Date: Tue, 16 Jan 2024 17:55:12 -0800
From: Martin KaFai Lau <martin.lau@...ux.dev>
To: Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: Kuniyuki Iwashima <kuni1840@...il.com>, bpf@...r.kernel.org,
 netdev@...r.kernel.org, Eric Dumazet <edumazet@...gle.com>,
 Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>,
 Andrii Nakryiko <andrii@...nel.org>, Paolo Abeni <pabeni@...hat.com>
Subject: Re: [PATCH v8 bpf-next 5/6] bpf: tcp: Support arbitrary SYN Cookie.

On 1/15/24 12:55 PM, Kuniyuki Iwashima wrote:
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 8c9f67c81e22..647d04171b7e 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -11837,6 +11837,106 @@ __bpf_kfunc int bpf_sock_addr_set_sun_path(struct bpf_sock_addr_kern *sa_kern,
>   
>   	return 0;
>   }
> +
> +__bpf_kfunc int bpf_sk_assign_tcp_reqsk(struct sk_buff *skb, struct sock *sk,
> +					struct bpf_tcp_req_attrs *attrs, int attrs__sz)
> +{
> +#if IS_ENABLED(CONFIG_SYN_COOKIES)
> +	const struct request_sock_ops *ops;
> +	struct inet_request_sock *ireq;
> +	struct tcp_request_sock *treq;
> +	struct request_sock *req;
> +	struct net *net;
> +	__u16 min_mss;
> +	u32 tsoff = 0;
> +
> +	if (attrs__sz != sizeof(*attrs) ||
> +	    attrs->reserved[0] || attrs->reserved[1] || attrs->reserved[2])
> +		return -EINVAL;
> +
> +	if (!sk)

I removed this "!sk" check, the verifier will check for it,

and ...

> +BTF_SET8_START(bpf_kfunc_check_set_tcp_reqsk)
> +BTF_ID_FLAGS(func, bpf_sk_assign_tcp_reqsk)

... limited it to KF_TRUSTED_ARGS. The arg "sk" must be from "bpf_sk*_lookup_*" 
or from "bpf_map_lookup_elem(&sock_map,...)". Both of them have 
"reg->ref_obj_id" (i.e. the verifier tracks the refcnt acquire/release) and it 
is as good as a trusted ptr.

The above are some final details I noticed. Applied. Thanks.

> +BTF_SET8_END(bpf_kfunc_check_set_tcp_reqsk)
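
Review bot: the reserved-field test at the top of bpf_sk_assign_tcp_reqsk() names attrs->reserved[0], reserved[1] and reserved[2] one by one, so it has to be kept in step with the array in struct bpf_tcp_req_attrs by hand. If a reserved byte is later added or turned into a real field, the check can go stale without any build error, and a program could then pass non-zero bytes that a later kernel interprets. Consider memchr_inv() over the whole array, or a loop bounded by ARRAY_SIZE(attrs->reserved), so the check follows the struct layout. The function also has no comment stating that -EINVAL covers both the attrs__sz mismatch and non-zero reserved bytes; a short comment above the kfunc would help BPF program authors tell the two apart.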

