lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <d3aa0c80-f73a-3325-e39b-e2e880043acc@iogearbox.net>
Date:   Fri, 18 Mar 2022 14:48:16 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Liu Jian <liujian56@...wei.com>, ast@...nel.org, andrii@...nel.org,
        kafai@...com, songliubraving@...com, yhs@...com,
        john.fastabend@...il.com, kpsingh@...nel.org, davem@...emloft.net,
        kuba@...nel.org, sdf@...gle.com, netdev@...r.kernel.org,
        bpf@...r.kernel.org
Subject: Re: [PATCH bpf-next v2] net: Enlarge offset check value from 0xffff
 to 0x7fffffff in bpf_skb_load_bytes

On 3/18/22 2:12 AM, Liu Jian wrote:
> The data length of skb frags + frag_list may be greater than 0xffff,
> and skb_header_pointer can not handle negative offset and negative len.
> So here 0x7ffffff is used to check the validity of offset and len.
> 
> Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper")
> Signed-off-by: Liu Jian <liujian56@...wei.com>
> ---
> v1->v2: sorry for this, change 0x7ffffffff to 0x7fffffff
>   net/core/filter.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 9eb785842258..17865b896f7d 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -1722,7 +1722,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset,
>   {
>   	void *ptr;
>   
> -	if (unlikely(offset > 0xffff))
> +	if (unlikely(offset > 0x7fffffff || len > 0x7fffffff))
>   		goto err_clear;

What are those magic numbers (and why not < 0 check)? Also, it's ugly you're adding
these for skb_load_bytes but not skb_store_bytes, both are used in combination from
tc BPF side. Can we come up with something better that works for both?

Given you had to change this between v1 -> v2 from 0x7ffffffff to 0x7fffffff, please
also add BPF selftests with corner cases so this gets properly tested.

>   	ptr = skb_header_pointer(skb, offset, len, to);
> 

Thanks,
Daniel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ