From: Daniel Borkmann <daniel@iogearbox.net>
To: Alexei Starovoitov <ast@plumgrid.com>,
	"David S. Miller" <davem@davemloft.net>
Cc: Andy Lutomirski <luto@amacapital.net>,
	Ingo Molnar <mingo@kernel.org>,
	Hannes Frederic Sowa <hannes@stressinduktion.org>,
	Eric Dumazet <edumazet@google.com>,
	Kees Cook <keescook@chromium.org>,
	netdev@vger.kernel.org
Subject: Re: [PATCH net-next] bpf: fix cb access in socket filter programs
Date: Wed, 07 Oct 2015 11:39:26 +0200
Message-ID: <5614E84E.2010806@iogearbox.net>
In-Reply-To: <1444184292-17500-1-git-send-email-ast@plumgrid.com>

On 10/07/2015 04:18 AM, Alexei Starovoitov wrote:
> eBPF socket filter programs may see junk in 'u32 cb[5]' area,
> since it could have been used by protocol layers earlier.
>
> On the receive path the af_packet sees clean skb->cb.
> On the xmit the dev_queue_xmit_nit() delivers cloned skb, so we can
> conditionally clean 20 bytes of skb->cb that could be used by the program.

Having slept over this one night, I think this assumption is not
always correct :/, more below ...

> For programs attached to TCP/UDP sockets we need to save/restore
> these 20 bytes, since it's used by protocol layers.
...
> +static inline u32 bpf_prog_run_save_cb(const struct bpf_prog *prog,
> +				       struct sk_buff *skb)
> +{
> +	u8 *cb_data = qdisc_skb_cb(skb)->data;
> +	u8 saved_cb[QDISC_CB_PRIV_LEN];
> +	u32 res;
> +
> +	BUILD_BUG_ON(FIELD_SIZEOF(struct __sk_buff, cb) !=
> +		     QDISC_CB_PRIV_LEN);
> +
> +	if (unlikely(prog->cb_access)) {
> +		memcpy(saved_cb, cb_data, sizeof(saved_cb));
> +		memset(cb_data, 0, sizeof(saved_cb));
> +	}
> +
> +	res = BPF_PROG_RUN(prog, skb);
> +
> +	if (unlikely(prog->cb_access))
> +		memcpy(cb_data, saved_cb, sizeof(saved_cb));
> +
> +	return res;
> +}
> +
> +static inline u32 bpf_prog_run_clear_cb(const struct bpf_prog *prog,
> +					struct sk_buff *skb)
> +{
> +	u8 *cb_data = qdisc_skb_cb(skb)->data;
> +
> +	if (unlikely(prog->cb_access) && skb->pkt_type == PACKET_OUTGOING)
> +		memset(cb_data, 0, QDISC_CB_PRIV_LEN);
> +	return BPF_PROG_RUN(prog, skb);
> +}
> +
>   static inline unsigned int bpf_prog_size(unsigned int proglen)
>   {
>   	return max(sizeof(struct bpf_prog),
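Review bot: the `skb->pkt_type == PACKET_OUTGOING` gate in bpf_prog_run_clear_cb() means that a cb_access program reached with any other pkt_type runs over whatever earlier layers left in cb_data, so the function only clears in one of the cases its name promises; either drop the pkt_type condition so `memset(cb_data, 0, QDISC_CB_PRIV_LEN)` runs whenever `prog->cb_access` is set, or add a comment at the memset stating why the non-outgoing path is guaranteed to arrive with a clean cb. A one-line comment above bpf_prog_run_save_cb() explaining that the save/restore exists because TCP/UDP layers still need those 20 bytes after the program runs would also help readers who only see the helper.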

bpf_prog_run_clear_cb() wouldn't work on dev_forward_skb() as
skb->pkt_type is then being scrubbed to PACKET_HOST, so on the
receive path, AF_PACKET might not always see clean skb->cb[]
as assumed ... I think that the skb->pkt_type part needs to be
dropped, no?

Thanks,
Daniel
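
A small user-space model of the save/clear/restore pattern from the quoted patch, added here as an illustration; it is not kernel code and not part of this thread. `struct toy_skb`, `toy_prog_run()`, `run_save_cb()`, `run_clear_cb()` and the `scenario_*` functions are constructed stand-ins for `sk_buff`, `BPF_PROG_RUN`, `bpf_prog_run_save_cb()`, `bpf_prog_run_clear_cb()` and the call sites; the `outgoing` flag plays the role of `skb->pkt_type == PACKET_OUTGOING`, and the 0x11 fill is constructed "protocol layer" state.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors QDISC_CB_PRIV_LEN / sizeof(struct __sk_buff.cb) from the patch. */
#define CB_PRIV_LEN 20

/* Constructed stand-in for sk_buff: only the control block and a flag
 * modelling skb->pkt_type == PACKET_OUTGOING matter here. */
struct toy_skb {
	uint8_t cb[48];
	int outgoing;
};

/* Stand-in for BPF_PROG_RUN: the "program" sums the bytes it can see in
 * its 20-byte scratch area (so stale data shows up as a nonzero result)
 * and then scribbles into cb[0], as a real program may write cb[]. */
static uint32_t toy_prog_run(struct toy_skb *skb)
{
	uint32_t seen = 0;

	for (int i = 0; i < CB_PRIV_LEN; i++)
		seen += skb->cb[i];
	skb->cb[0] = 0xAA;
	return seen;
}

/* Model of bpf_prog_run_save_cb(): save, zero, run, restore. */
static uint32_t run_save_cb(struct toy_skb *skb, int cb_access)
{
	uint8_t saved[CB_PRIV_LEN];
	uint32_t res;

	if (cb_access) {
		memcpy(saved, skb->cb, sizeof(saved));
		memset(skb->cb, 0, sizeof(saved));
	}
	res = toy_prog_run(skb);
	if (cb_access)
		memcpy(skb->cb, saved, sizeof(saved));
	return res;
}

/* Model of bpf_prog_run_clear_cb(): clear only on the outgoing path. */
static uint32_t run_clear_cb(struct toy_skb *skb, int cb_access)
{
	if (cb_access && skb->outgoing)
		memset(skb->cb, 0, CB_PRIV_LEN);
	return toy_prog_run(skb);
}

/* Fill a fresh skb with constructed protocol-layer state (0x11 bytes). */
static void make_dirty_skb(struct toy_skb *skb, int outgoing)
{
	memset(skb, 0, sizeof(*skb));
	memset(skb->cb, 0x11, CB_PRIV_LEN);
	skb->outgoing = outgoing;
}

/* 1. Save/restore: the program sees only zeros and the protocol layer's
 *    bytes survive the program's write. Returns 1 if both hold. */
static int scenario_save_restore(void)
{
	struct toy_skb skb;
	int restored = 1;

	make_dirty_skb(&skb, 0);
	uint32_t seen = run_save_cb(&skb, 1);
	for (int i = 0; i < CB_PRIV_LEN; i++)
		if (skb.cb[i] != 0x11)
			restored = 0;
	return seen == 0 && restored;
}

/* 2. cb_access not set: nothing is touched, so the program reads the
 *    stale bytes. Returns the sum the program saw (20 * 0x11 = 340). */
static uint32_t scenario_no_clear(void)
{
	struct toy_skb skb;

	make_dirty_skb(&skb, 0);
	return run_save_cb(&skb, 0);
}

/* 3. clear_cb path: an outgoing skb is scrubbed (result 0), but one whose
 *    pkt_type no longer says outgoing is not (result 340), which is the
 *    gap the reply above describes. */
static uint32_t scenario_clear_cb(int outgoing)
{
	struct toy_skb skb;

	make_dirty_skb(&skb, outgoing);
	return run_clear_cb(&skb, 1);
}

int main(void)
{
	printf("save/restore ok: %d\n", scenario_save_restore());
	printf("no clear, program saw: %u\n", scenario_no_clear());
	printf("clear_cb outgoing, program saw: %u\n", scenario_clear_cb(1));
	printf("clear_cb not outgoing, program saw: %u\n", scenario_clear_cb(0));
	return 0;
}
```

Scenario 3 is the point of the reply: the clear in the patch is keyed on pkt_type, so any path that rewrites pkt_type before the filter runs leaves the earlier layer's bytes visible to the program.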

Thread overview: 4+ messages
2015-10-07  2:18 [PATCH net-next] bpf: fix cb access in socket filter programs Alexei Starovoitov
2015-10-07  9:39 ` Daniel Borkmann [this message]
2015-10-07 13:09   ` Daniel Borkmann
2015-10-07 16:53     ` Alexei Starovoitov
