lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <85d41eee-d912-3203-9291-a52326e7c162@iogearbox.net>
Date: Wed, 21 Jun 2023 23:53:48 +0200
From: Daniel Borkmann <daniel@...earbox.net>
To: Gilad Sever <gilad9366@...il.com>, dsahern@...nel.org,
 martin.lau@...ux.dev, john.fastabend@...il.com, ast@...nel.org,
 andrii@...nel.org, song@...nel.org, yhs@...com, kpsingh@...nel.org,
 sdf@...gle.com, haoluo@...gle.com, jolsa@...nel.org, davem@...emloft.net,
 edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, mykolal@...com,
 shuah@...nel.org, hawk@...nel.org, joe@...d.net.nz
Cc: eyal.birger@...il.com, shmulik.ladkani@...il.com, bpf@...r.kernel.org,
 netdev@...r.kernel.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH bpf,v6 3/4] bpf: fix bpf socket lookup from tc/xdp to
 respect socket VRF bindings

On 6/21/23 12:42 PM, Gilad Sever wrote:
> When calling bpf_sk_lookup_tcp(), bpf_sk_lookup_udp() or
> bpf_skc_lookup_tcp() from tc/xdp ingress, VRF socket bindings aren't
> respoected, i.e. unbound sockets are returned, and bound sockets aren't
> found.
> 
> VRF binding is determined by the sdif argument to sk_lookup(), however
> when called from tc the IP SKB control block isn't initialized and thus
> inet{,6}_sdif() always returns 0.
> 
> Fix by calculating sdif for the tc/xdp flows by observing the device's
> l3 enslaved state.
> 
> The cg/sk_skb hooking points which are expected to support
> inet{,6}_sdif() pass sdif=-1 which makes __bpf_skc_lookup() use the
> existing logic.
> 
> Fixes: 6acc9b432e67 ("bpf: Add helper to retrieve socket in BPF")
> Acked-by: Stanislav Fomichev <sdf@...gle.com>
> Reviewed-by: Shmulik Ladkani <shmulik.ladkani@...il.com>
> Reviewed-by: Eyal Birger <eyal.birger@...il.com>
> Signed-off-by: Gilad Sever <gilad9366@...il.com>
[...]
>   static const struct bpf_func_proto bpf_tc_sk_lookup_tcp_proto = {
> @@ -6776,12 +6788,17 @@ static const struct bpf_func_proto bpf_tc_sk_lookup_tcp_proto = {
>   BPF_CALL_5(bpf_tc_sk_lookup_udp, struct sk_buff *, skb,
>   	   struct bpf_sock_tuple *, tuple, u32, len, u64, netns_id, u64, flags)
>   {
> -	struct net *caller_net = dev_net(skb->dev);
> -	int ifindex = skb->dev->ifindex;
> +	struct net_device *dev = skb->dev;
> +	struct net *caller_net;
> +	int ifindex, sdif;
> +
> +	caller_net = dev_net(dev);
> +	ifindex = dev->ifindex;
> +	sdif = dev_sdif(dev);
>   
>   	return (unsigned long)__bpf_sk_lookup(skb, tuple, len, caller_net,
>   					      ifindex, IPPROTO_UDP, netns_id,
> -					      flags);
> +					      flags, sdif);
>   }

Applied, thanks! Btw, the above looks now way uglier than before, so I fixed this
up wrt how it should have looked like for the submission:

https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=9a5cb79762e0eda17ca15c2a6eaca4622383c21c

Thanks,
Daniel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ