lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Thu, 14 Apr 2022 00:23:00 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Liu Jian <liujian56@...wei.com>, ast@...nel.org, andrii@...nel.org,
        kafai@...com, songliubraving@...com, yhs@...com,
        john.fastabend@...il.com, kpsingh@...nel.org, davem@...emloft.net,
        kuba@...nel.org, sdf@...gle.com, netdev@...r.kernel.org,
        bpf@...r.kernel.org
Subject: Re: [PATCH bpf v2 1/2] net: Enlarge offset check value from 0xffff to
 INT_MAX in bpf_skb_load_bytes

On 4/13/22 8:21 AM, Liu Jian wrote:
> The data length of skb frags + frag_list may be greater than 0xffff,
> and skb_header_pointer can not handle negative offset and negative len.
> So here INT_MAX is used to check the validity of offset and len.
> Add the same change to the related function skb_store_bytes.
> 
> Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper")
> Signed-off-by: Liu Jian <liujian56@...wei.com>
> Acked-by: Song Liu <songliubraving@...com>
> ---
> v1->v2: change nothing, only add Acked-by tag
>   net/core/filter.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 64470a727ef7..1571b6bc51ea 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -1687,7 +1687,7 @@ BPF_CALL_5(bpf_skb_store_bytes, struct sk_buff *, skb, u32, offset,
>   
>   	if (unlikely(flags & ~(BPF_F_RECOMPUTE_CSUM | BPF_F_INVALIDATE_HASH)))
>   		return -EINVAL;
> -	if (unlikely(offset > 0xffff))
> +	if (unlikely(offset > INT_MAX || len > INT_MAX))
>   		return -EFAULT;
>   	if (unlikely(bpf_try_make_writable(skb, offset + len)))
>   		return -EFAULT;
> @@ -1722,7 +1722,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset,
>   {
>   	void *ptr;
>   
> -	if (unlikely(offset > 0xffff))
> +	if (unlikely(offset > INT_MAX || len > INT_MAX))
>   		goto err_clear;
>   
>   	ptr = skb_header_pointer(skb, offset, len, to);
> 

While at it, lets also change skb_ensure_writable()'s write_len param to unsigned int
type. Both pskb_may_pull() and skb_clone_writable()'s length parameters are of type
unsigned int already.

Powered by blists - more mailing lists