From mboxrd@z Thu Jan 1 00:00:00 1970 From: 'Christoph Hellwig' Subject: Re: [PATCH 03/26] bpfilter: reject kernel addresses Date: Thu, 23 Jul 2020 16:44:55 +0200 Message-ID: <20200723144455.GA12280@lst.de> References: <20200723060908.50081-1-hch@lst.de> <20200723060908.50081-4-hch@lst.de> Mime-Version: 1.0 Return-path: Content-Disposition: inline In-Reply-To: Sender: linux-hams-owner@vger.kernel.org List-ID: Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: David Laight Cc: 'Christoph Hellwig' , "David S. Miller" , Jakub Kicinski , Alexei Starovoitov , Daniel Borkmann , Alexey Kuznetsov , Hideaki YOSHIFUJI , Eric Dumazet , "linux-crypto@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "netdev@vger.kernel.org" , "bpf@vger.kernel.org" , "netfilter-devel@vger.kernel.org" , "coreteam@netfilter.org" , "linux-sctp@vger.kernel.org" , "linux-hams@vger.kernel.org" On Thu, Jul 23, 2020 at 02:42:11PM +0000, David Laight wrote: > From: Christoph Hellwig > > Sent: 23 July 2020 07:09 > > > > The bpfilter user mode helper processes the optval address using > > process_vm_readv. Don't send it kernel addresses fed under > > set_fs(KERNEL_DS) as that won't work. > > What sort of operations is the bpf filter doing on the sockopt buffers? > > Any attempts to reject some requests can be thwarted by a second > application thread modifying the buffer after the bpf filter has > checked that it allowed. > > You can't do security by reading a user buffer twice. I'm not saying that I approve of the design, but the current bpfilter design uses process_vm_readv to access the buffer, which obviously does not work with kernel buffers.