From: Jakub Sitnicki <jakub@cloudflare.com>
To: Dan Carpenter <error27@gmail.com>
Cc: oe-kbuild@lists.linux.dev, netdev@vger.kernel.org, lkp@intel.com,
oe-kbuild-all@lists.linux.dev, kernel-team@cloudflare.com,
John Fastabend <john.fastabend@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
syzbot+04c21ed96d861dccc5cd@syzkaller.appspotmail.com
Subject: Re: [PATCH bpf 1/3] bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener
Date: Mon, 16 Jan 2023 11:09:02 +0100 [thread overview]
Message-ID: <87sfgayeg9.fsf@cloudflare.com> (raw)
In-Reply-To: <202301141018.w4fQc4gd-lkp@intel.com>
Hi Dan,
On Sat, Jan 14, 2023 at 11:04 AM +03, Dan Carpenter wrote:
> Hi Jakub,
>
> url: https://github.com/intel-lab-lkp/linux/commits/Jakub-Sitnicki/bpf-sockmap-Check-for-any-of-tcp_bpf_prots-when-cloning-a-listener/20230113-230728
> base: e7895f017b79410bf4591396a733b876dc1e0e9d
> patch link: https://lore.kernel.org/r/20230113-sockmap-fix-v1-1-d3cad092ee10%40cloudflare.com
> patch subject: [PATCH bpf 1/3] bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener
> config: i386-randconfig-m021
> compiler: gcc-11 (Debian 11.3.0-8) 11.3.0
>
> If you fix the issue, kindly add following tag where applicable
> | Reported-by: kernel test robot <lkp@intel.com>
> | Reported-by: Dan Carpenter <error27@gmail.com>
>
> smatch warnings:
> net/ipv4/tcp_bpf.c:644 tcp_bpf_clone() error: buffer overflow 'tcp_bpf_prots' 2 <= 2
>
> vim +/tcp_bpf_prots +644 net/ipv4/tcp_bpf.c
>
> 604326b41a6fb9 Daniel Borkmann 2018-10-13 634
> e80251555f0bef Jakub Sitnicki 2020-02-18 635 /* If a child got cloned from a listening socket that had tcp_bpf
> e80251555f0bef Jakub Sitnicki 2020-02-18 636 * protocol callbacks installed, we need to restore the callbacks to
> e80251555f0bef Jakub Sitnicki 2020-02-18 637 * the default ones because the child does not inherit the psock state
> e80251555f0bef Jakub Sitnicki 2020-02-18 638 * that tcp_bpf callbacks expect.
> e80251555f0bef Jakub Sitnicki 2020-02-18 639 */
> e80251555f0bef Jakub Sitnicki 2020-02-18 640 void tcp_bpf_clone(const struct sock *sk, struct sock *newsk)
> e80251555f0bef Jakub Sitnicki 2020-02-18 641 {
> e80251555f0bef Jakub Sitnicki 2020-02-18 642 struct proto *prot = newsk->sk_prot;
> e80251555f0bef Jakub Sitnicki 2020-02-18 643
> c2e74657613125 Jakub Sitnicki 2023-01-13 @644 if (tcp_bpf_prots[0] <= prot && prot < tcp_bpf_prots[ARRAY_SIZE(tcp_bpf_prots)])
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> What? Also I suspect this might cause a compile error for Clang builds.
Can't say I see a problem B-)
tcp_bpf_prots is a 2D array:
static struct proto tcp_bpf_prots[TCP_BPF_NUM_PROTS][TCP_BPF_NUM_CFGS];
... so tcp_bpf_prots[0] is the base address of the first array, while
tcp_bpf_prots[ARRAY_SIZE(tcp_bpf_prots)] is the base address of the
array one past the last one.
Smatch doesn't seem to graps the 2D array concept here. We can make it
happy by being explicit but harder on the eyes:
if (&tcp_bpf_prots[0][0] <= prot && prot < &tcp_bpf_prots[ARRAY_SIZE(tcp_bpf_prots)][0])
newsk->sk_prot = sk->sk_prot_creator;
Clang can do pointer arithmetic on 2D arrays just fine :-)
next prev parent reply other threads:[~2023-01-16 10:15 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-13 14:56 [PATCH bpf 0/3] bpf, sockmap: Fix infinite recursion in sock_map_close Jakub Sitnicki
2023-01-13 14:56 ` [PATCH bpf 1/3] bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener Jakub Sitnicki
2023-01-14 8:04 ` Dan Carpenter
2023-01-16 10:09 ` Jakub Sitnicki [this message]
2023-01-16 10:39 ` Eric Dumazet
2023-01-16 11:27 ` Jakub Sitnicki
2023-01-16 11:13 ` Dan Carpenter
2023-01-16 11:31 ` Jakub Sitnicki
2023-01-16 11:53 ` Dan Carpenter
2023-01-13 14:56 ` [PATCH bpf 2/3] selftests/bpf: Pass BPF skeleton to sockmap_listen ops tests Jakub Sitnicki
2023-01-13 14:56 ` [PATCH bpf 3/3] selftests/bpf: Cover listener cloning with progs attached to sockmap Jakub Sitnicki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87sfgayeg9.fsf@cloudflare.com \
--to=jakub@cloudflare.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=edumazet@google.com \
--cc=error27@gmail.com \
--cc=john.fastabend@gmail.com \
--cc=kernel-team@cloudflare.com \
--cc=lkp@intel.com \
--cc=netdev@vger.kernel.org \
--cc=oe-kbuild-all@lists.linux.dev \
--cc=oe-kbuild@lists.linux.dev \
--cc=syzbot+04c21ed96d861dccc5cd@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).