From: Daniel Borkmann <daniel-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
To: Martin KaFai Lau <kafai-b10kYP2dOMg@public.gmane.org>
Cc: cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Alexei Starovoitov <ast-b10kYP2dOMg@public.gmane.org>,
Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
kernel-team-b10kYP2dOMg@public.gmane.org
Subject: Re: [PATCH net-next v2 3/4] cgroup: bpf: Add bpf_skb_in_cgroup_proto
Date: Thu, 23 Jun 2016 22:07:27 +0200 [thread overview]
Message-ID: <576C417F.6000301@iogearbox.net> (raw)
In-Reply-To: <20160623165449.GC82305-ik1955jzaFFGY1KPJGhogQ@public.gmane.org>
On 06/23/2016 06:54 PM, Martin KaFai Lau wrote:
> On Thu, Jun 23, 2016 at 11:53:50AM +0200, Daniel Borkmann wrote:
>>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>>> index 668e079..68753e0 100644
>>> --- a/kernel/bpf/verifier.c
>>> +++ b/kernel/bpf/verifier.c
>>> @@ -1062,6 +1062,10 @@ static int check_map_func_compatibility(struct bpf_map *map, int func_id)
>>> if (func_id != BPF_FUNC_get_stackid)
>>> goto error;
>>> break;
>>> + case BPF_MAP_TYPE_CGROUP_ARRAY:
>>> + if (func_id != BPF_FUNC_skb_in_cgroup)
>>> + goto error;
>>> + break;
>>
>> I think the BPF_MAP_TYPE_CGROUP_ARRAY case should have been fist here in
>> patch 2/4, but with unconditional goto error. And this one only adds the
>> 'func_id != BPF_FUNC_skb_in_cgroup' test.
> I am not sure I understand. Can you elaborate? I am probably missing
> something here.
If someone backports patch 2/4 as-is, but for some reason not 3/4, then you
could craft a program that calls f.e. bpf_map_update_elem() on a cgroup array
and would thus cause a NULL pointer deref, since verifier doesn't prevent it.
I'm just trying to say that it would probably make sense to add the above 'case
BPF_MAP_TYPE_CGROUP_ARRAY:' with an unconditional 'goto error' in patch 2/4
and extend upon it in patch 3/4 so result looks like here, so that the patches
are fine/complete each as stand-alone.
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Borkmann <daniel@iogearbox.net>
To: Martin KaFai Lau <kafai@fb.com>
Cc: cgroups@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, Alexei Starovoitov <ast@fb.com>,
Tejun Heo <tj@kernel.org>,
kernel-team@fb.com
Subject: Re: [PATCH net-next v2 3/4] cgroup: bpf: Add bpf_skb_in_cgroup_proto
Date: Thu, 23 Jun 2016 22:07:27 +0200 [thread overview]
Message-ID: <576C417F.6000301@iogearbox.net> (raw)
In-Reply-To: <20160623165449.GC82305@kafai-mba.local>
On 06/23/2016 06:54 PM, Martin KaFai Lau wrote:
> On Thu, Jun 23, 2016 at 11:53:50AM +0200, Daniel Borkmann wrote:
>>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>>> index 668e079..68753e0 100644
>>> --- a/kernel/bpf/verifier.c
>>> +++ b/kernel/bpf/verifier.c
>>> @@ -1062,6 +1062,10 @@ static int check_map_func_compatibility(struct bpf_map *map, int func_id)
>>> if (func_id != BPF_FUNC_get_stackid)
>>> goto error;
>>> break;
>>> + case BPF_MAP_TYPE_CGROUP_ARRAY:
>>> + if (func_id != BPF_FUNC_skb_in_cgroup)
>>> + goto error;
>>> + break;
>>
>> I think the BPF_MAP_TYPE_CGROUP_ARRAY case should have been fist here in
>> patch 2/4, but with unconditional goto error. And this one only adds the
>> 'func_id != BPF_FUNC_skb_in_cgroup' test.
> I am not sure I understand. Can you elaborate? I am probably missing
> something here.
If someone backports patch 2/4 as-is, but for some reason not 3/4, then you
could craft a program that calls f.e. bpf_map_update_elem() on a cgroup array
and would thus cause a NULL pointer deref, since verifier doesn't prevent it.
I'm just trying to say that it would probably make sense to add the above 'case
BPF_MAP_TYPE_CGROUP_ARRAY:' with an unconditional 'goto error' in patch 2/4
and extend upon it in patch 3/4 so result looks like here, so that the patches
are fine/complete each as stand-alone.
next prev parent reply other threads:[~2016-06-23 20:07 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-22 21:17 [PATCH net-next v2 0/4] cgroup: bpf: cgroup2 membership test on skb Martin KaFai Lau
2016-06-22 21:17 ` Martin KaFai Lau
2016-06-22 21:17 ` [PATCH net-next v2 1/4] cgroup: Add cgroup_get_from_fd Martin KaFai Lau
2016-06-22 21:17 ` Martin KaFai Lau
2016-06-23 21:11 ` Tejun Heo
[not found] ` <1466630252-3822277-1-git-send-email-kafai-b10kYP2dOMg@public.gmane.org>
2016-06-22 21:17 ` [PATCH net-next v2 2/4] cgroup: bpf: Add BPF_MAP_TYPE_CGROUP_ARRAY Martin KaFai Lau
2016-06-22 21:17 ` Martin KaFai Lau
2016-06-22 21:17 ` Martin KaFai Lau
[not found] ` <1466630252-3822277-3-git-send-email-kafai-b10kYP2dOMg@public.gmane.org>
2016-06-23 9:42 ` Daniel Borkmann
2016-06-23 9:42 ` Daniel Borkmann
[not found] ` <576BAF07.4020302-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
2016-06-23 21:13 ` Tejun Heo
2016-06-23 21:13 ` Tejun Heo
[not found] ` <20160623211326.GK3262-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2016-06-23 21:33 ` Daniel Borkmann
2016-06-23 21:33 ` Daniel Borkmann
2016-06-23 21:26 ` Martin KaFai Lau
2016-06-23 21:26 ` Martin KaFai Lau
2016-06-23 21:50 ` Daniel Borkmann
2016-06-23 22:10 ` Martin KaFai Lau
2016-06-23 22:10 ` Martin KaFai Lau
2016-06-22 21:17 ` [PATCH net-next v2 3/4] cgroup: bpf: Add bpf_skb_in_cgroup_proto Martin KaFai Lau
2016-06-22 21:17 ` Martin KaFai Lau
2016-06-22 21:17 ` Martin KaFai Lau
[not found] ` <1466630252-3822277-4-git-send-email-kafai-b10kYP2dOMg@public.gmane.org>
2016-06-23 9:53 ` Daniel Borkmann
2016-06-23 9:53 ` Daniel Borkmann
[not found] ` <576BB1AE.5080605-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
2016-06-23 16:54 ` Martin KaFai Lau
2016-06-23 16:54 ` Martin KaFai Lau
2016-06-23 16:54 ` Martin KaFai Lau
[not found] ` <20160623165449.GC82305-ik1955jzaFFGY1KPJGhogQ@public.gmane.org>
2016-06-23 20:07 ` Daniel Borkmann [this message]
2016-06-23 20:07 ` Daniel Borkmann
2016-06-23 21:41 ` Martin KaFai Lau
2016-06-23 21:41 ` Martin KaFai Lau
2016-06-29 14:36 ` kbuild test robot
2016-06-29 14:36 ` kbuild test robot
2016-06-22 21:17 ` [PATCH net-next v2 4/4] cgroup: bpf: Add an example to do cgroup checking in BPF Martin KaFai Lau
2016-06-22 21:17 ` Martin KaFai Lau
2016-06-22 21:17 ` Martin KaFai Lau
[not found] ` <1466630252-3822277-5-git-send-email-kafai-b10kYP2dOMg@public.gmane.org>
2016-06-23 9:58 ` Daniel Borkmann
2016-06-23 9:58 ` Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=576C417F.6000301@iogearbox.net \
--to=daniel-fec+5ew28dpmcu3hniyyjq@public.gmane.org \
--cc=ast-b10kYP2dOMg@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=kafai-b10kYP2dOMg@public.gmane.org \
--cc=kernel-team-b10kYP2dOMg@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.