From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alexei Starovoitov
Subject: Re: [PATCH net-next 1/2] bpf: enable non-root eBPF programs
Date: Mon, 5 Oct 2015 17:51:43 -0700
Message-ID: <56131B1F.80002@plumgrid.com>
References: <1444078101-29060-1-git-send-email-ast@plumgrid.com> <1444078101-29060-2-git-send-email-ast@plumgrid.com> <5612F639.2050305@iogearbox.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <5612F639.2050305-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
Sender: linux-api-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
To: Daniel Borkmann , "David S. Miller"
Cc: Andy Lutomirski , Ingo Molnar , Hannes Frederic Sowa , Eric Dumazet , Kees Cook , linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
List-Id: linux-api@vger.kernel.org

On 10/5/15 3:14 PM, Daniel Borkmann wrote:
> One scenario that comes to mind ... what happens when there are kernel
> pointers stored in skb->cb[] (either from the current layer or an old
> one from a different layer that the skb went through previously, but
> which did not get overwritten)?
>
> Socket filters could read a portion of skb->cb[] also when unprived and
> leak that out through maps. I think the verifier doesn't catch that,
> right?

grrr. indeed. previous layer before sk_filter() can leave junk in there.
Would need to disable cb[0-5] for unpriv, but that will make tail_call
much harder to use, since cb[0-5] is a way to pass arguments from one
prog to another and clearing them is not an option, since it's too
expensive. Like samples/bpf/sockex3_kern.c usage of cb[0] won't work
anymore. I guess that's the price of unpriv.
Will fix this, add a few tail_call-specific tests and respin.
Please keep poking.
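The option the reply names, refusing unprivileged socket filters any access to the skb->cb[] range so that stale kernel pointers left there by an earlier layer cannot be read and leaked out through a map, modelled as an added C example. This is not code from the thread or from net/core/filter.c: the struct is a simplified stand-in for the uapi `__sk_buff` layout, and the function name and the `unprivileged` flag are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the uapi struct __sk_buff; the field list and
 * order are a model for this example, not a copy of the kernel header. */
struct model_sk_buff {
    uint32_t len;
    uint32_t pkt_type;
    uint32_t mark;
    uint32_t queue_mapping;
    uint32_t protocol;
    uint32_t priority;
    uint32_t ifindex;
    uint32_t cb[5];   /* scratch area an earlier layer may have written */
    uint32_t hash;
};

enum access_type { ACC_READ, ACC_WRITE };

/* Generic checks every context access must pass: aligned, 4 bytes wide
 * and inside the struct. */
static bool is_valid_ctx_access(int off, int size)
{
    if (off < 0 || off % 4 != 0 || size != 4)
        return false;
    return off + size <= (int)sizeof(struct model_sk_buff);
}

/* Model of the socket-filter context access check with an added
 * "unprivileged" flag (hypothetical name). cb[] may still hold data from a
 * previous layer, so an unprivileged filter is denied both reads and writes
 * of that range; a privileged one keeps read/write access for tail_call
 * argument passing. All other fields are read-only for socket filters. */
bool sk_filter_ctx_access_ok(int off, int size, enum access_type type,
                             bool unprivileged)
{
    const int cb_start = offsetof(struct model_sk_buff, cb);
    const int cb_end = cb_start + (int)sizeof(((struct model_sk_buff *)0)->cb);

    if (!is_valid_ctx_access(off, size))
        return false;
    if (off >= cb_start && off < cb_end)
        return !unprivileged;   /* cb[] is root-only in this model */
    return type == ACC_READ;
}

int main(void)
{
    int off = offsetof(struct model_sk_buff, cb);
    printf("unpriv read of cb[0]: %s\n",
           sk_filter_ctx_access_ok(off, 4, ACC_READ, true) ? "ok" : "rejected");
    return 0;
}
```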