lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Apr 2022 18:27:47 +0200 From: Jesper Dangaard Brouer <jbrouer@...hat.com> To: Larysa Zaremba <larysa.zaremba@...el.com>, bpf <bpf@...r.kernel.org> Cc: brouer@...hat.com, netdev <netdev@...r.kernel.org>, Andrii Nakryiko <andrii@...nel.org>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Toke Hoiland-Jorgensen <toke@...hat.com>, Magnus Karlsson <magnus.karlsson@...el.com>, Maciej Fijalkowski <maciej.fijalkowski@...el.com>, Alexander Lobakin <alexandr.lobakin@...el.com>, "xdp-hints@...-project.net" <xdp-hints@...-project.net> Subject: Re: Accessing XDP packet memory from the end On 21/04/2022 17.56, Larysa Zaremba wrote: > Dear all, > Our team has encountered a need of accessing data_meta in a following way: > > int xdp_meta_prog(struct xdp_md *ctx) > { > void *data_meta_ptr = (void *)(long)ctx->data_meta; > void *data_end = (void *)(long)ctx->data_end; > void *data = (void *)(long)ctx->data; > u64 data_size = sizeof(u32); > u32 magic_meta; > u8 offset; > > offset = (u8)((s64)data - (s64)data_meta_ptr); I'm not sure the verifier can handle this 'offset' calc. As it cannot statically know the sized based on this statement. Maybe this is not the issue. > if (offset < data_size) { > bpf_printk("invalid offset: %ld\n", offset); > return XDP_DROP; > } > > data_meta_ptr += offset; > data_meta_ptr -= data_size; > > if (data_meta_ptr + data_size > data) { > return XDP_DROP; > } > > magic_meta = *((u32 *)data); > bpf_printk("Magic: %d\n", magic_meta); > return XDP_PASS; > } > > Unfortunately, verifier claims this code attempts to access packet with > an offset of -2 (a constant part) and negative offset is generally forbidden. Are you forgetting to mention: - Have you modified the NIC driver to adjust data_meta pointer and provide info in this area? p.s. this is exactly what I'm also working towards[1], so I'll be happy to collaborate. I'm missing the driver code, as link[1] is focused on decoding BTF data_meta area in userspace for AF_XDP. [1] https://github.com/xdp-project/bpf-examples/tree/master/AF_XDP-interaction > For now we have 2 solutions, one is using bpf_xdp_adjust_meta(), > which is pretty good, but not ideal for the hot path. > The second one is the patch at the end. > Are you saying, verifier cannot handle that driver changed data_meta pointer and provided info there (without calling bpf_xdp_adjust_meta)? > Do you see any other way of accessing memory from the end of data_meta/data? > What do you think about both suggested solutions? > > Best regards, > Larysa Zaremba > > --- > > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -3576,8 +3576,11 @@ static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off, > } > > err = reg->range < 0 ? -EINVAL : > - __check_mem_access(env, regno, off, size, reg->range, > - zero_size_allowed); > + __check_mem_access(env, regno, off + reg->smin_value, size, > + reg->range + reg->smin_value, zero_size_allowed); > + err = err ? : > + __check_mem_access(env, regno, off + reg->umax_value, size, > + reg->range + reg->umax_value, zero_size_allowed); > if (err) { > verbose(env, "R%d offset is outside of the packet\n", regno); > return err; >
Powered by blists - more mailing lists