| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f1417959-4b0d-7c33-4b2b-08989bb86b23@redhat.com>
Date: Thu, 21 Apr 2022 18:27:47 +0200
From: Jesper Dangaard Brouer <jbrouer@...hat.com>
To: Larysa Zaremba <larysa.zaremba@...el.com>,
bpf <bpf@...r.kernel.org>
Cc: brouer@...hat.com, netdev <netdev@...r.kernel.org>,
Andrii Nakryiko <andrii@...nel.org>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Toke Hoiland-Jorgensen <toke@...hat.com>,
Magnus Karlsson <magnus.karlsson@...el.com>,
Maciej Fijalkowski <maciej.fijalkowski@...el.com>,
Alexander Lobakin <alexandr.lobakin@...el.com>,
"xdp-hints@...-project.net" <xdp-hints@...-project.net>
Subject: Re: Accessing XDP packet memory from the end
On 21/04/2022 17.56, Larysa Zaremba wrote:
> Dear all,
> Our team has encountered a need of accessing data_meta in a following way:
>
> int xdp_meta_prog(struct xdp_md *ctx)
> {
> void *data_meta_ptr = (void *)(long)ctx->data_meta;
> void *data_end = (void *)(long)ctx->data_end;
> void *data = (void *)(long)ctx->data;
> u64 data_size = sizeof(u32);
> u32 magic_meta;
> u8 offset;
>
> offset = (u8)((s64)data - (s64)data_meta_ptr);
I'm not sure the verifier can handle this 'offset' calc. As it cannot
statically know the sized based on this statement. Maybe this is not the
issue.
> if (offset < data_size) {
> bpf_printk("invalid offset: %ld\n", offset);
> return XDP_DROP;
> }
>
> data_meta_ptr += offset;
> data_meta_ptr -= data_size;
>
> if (data_meta_ptr + data_size > data) {
> return XDP_DROP;
> }
>
> magic_meta = *((u32 *)data);
> bpf_printk("Magic: %d\n", magic_meta);
> return XDP_PASS;
> }
>
> Unfortunately, verifier claims this code attempts to access packet with
> an offset of -2 (a constant part) and negative offset is generally forbidden.
Are you forgetting to mention:
- Have you modified the NIC driver to adjust data_meta pointer and
provide info in this area?
p.s. this is exactly what I'm also working towards[1], so I'll be happy
to collaborate. I'm missing the driver code, as link[1] is focused on
decoding BTF data_meta area in userspace for AF_XDP.
[1]
https://github.com/xdp-project/bpf-examples/tree/master/AF_XDP-interaction
> For now we have 2 solutions, one is using bpf_xdp_adjust_meta(),
> which is pretty good, but not ideal for the hot path.
> The second one is the patch at the end.
>
Are you saying, verifier cannot handle that driver changed data_meta
pointer and provided info there (without calling bpf_xdp_adjust_meta)?
> Do you see any other way of accessing memory from the end of data_meta/data?
> What do you think about both suggested solutions?
>
> Best regards,
> Larysa Zaremba
>
> ---
>
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -3576,8 +3576,11 @@ static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off,
> }
>
> err = reg->range < 0 ? -EINVAL :
> - __check_mem_access(env, regno, off, size, reg->range,
> - zero_size_allowed);
> + __check_mem_access(env, regno, off + reg->smin_value, size,
> + reg->range + reg->smin_value, zero_size_allowed);
> + err = err ? :
> + __check_mem_access(env, regno, off + reg->umax_value, size,
> + reg->range + reg->umax_value, zero_size_allowed);
> if (err) {
> verbose(env, "R%d offset is outside of the packet\n", regno);
> return err;
>
Powered by blists - more mailing lists