Message-ID: <CAADnVQ+JzFM0D9aknYqPYL7TSvVPQ7cV9iYF7pYyf75hRokLmw@mail.gmail.com>
Date: Tue, 20 May 2025 13:03:16 -0700
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: Amery Hung <ameryhung@...il.com>
Cc: bpf <bpf@...r.kernel.org>, Network Development <netdev@...r.kernel.org>, 
	Andrii Nakryiko <andrii@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Tejun Heo <tj@...nel.org>, 
	Kumar Kartikeya Dwivedi <memxor@...il.com>, Martin KaFai Lau <martin.lau@...nel.org>, 
	Kernel Team <kernel-team@...a.com>
Subject: Re: [PATCH bpf-next v4 1/3] selftests/bpf: Introduce task local data

On Tue, May 20, 2025 at 12:37 AM Amery Hung <ameryhung@...il.com> wrote:
>
> > Then something like:
> > #define tld_get_data(tld_obj, key) \
> >  ({ \
> >     void * data = tld_obj->data_map->data; \
> >     if (data) \
> >          data += tld_obj->key_map->key.off & (PAGE_SIZE - 1); \
> >     data; \
> >   })
> >
> > size is really not needed. The verifier sees it as one page.
> > Bad bpf prog can write into the wrong key and the verifier cannot stop it.
> >
>
> key.off is a variable offset, so the verifier may assume key.off ==
> PAGE_SIZE - 1. If a bpf program tries to dereference a pointer
> returned by the proposed tld_get_data() as an int * without bound
> check, the verifier will still consider this a potential out-of-bound
> access:
>
> invalid access to memory, mem_size=4096 off=4095 size=4
>
> I think if there needs to be a bound check anyways, hiding it in
> tld_get_data() makes the user-written part less complex.

I see. Yeah, the off < TLD_DATA_SIZE - size check cannot be removed.
I was hoping to save an extra branch. Oh well.
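
An added illustration, not part of the original message or the patch: a simplified userspace model of the worst-case range reasoning discussed above, showing why masking with PAGE_SIZE - 1 alone still fails for a 4-byte access while the off < TLD_DATA_SIZE - size check passes. TLD_DATA_SIZE = 4096 and the names range_ok, max_off_masked, max_off_checked and tld_get_data_checked are assumptions made for this example; this is not the kernel verifier's code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLD_DATA_SIZE 4096u /* assumed: one page, matching mem_size=4096 */

/* Model of a worst-case bound check: accept an access only if the largest
 * offset the variable may hold, plus the access size, fits in the region. */
static int range_ok(uint32_t max_off, uint32_t size, uint32_t mem_size)
{
    return size != 0 && size <= mem_size && max_off <= mem_size - size;
}

/* Largest offset still possible after "off & (PAGE_SIZE - 1)" alone. */
static uint32_t max_off_masked(void)
{
    return TLD_DATA_SIZE - 1;
}

/* Largest offset still possible after the branch
 * "off < TLD_DATA_SIZE - size". Requires 0 < size < TLD_DATA_SIZE. */
static uint32_t max_off_checked(uint32_t size)
{
    return TLD_DATA_SIZE - size - 1;
}

/* Hypothetical stand-in for a tld_get_data() that hides the bound check:
 * returns NULL unless off passes "off < TLD_DATA_SIZE - size". */
static void *tld_get_data_checked(void *data, uint32_t off, uint32_t size)
{
    if (!data || size == 0 || size >= TLD_DATA_SIZE)
        return NULL;
    if (off >= TLD_DATA_SIZE - size)
        return NULL;
    return (unsigned char *)data + off;
}

int main(void)
{
    static unsigned char page[TLD_DATA_SIZE]; /* constructed sample region */

    printf("mask only, int access:  %s\n",
           range_ok(max_off_masked(), 4, TLD_DATA_SIZE) ? "ok" : "rejected");
    printf("with check, int access: %s\n",
           range_ok(max_off_checked(4), 4, TLD_DATA_SIZE) ? "ok" : "rejected");
    printf("off=4095 size=4 -> %p\n", tld_get_data_checked(page, 4095, 4));
    return 0;
}
```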
