From: Lawrence Brakmo <brakmo@fb.com>
To: netdev <netdev@vger.kernel.org>
Cc: Kernel Team <kernel-team@fb.com>, Blake Matheny <bmatheny@fb.com>,
	Alexei Starovoitov <ast@fb.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	Neal Cardwell <ncardwell@google.com>,
	Yuchung Cheng <ycheng@google.com>
Subject: [PATCH bpf-next v8 04/12] bpf: Only reply field should be writeable
Date: Tue, 23 Jan 2018 23:57:54 -0800
Message-ID: <20180124075802.1522053-5-brakmo@fb.com>
In-Reply-To: <20180124075802.1522053-1-brakmo@fb.com>

Currently, a sock_ops BPF program can write the op field and all the
reply fields (reply and replylong). This is a bug. The op field should
not have been writeable and there is currently no way to use the replylong
field for indices >= 1. This patch enforces that only the reply field
(which equals replylong[0]) is writeable.

Fixes: 40304b2a1567 ("bpf: BPF support for sock_ops")
Signed-off-by: Lawrence Brakmo <brakmo@fb.com>
---
 net/core/filter.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 0cf170f..c356ec0 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3845,8 +3845,7 @@ static bool sock_ops_is_valid_access(int off, int size,
 {
 	if (type == BPF_WRITE) {
 		switch (off) {
-		case offsetof(struct bpf_sock_ops, op) ...
-		     offsetof(struct bpf_sock_ops, replylong[3]):
+		case offsetof(struct bpf_sock_ops, reply):
 			break;
 		default:
 			return false;
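
Review bot: The new `case offsetof(struct bpf_sock_ops, reply):` in the `BPF_WRITE` switch matches on `off` alone, and nothing in the visible lines constrains `size`, which the function also receives. Please confirm that a later check in sock_ops_is_valid_access() rejects a store at this offset that is wider than the reply field. If it does not, a wider write starting at reply would still reach the replylong[1] bytes that this change is meant to make read-only. It would also help to put a short comment on the case noting that reply aliases replylong[0], since that is stated only in the commit message and the code no longer mentions replylong at all.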
-- 
2.9.5
