From: Paul Chaignon <paul.chaignon@gmail.com>
To: Eduard Zingerman <eddyz87@gmail.com>
Cc: bpf@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
John Fastabend <john.fastabend@gmail.com>
Subject: Re: [PATCH bpf-next 1/2] bpf: Reject narrower access to pointer ctx fields
Date: Tue, 22 Jul 2025 16:44:33 +0200 [thread overview]
Message-ID: <aH-j0VZcsdEtnr0S@mail.gmail.com> (raw)
In-Reply-To: <ee25ac4771732bb09513e48fb2bc86614d3fd045.camel@gmail.com>
On Mon, Jul 21, 2025 at 05:08:05PM -0700, Eduard Zingerman wrote:
> On Mon, 2025-07-21 at 14:57 +0200, Paul Chaignon wrote:
Thanks for the review!
[...]
> > @@ -9318,17 +9318,17 @@ static bool sock_ops_is_valid_access(int off, int size,
> > if (size != sizeof(__u64))
> > return false;
> > break;
> > - case offsetof(struct bpf_sock_ops, sk):
> > + case bpf_ctx_range_ptr(struct bpf_sock_ops, sk):
> > if (size != sizeof(__u64))
> > return false;
> > info->reg_type = PTR_TO_SOCKET_OR_NULL;
> > break;
> > - case offsetof(struct bpf_sock_ops, skb_data):
> > + case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data):
> > if (size != sizeof(__u64))
> > return false;
> > info->reg_type = PTR_TO_PACKET;
> > break;
> > - case offsetof(struct bpf_sock_ops, skb_data_end):
> > + case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data_end):
> > if (size != sizeof(__u64))
> > return false;
> > info->reg_type = PTR_TO_PACKET_END;
>
> I think this function is buggy for `skb_hwtstamp` as well.
> The skb_hwtstamp field is u64, side_default is sizeof(u32).
> So access at `offsetof(struct bpf_sock_ops, skb_hwtstamp) + 4` would
> be permitted by the default branch. But this range is not handled by
> accompanying sock_ops_convert_ctx_access().
Nice catch, thanks! It's fixed and tested in the v2.
>
>
> > @@ -9417,7 +9417,7 @@ static bool sk_msg_is_valid_access(int off, int size,
> > if (size != sizeof(__u64))
> > return false;
> > break;
> > - case offsetof(struct sk_msg_md, sk):
> > + case bpf_ctx_range_ptr(struct sk_msg_md, sk):
> > if (size != sizeof(__u64))
> > return false;
> > info->reg_type = PTR_TO_SOCKET;
>
> I don't think this change is necessary, the default branch rejects
> access at any not matched offset. Otherwise `data` and `data_end`
> should be converted for uniformity.
Yes, this is not necessary; I got carried away. Per John's suggestion, I
still kept it in the v2 and converted data and data_end for consistency.
Hopefully, that'll be less confusing to future readers.
>
> > @@ -11623,7 +11623,7 @@ static bool sk_lookup_is_valid_access(int off, int size,
> > return false;
> >
> > switch (off) {
> > - case offsetof(struct bpf_sk_lookup, sk):
> > + case bpf_ctx_range_ptr(struct bpf_sk_lookup, sk):
> > info->reg_type = PTR_TO_SOCKET_OR_NULL;
> > return size == sizeof(__u64);
> >
>
> Same here, the default branch would reject access at the wrong offset already.
prev parent reply other threads:[~2025-07-22 14:44 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-21 12:57 [PATCH bpf-next 1/2] bpf: Reject narrower access to pointer ctx fields Paul Chaignon
2025-07-21 13:02 ` [PATCH bpf-next 2/2] selftests/bpf: Test invalid narrower ctx load Paul Chaignon
2025-07-22 0:11 ` Eduard Zingerman
2025-07-22 0:08 ` [PATCH bpf-next 1/2] bpf: Reject narrower access to pointer ctx fields Eduard Zingerman
2025-07-22 5:30 ` John Fastabend
2025-07-22 14:44 ` Paul Chaignon [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aH-j0VZcsdEtnr0S@mail.gmail.com \
--to=paul.chaignon@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=john.fastabend@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.