From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752349AbbJFHN4 (ORCPT ); Tue, 6 Oct 2015 03:13:56 -0400 Received: from mail-wi0-f178.google.com ([209.85.212.178]:37367 "EHLO mail-wi0-f178.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752099AbbJFHNw (ORCPT ); Tue, 6 Oct 2015 03:13:52 -0400 Date: Tue, 6 Oct 2015 09:13:47 +0200 From: Ingo Molnar To: Alexei Starovoitov Cc: Daniel Borkmann , "David S. Miller" , Andy Lutomirski , Hannes Frederic Sowa , Eric Dumazet , Kees Cook , linux-api@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH net-next 1/2] bpf: enable non-root eBPF programs Message-ID: <20151006071347.GB14093@gmail.com> References: <1444078101-29060-1-git-send-email-ast@plumgrid.com> <1444078101-29060-2-git-send-email-ast@plumgrid.com> <5612F639.2050305@iogearbox.net> <56131B1F.80002@plumgrid.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <56131B1F.80002@plumgrid.com> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org * Alexei Starovoitov wrote: > On 10/5/15 3:14 PM, Daniel Borkmann wrote: > >One scenario that comes to mind ... what happens when there are kernel > >pointers stored in skb->cb[] (either from the current layer or an old > >one from a different layer that the skb went through previously, but > >which did not get overwritten)? > > > >Socket filters could read a portion of skb->cb[] also when unprived and > >leak that out through maps. I think the verifier doesn't catch that, > >right? > > grrr. indeed. previous layer before sk_filter() can leave junk in there. Could this be solved by activating zeroing/sanitizing of this data if there's an active BPF function around that can access that socket? Thanks, Ingo