From: Kees Cook <keescook@chromium.org>
To: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
Cc: Alexei Starovoitov <ast@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>, Mykola Lysenko <mykolal@fb.com>,
Shuah Khan <shuah@kernel.org>, Haowen Bai <baihaowen@meizu.com>,
bpf@vger.kernel.org, linux-kselftest@vger.kernel.org,
Yonghong Song <yonghong.song@linux.dev>,
Anton Protopopov <aspsk@isovalent.com>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array
Date: Fri, 16 Feb 2024 19:03:18 -0800 [thread overview]
Message-ID: <202402161902.FCFFEC322@keescook> (raw)
In-Reply-To: <e58d035c-fb74-4d29-94d5-6c22542e7513@embeddedor.com>
On Fri, Feb 16, 2024 at 06:27:08PM -0600, Gustavo A. R. Silva wrote:
>
>
> On 2/16/24 17:55, Kees Cook wrote:
> > Replace deprecated 0-length array in struct bpf_lpm_trie_key with
> > flexible array. Found with GCC 13:
> >
> > ../kernel/bpf/lpm_trie.c:207:51: warning: array subscript i is outside array bounds of 'const __u8[0]' {aka 'const unsigned char[]'} [-Warray-bounds=]
> > 207 | *(__be16 *)&key->data[i]);
> > | ^~~~~~~~~~~~~
> > ../include/uapi/linux/swab.h:102:54: note: in definition of macro '__swab16'
> > 102 | #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
> > | ^
> > ../include/linux/byteorder/generic.h:97:21: note: in expansion of macro '__be16_to_cpu'
> > 97 | #define be16_to_cpu __be16_to_cpu
> > | ^~~~~~~~~~~~~
> > ../kernel/bpf/lpm_trie.c:206:28: note: in expansion of macro 'be16_to_cpu'
> > 206 | u16 diff = be16_to_cpu(*(__be16 *)&node->data[i]
> > ^
> > | ^~~~~~~~~~~
> > In file included from ../include/linux/bpf.h:7:
> > ../include/uapi/linux/bpf.h:82:17: note: while referencing 'data'
> > 82 | __u8 data[0]; /* Arbitrary size */
> > | ^~~~
> >
> > And found at run-time under CONFIG_FORTIFY_SOURCE:
> >
> > UBSAN: array-index-out-of-bounds in kernel/bpf/lpm_trie.c:218:49
> > index 0 is out of range for type '__u8 [*]'
> >
> > This includes fixing the selftest which was incorrectly using a
> > variable length struct as a header, identified earlier[1]. Avoid this
> > by just explicitly including the prefixlen member instead of struct
> > bpf_lpm_trie_key.
> >
> > Note that it is not possible to simply remove the "data" member, as it
> > is referenced by userspace
> >
> > cilium:
> > struct egress_gw_policy_key in_key = {
> > .lpm_key = { 32 + 24, {} },
> > .saddr = CLIENT_IP,
> > .daddr = EXTERNAL_SVC_IP & 0Xffffff,
> > };
> >
> > systemd:
> > ipv6_map_fd = bpf_map_new(
> > BPF_MAP_TYPE_LPM_TRIE,
> > offsetof(struct bpf_lpm_trie_key, data) + sizeof(uint32_t)*4,
> > sizeof(uint64_t),
> > ...
> >
> > The only risk to UAPI would be if sizeof() were used directly on the
> > data member, which it does not seem to be. It is only used as a static
> > initializer destination and to find its location via offsetof().
> >
> > Link: https://lore.kernel.org/all/202206281009.4332AA33@keescook/ [1]
> > Reported-by: Mark Rutland <mark.rutland@arm.com>
> > Closes: https://paste.debian.net/hidden/ca500597/
>
> mmh... this URL expires: 2024-05-15
Yup, but that's why I included the run-time splat above too. :)
--
Kees Cook
next prev parent reply other threads:[~2024-02-17 3:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-16 23:55 [PATCH v2] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array Kees Cook
2024-02-17 0:27 ` Gustavo A. R. Silva
2024-02-17 3:03 ` Kees Cook [this message]
2024-02-19 17:48 ` Daniel Borkmann
2024-02-19 19:48 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202402161902.FCFFEC322@keescook \
--to=keescook@chromium.org \
--cc=andrii@kernel.org \
--cc=aspsk@isovalent.com \
--cc=ast@kernel.org \
--cc=baihaowen@meizu.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=gustavo@embeddedor.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=martin.lau@linux.dev \
--cc=mykolal@fb.com \
--cc=sdf@google.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=yhs@fb.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.