lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAL+tcoD4PPFy1K39z_zegxfVdOVXJrZgMSaaVBEB3KvFPX=pNQ@mail.gmail.com>
Date: Wed, 5 Feb 2025 23:35:28 +0800
From: Jason Xing <kerneljasonxing@...il.com>
To: Willem de Bruijn <willemdebruijn.kernel@...il.com>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, 
	pabeni@...hat.com, dsahern@...nel.org, willemb@...gle.com, ast@...nel.org, 
	daniel@...earbox.net, andrii@...nel.org, martin.lau@...ux.dev, 
	eddyz87@...il.com, song@...nel.org, yonghong.song@...ux.dev, 
	john.fastabend@...il.com, kpsingh@...nel.org, sdf@...ichev.me, 
	haoluo@...gle.com, jolsa@...nel.org, horms@...nel.org, bpf@...r.kernel.org, 
	netdev@...r.kernel.org
Subject: Re: [PATCH bpf-next v8 03/12] bpf: stop unsafely accessing TCP fields
 in bpf callbacks

On Wed, Feb 5, 2025 at 11:24 PM Willem de Bruijn
<willemdebruijn.kernel@...il.com> wrote:
>
> Jason Xing wrote:
> > The "allow_tcp_access" flag is added to indicate that the callback
> > site has a tcp_sock locked.
> >
> > Applying the new member allow_tcp_access in the existing callbacks
> > where is_fullsock is set to 1 can stop UDP socket accessing struct
> > tcp_sock and stop TCP socket without sk lock protecting does the
> > similar thing, or else it could be catastrophe leading to panic.
> >
> > To keep it simple, instead of distinguishing between read and write
> > access, users aren't allowed all read/write access to the tcp_sock
> > through the older bpf_sock_ops ctx. The new timestamping callbacks
> > can use newer helpers to read everything from a sk (e.g. bpf_core_cast),
> > so nothing is lost.
> >
> > Signed-off-by: Jason Xing <kerneljasonxing@...il.com>
> > ---
> >  include/linux/filter.h | 5 +++++
> >  include/net/tcp.h      | 1 +
> >  net/core/filter.c      | 8 ++++----
> >  net/ipv4/tcp_input.c   | 2 ++
> >  net/ipv4/tcp_output.c  | 2 ++
> >  5 files changed, 14 insertions(+), 4 deletions(-)
> >
> > diff --git a/include/linux/filter.h b/include/linux/filter.h
> > index a3ea46281595..1569e9f31a8c 100644
> > --- a/include/linux/filter.h
> > +++ b/include/linux/filter.h
> > @@ -1508,6 +1508,11 @@ struct bpf_sock_ops_kern {
> >       void    *skb_data_end;
> >       u8      op;
> >       u8      is_fullsock;
> > +     u8      allow_tcp_access;       /* Indicate that the callback site
> > +                                      * has a tcp_sock locked. Then it
> > +                                      * would be safe to access struct
> > +                                      * tcp_sock.
> > +                                      */
>
> perhaps no need for explicit documentation if the variable name is
> self documenting: is_locked_tcp_sock

Good suggestion. I will take it :)

Thanks,
Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ