void *bpf_xdp_pointer(struct xdp_buff *xdp, u32 offset,
> > +			     u32 len, void *buf)
> > +{
> > +	struct skb_shared_info *sinfo = xdp_get_shared_info_from_buff(xdp);
> > +	u32 size = xdp->data_end - xdp->data;
> > +	void *addr = xdp->data;
> > +	u32 frame_sz = size;
> > +	int i;
> > +
> > +	if (xdp_buff_is_mb(xdp))
> > +		frame_sz += sinfo->xdp_frags_size;
> > +
> > +	if (offset + len > frame_sz)
> > +		return ERR_PTR(-EINVAL);
> 
> Given offset is ARG_ANYTHING, the above could overflow. In bpf_skb_*_bytes() we
> guard with offset > 0xffff.

ack, I will fix it in v17

> 
> > +	if (offset < size) /* linear area */
> > +		goto out;
> > +
> > +	offset -= size;
> > +	for (i = 0; i < sinfo->nr_frags; i++) { /* paged area */
> > +		u32 frag_size = skb_frag_size(&sinfo->frags[i]);
> > +
> > +		if  (offset < frag_size) {
> > +			addr = skb_frag_address(&sinfo->frags[i]);
> > +			size = frag_size;
> > +			break;
> > +		}
> > +		offset -= frag_size;
> > +	}
> > +
> > +out:
> > +	if (offset + len < size)
> > +		return addr + offset; /* fast path - no need to copy */
> > +
> > +	if (!buf) /* no copy to the bounce buffer */
> > +		return NULL;
> > +
> > +	/* slow path - we need to copy data into the bounce buffer */
> > +	bpf_xdp_copy_buf(xdp, offset, len, buf, false);
> > +	return buf;
> > +}
> > +
> > +BPF_CALL_4(bpf_xdp_load_bytes, struct xdp_buff *, xdp, u32, offset,
> > +	   void *, buf, u32, len)
> > +{
> > +	void *ptr;
> > +
> > +	ptr = bpf_xdp_pointer(xdp, offset, len, buf);
> > +	if (ptr == ERR_PTR(-EINVAL))
> > +		return -EINVAL;
> 
> nit + same below in *_store_bytes(): IS_ERR(ptr) return PTR_ERR(ptr); ? (Or
> should we just return -EFAULT to make it analog to bpf_skb_{load,store}_bytes()?
> Either is okay, imho.)

ack, I will fix it in v17

> 
> > +	if (ptr != buf)
> > +		memcpy(buf, ptr, len);
> > +
> > +	return 0;
> > +}
> > +
> > +static const struct bpf_func_proto bpf_xdp_load_bytes_proto = {
> > +	.func		= bpf_xdp_load_bytes,
> > +	.gpl_only	= false,
> > +	.ret_type	= RET_INTEGER,
> > +	.arg1_type	= ARG_PTR_TO_CTX,
> > +	.arg2_type	= ARG_ANYTHING,
> > +	.arg3_type	= ARG_PTR_TO_MEM,
> 
> ARG_PTR_TO_UNINIT_MEM, or do you need the dst buffer to be initialized?

no, I think it is ok, I will fix it in v17.

> 
> > +	.arg4_type	= ARG_CONST_SIZE_OR_ZERO,
> 
> ARG_CONST_SIZE

ack, I will fix it in v17

> 
> > +};
> > +
> > +BPF_CALL_4(bpf_xdp_store_bytes, struct xdp_buff *, xdp, u32, offset,
> > +	   void *, buf, u32, len)
> > +{
> > +	void *ptr;
> > +
> > +	ptr = bpf_xdp_pointer(xdp, offset, len, NULL);
> > +	if (ptr == ERR_PTR(-EINVAL))
> > +		return -EINVAL;
> > +
> > +	if (!ptr)
> > +		bpf_xdp_copy_buf(xdp, offset, len, buf, true);
> > +	else
> > +		memcpy(ptr, buf, len);
> > +
> > +	return 0;
> > +}
> > +
> > +static const struct bpf_func_proto bpf_xdp_store_bytes_proto = {
> > +	.func		= bpf_xdp_store_bytes,
> > +	.gpl_only	= false,
> > +	.ret_type	= RET_INTEGER,
> > +	.arg1_type	= ARG_PTR_TO_CTX,
> > +	.arg2_type	= ARG_ANYTHING,
> > +	.arg3_type	= ARG_PTR_TO_MEM,
> > +	.arg4_type	= ARG_CONST_SIZE_OR_ZERO,
> 
> ARG_CONST_SIZE, or do you have a use case for bpf_xdp_store_bytes(..., buf, 0)?

ack, I think we do not need it. I will fix it in v17

Regards,
Lorenzo

> 
> > +};
> > +
> >   static int bpf_xdp_mb_increase_tail(struct xdp_buff *xdp, int offset)
> >   {
> >   	struct skb_shared_info *sinfo = xdp_get_shared_info_from_buff(xdp);
> > @@ -7619,6 +7749,10 @@ xdp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> >   		return &bpf_xdp_adjust_tail_proto;
> >   	case BPF_FUNC_xdp_get_buff_len:
> >   		return &bpf_xdp_get_buff_len_proto;
> > +	case BPF_FUNC_xdp_load_bytes:
> > +		return &bpf_xdp_load_bytes_proto;
> > +	case BPF_FUNC_xdp_store_bytes:
> > +		return &bpf_xdp_store_bytes_proto;
> >   	case BPF_FUNC_fib_lookup:
> >   		return &bpf_xdp_fib_lookup_proto;
> >   	case BPF_FUNC_check_mtu:
> > diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
> > index 1cb992ec0cc8..dad1d8c3a4c1 100644
> > --- a/tools/include/uapi/linux/bpf.h
> > +++ b/tools/include/uapi/linux/bpf.h
> > @@ -4920,6 +4920,22 @@ union bpf_attr {
> >    *		Get the total size of a given xdp buff (linear and paged area)
> >    *	Return
> >    *		The total size of a given xdp buffer.
> > + *
> > + * long bpf_xdp_load_bytes(struct xdp_buff *xdp_md, u32 offset, void *buf, u32 len)
> > + *	Description
> > + *		This helper is provided as an easy way to load data from a
> > + *		xdp buffer. It can be used to load *len* bytes from *offset* from
> > + *		the frame associated to *xdp_md*, into the buffer pointed by
> > + *		*buf*.
> > + *	Return
> > + *		0 on success, or a negative error in case of failure.
> > + *
> > + * long bpf_xdp_store_bytes(struct xdp_buff *xdp_md, u32 offset, void *buf, u32 len)
> > + *	Description
> > + *		Store *len* bytes from buffer *buf* into the frame
> > + *		associated to *xdp_md*, at *offset*.
> > + *	Return
> > + *		0 on success, or a negative error in case of failure.
> >    */
> >   #define __BPF_FUNC_MAPPER(FN)		\
> >   	FN(unspec),			\
> > @@ -5101,6 +5117,8 @@ union bpf_attr {
> >   	FN(get_branch_snapshot),	\
> >   	FN(trace_vprintk),		\
> >   	FN(xdp_get_buff_len),		\
> > +	FN(xdp_load_bytes),		\
> > +	FN(xdp_store_bytes),		\
> >   	/* */
> >   /* integer value in 'imm' field of BPF_CALL instruction selects which helper
> > 
> 

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists