From: Eric Dumazet <eric.dumazet@gmail.com>
To: Changli Gao <xiaosuo@gmail.com>
Cc: David Miller <davem@davemloft.net>,
hagen@jauu.net, wirelesser@gmail.com, netdev@vger.kernel.org,
Dan Rosenberg <drosenberg@vsecurity.com>
Subject: Re: [PATCH net-next-2.6] filter: add a security check at install time
Date: Thu, 02 Dec 2010 10:54:53 +0100
Message-ID: <1291283693.2871.48.camel@edumazet-laptop>
In-Reply-To: <AANLkTikQOY7Nh7XOFT9wXDYpn1faVS9xH2Y-x67hiu7S@mail.gmail.com>
On Thursday, 02 December 2010 at 17:10 +0800, Changli Gao wrote:
> On Thu, Dec 2, 2010 at 5:00 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> > On Thursday, 02 December 2010 at 09:53 +0100, Eric Dumazet wrote:
> >> On Thursday, 02 December 2010 at 16:11 +0800, Changli Gao wrote:
> >>
> >> > It seems correct to me now.
> >> >
> >> > Acked-by: Changli Gao <xiaosuo@gmail.com>
> >> >
> >>
> >> Thanks for reviewing Changli.
> >>
> >> Now I am thinking about not denying the filter installation, but changing
> >> the problematic LOAD M(1) and LOADX M(1) to LOADI #0 (BPF_S_LD_IMM
> >> K=0) and LOADIX #0 (BPF_S_LDX_IMM K=0).
>
> Oops. We were wrong. The RAM of the BPF machine is initialized to 0. So
> loading from a cell in which no value was stored before is valid. So
> we can't prevent the following instructions.
>
It was not 'initialized to 0', that's the point of the previous patches.
> jeq jt jf
> jt:
> store m[0]
> jf:
> load m[0]
>
> After applying your patch, the third instruction will be replaced with
> load 0. It is wrong for the jt branch. So NACK.
>
>
But this is _exactly_ the case we want to deny (or protect)
We want to:
- Accept valid programs generated by libpcap current and future
optimizers. Show me a real sample.
A valid program doesn't mix stores/loads like you tried.
Memories are used because of the limited instruction and register (A, X)
set.
- Make sure a malicious or stupid or buggy program doesn't read garbage
from the stack.
After optimizer, your program should read (no memory load/stores)
RET #0
To let your 'program' run, we could add temporary state saying:
Memory K has a known value m(k), or an unknown one.
Register A has a known value a, or an unknown one.
Register X has a known value x, or an unknown one.
And be able to "optimize" stupid "jeq jt jf" tests if value of A is
known, since we know the result of test (only one branch will be taken)
I am not sure it's worth it, really, since the whole instruction set should be
taken into account to maintain this state (implementing a kind of
optimizer in the kernel).
It's probably better to spend time in userland optimizer, and a JIT
compiler...
(By the way, I believe FreeBSD has the security problem Dan reported to
us)
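The "store only on one branch, then load" check the thread argues about, as an added example that is neither Eric's patch nor kernel code: a forward must-write analysis over a toy classic-BPF subset with hypothetical opcode names (OP_ST, OP_LD_MEM, OP_JA, OP_JEQ, OP_RET), where a load of M[k] is accepted only if every path from pc 0 stores M[k] first. It rejects Changli's "jt: store m[0], jf: load m[0]" program and accepts one that stores on both branches before the join; the sample programs are constructed here.

```c
/* Added example, not the patch under discussion: a "must be written" analysis
 * over a toy classic-BPF subset with hypothetical opcode names. */
#include <stdint.h>
#include <string.h>

enum { OP_ST, OP_LD_MEM, OP_JA, OP_JEQ, OP_RET };
struct insn { int op; unsigned k, jt, jf; }; /* k: cell index or jump offset */
/* Returns 0 if no load can read an unwritten cell, -1 otherwise. */
int check_mem(const struct insn *prog, unsigned len)
{
    uint16_t masks[64]; /* cells guaranteed written on entry to each pc */
    uint16_t valid = 0; /* cells written along the path being walked */
    if (len < 1 || len > 64) return -1;
    memset(masks, 0xff, sizeof masks); /* "all" until a jump source narrows it */
    for (unsigned pc = 0; pc < len; pc++) {
        const struct insn *i = &prog[pc];
        unsigned t = pc + 1 + i->jt, f = pc + 1 + i->jf;
        valid &= masks[pc]; /* meet: fallthrough state AND every jump source */
        switch (i->op) {
        case OP_ST:
            if (i->k >= 16) return -1;
            valid |= (uint16_t)(1u << i->k);
            break;
        case OP_LD_MEM:
            if (i->k >= 16 || !(valid & (1u << i->k)))
                return -1; /* the "jt: store, jf: load" program ends up here */
            break;
        case OP_JA:
            t = f = pc + 1 + i->k; /* fall through: one target, handled like two */
        case OP_JEQ:
            if (t >= len || f >= len) return -1;
            masks[t] &= valid; masks[f] &= valid;
            valid = 0xffff; /* pc+1 is reachable only as some jump's target */
            break;
        case OP_RET:
            valid = 0xffff; /* fallthrough is dead; only jump targets matter */
            break;
        }
    }
    return 0;
}
/* Constructed samples: one_branch is Changli's program (M[0] stored only on
 * the jt branch, so the load at pc 2 is rejected); both_branches stores M[0]
 * on each path before the join at pc 4, so it is accepted. */
const struct insn one_branch[] = { {OP_JEQ, 0, 0, 1}, {OP_ST, 0, 0, 0},
                                   {OP_LD_MEM, 0, 0, 0}, {OP_RET, 0, 0, 0} };
const struct insn both_branches[] = { {OP_JEQ, 0, 0, 2}, {OP_ST, 0, 0, 0},
    {OP_JA, 1, 0, 0}, {OP_ST, 0, 0, 0}, {OP_LD_MEM, 0, 0, 0}, {OP_RET, 0, 0, 0} };
```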