From: Martin KaFai Lau <martin.lau@linux.dev>
To: Jason Xing <kerneljasonxing@gmail.com>
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, dsahern@kernel.org,
willemdebruijn.kernel@gmail.com, willemb@google.com,
ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
eddyz87@gmail.com, song@kernel.org, yonghong.song@linux.dev,
john.fastabend@gmail.com, kpsingh@kernel.org, sdf@fomichev.me,
haoluo@google.com, jolsa@kernel.org, horms@kernel.org,
bpf@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [RFC PATCH net-next v6 04/13] bpf: stop UDP sock accessing TCP fields in sock_op BPF CALLs
Date: Fri, 24 Jan 2025 16:28:08 -0800 [thread overview]
Message-ID: <1c2f4735-bddb-4ce7-bd0a-5dbb31cb0c45@linux.dev> (raw)
In-Reply-To: <20250121012901.87763-5-kerneljasonxing@gmail.com>
On 1/20/25 5:28 PM, Jason Xing wrote:
> In the next round, we will support the UDP proto for SO_TIMESTAMPING
> bpf extension, so we need to ensure there is no safety problem, which
> is ususally caused by UDP socket trying to access TCP fields.
>
> These approaches can be categorized into two groups:
> 1. add TCP protocol check
> 2. add sock op check
Same as patch 3. The commit message needs adjustment. I would combine patch 3
and patch 4 because ...
>
> Signed-off-by: Jason Xing <kerneljasonxing@gmail.com>
> ---
> net/core/filter.c | 19 +++++++++++++++++--
> 1 file changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/filter.c b/net/core/filter.c
> index fdd305b4cfbb..934431886876 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -5523,6 +5523,11 @@ static int __bpf_setsockopt(struct sock *sk, int level, int optname,
> return -EINVAL;
> }
>
> +static bool is_locked_tcp_sock_ops(struct bpf_sock_ops_kern *bpf_sock)
> +{
> + return bpf_sock->op <= BPF_SOCK_OPS_WRITE_HDR_OPT_CB;
More bike shedding...
After sleeping on it again, I think it can just test the
bpf_sock->allow_tcp_access instead.
> +}
> +
> static int _bpf_setsockopt(struct sock *sk, int level, int optname,
> char *optval, int optlen)
> {
> @@ -5673,7 +5678,12 @@ static const struct bpf_func_proto bpf_sock_addr_getsockopt_proto = {
> BPF_CALL_5(bpf_sock_ops_setsockopt, struct bpf_sock_ops_kern *, bpf_sock,
> int, level, int, optname, char *, optval, int, optlen)
> {
> - return _bpf_setsockopt(bpf_sock->sk, level, optname, optval, optlen);
> + struct sock *sk = bpf_sock->sk;
> +
> + if (is_locked_tcp_sock_ops(bpf_sock) && sk_fullsock(sk))
afaict, the new timestamping callbacks still can do setsockopt and it is
incorrect. It should be:
if (!bpf_sock->allow_tcp_access)
return -EOPNOTSUPP;
I recalled I have asked in v5 but it may be buried in the long thread, so asking
here again. Please add test(s) to check that the new timestamping callbacks
cannot call setsockopt and read/write to some of the tcp_sock fields through the
bpf_sock_ops.
> + sock_owned_by_me(sk);
Not needed and instead...
> +
> + return __bpf_setsockopt(sk, level, optname, optval, optlen);
keep the original _bpf_setsockopt().
> }
>
> static const struct bpf_func_proto bpf_sock_ops_setsockopt_proto = {
> @@ -5759,6 +5769,7 @@ BPF_CALL_5(bpf_sock_ops_getsockopt, struct bpf_sock_ops_kern *, bpf_sock,
> int, level, int, optname, char *, optval, int, optlen)
> {
> if (IS_ENABLED(CONFIG_INET) && level == SOL_TCP &&
> + bpf_sock->sk->sk_protocol == IPPROTO_TCP &&
> optname >= TCP_BPF_SYN && optname <= TCP_BPF_SYN_MAC) {
No need to allow getsockopt regardless what SOL_* it is asking. To keep it
simple, I would just disable both getsockopt and setsockopt for all SOL_* for
the new timestamping callbacks. Nothing is lost, the bpf prog can directly read
the sk.
> int ret, copy_len = 0;
> const u8 *start;
> @@ -5800,7 +5811,8 @@ BPF_CALL_2(bpf_sock_ops_cb_flags_set, struct bpf_sock_ops_kern *, bpf_sock,
> struct sock *sk = bpf_sock->sk;
> int val = argval & BPF_SOCK_OPS_ALL_CB_FLAGS;
>
> - if (!IS_ENABLED(CONFIG_INET) || !sk_fullsock(sk))
> + if (!IS_ENABLED(CONFIG_INET) || !sk_fullsock(sk) ||
> + sk->sk_protocol != IPPROTO_TCP)
Same here. It should disallow this "set" helper for the timestamping callbacks
which do not hold the lock.
> return -EINVAL;
>
> tcp_sk(sk)->bpf_sock_ops_cb_flags = val;
> @@ -7609,6 +7621,9 @@ BPF_CALL_4(bpf_sock_ops_load_hdr_opt, struct bpf_sock_ops_kern *, bpf_sock,
> u8 search_kind, search_len, copy_len, magic_len;
> int ret;
>
> + if (!is_locked_tcp_sock_ops(bpf_sock))
> + return -EOPNOTSUPP;
This is correct, just change it to "!bpf_sock->allow_tcp_access".
All the above changed helpers should use the same test and the same return handling.
> +
> /* 2 byte is the minimal option len except TCPOPT_NOP and
> * TCPOPT_EOL which are useless for the bpf prog to learn
> * and this helper disallow loading them also.
next prev parent reply other threads:[~2025-01-25 0:28 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-21 1:28 [RFC PATCH net-next v6 00/13] net-timestamp: bpf extension to equip applications transparently Jason Xing
2025-01-21 1:28 ` [RFC PATCH net-next v6 01/13] net-timestamp: add support for bpf_setsockopt() Jason Xing
2025-01-21 1:28 ` [RFC PATCH net-next v6 02/13] net-timestamp: prepare for timestamping callbacks use Jason Xing
2025-01-21 5:08 ` Jason Xing
2025-01-21 1:28 ` [RFC PATCH net-next v6 03/13] bpf: stop UDP sock accessing TCP fields in bpf callbacks Jason Xing
2025-01-24 23:40 ` Martin KaFai Lau
2025-01-25 0:28 ` Jason Xing
2025-01-28 1:34 ` Jason Xing
2025-01-21 1:28 ` [RFC PATCH net-next v6 04/13] bpf: stop UDP sock accessing TCP fields in sock_op BPF CALLs Jason Xing
2025-01-25 0:28 ` Martin KaFai Lau [this message]
2025-01-25 1:15 ` Jason Xing
2025-01-25 1:32 ` Jason Xing
2025-01-25 2:25 ` Martin KaFai Lau
2025-01-25 2:58 ` Jason Xing
2025-01-25 3:12 ` Martin KaFai Lau
2025-01-25 3:43 ` Jason Xing
2025-01-21 1:28 ` [RFC PATCH net-next v6 05/13] net-timestamp: prepare for isolating two modes of SO_TIMESTAMPING Jason Xing
2025-01-21 1:28 ` [RFC PATCH net-next v6 06/13] net-timestamp: support SCM_TSTAMP_SCHED for bpf extension Jason Xing
2025-01-25 0:38 ` Martin KaFai Lau
2025-01-25 1:16 ` Jason Xing
2025-01-21 1:28 ` [RFC PATCH net-next v6 07/13] net-timestamp: support sw SCM_TSTAMP_SND " Jason Xing
2025-01-25 0:40 ` Martin KaFai Lau
2025-01-25 1:17 ` Jason Xing
2025-01-21 1:28 ` [RFC PATCH net-next v6 08/13] net-timestamp: support hw " Jason Xing
2025-01-25 0:46 ` Martin KaFai Lau
2025-01-25 1:18 ` Jason Xing
2025-01-25 1:29 ` Martin KaFai Lau
2025-01-25 1:35 ` Jason Xing
2025-01-25 2:36 ` Martin KaFai Lau
2025-01-25 2:59 ` Jason Xing
2025-01-21 1:28 ` [RFC PATCH net-next v6 09/13] net-timestamp: support SCM_TSTAMP_ACK " Jason Xing
2025-01-21 1:28 ` [RFC PATCH net-next v6 10/13] net-timestamp: make TCP tx timestamp bpf extension work Jason Xing
2025-01-21 1:28 ` [RFC PATCH net-next v6 11/13] net-timestamp: add a new callback in tcp_tx_timestamp() Jason Xing
2025-01-25 0:50 ` Martin KaFai Lau
2025-01-25 1:21 ` Jason Xing
2025-01-21 1:29 ` [RFC PATCH net-next v6 12/13] net-timestamp: introduce cgroup lock to avoid affecting non-bpf cases Jason Xing
2025-01-25 1:09 ` Martin KaFai Lau
2025-01-25 1:25 ` Jason Xing
2025-01-21 1:29 ` [RFC PATCH net-next v6 13/13] bpf: add simple bpf tests in the tx path for so_timestamping feature Jason Xing
2025-01-25 3:07 ` Martin KaFai Lau
2025-01-25 3:42 ` Jason Xing
2025-01-27 23:49 ` Martin KaFai Lau
2025-01-28 0:19 ` Jason Xing
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1c2f4735-bddb-4ce7-bd0a-5dbb31cb0c45@linux.dev \
--to=martin.lau@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=eddyz87@gmail.com \
--cc=edumazet@google.com \
--cc=haoluo@google.com \
--cc=horms@kernel.org \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kerneljasonxing@gmail.com \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=willemb@google.com \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).