[PATCH bpf-next v9 01/12] bpf: Only reply field should be writeable

[PATCH bpf-next v9 00/12] bpf: More sock_ops callbacks · Lawrence Brakmo <hidden> · 2018-01-25
[PATCH bpf-next v9 03/12] bpf: Make SOCK_OPS_GET_TCP struct independent · Lawrence Brakmo <hidden> · 2018-01-25
[PATCH bpf-next v9 06/12] bpf: Adds field bpf_sock_ops_cb_flags to tcp_sock · Lawrence Brakmo <hidden> · 2018-01-25
[PATCH bpf-next v9 04/12] bpf: Add write access to tcp_sock and sock fields · Lawrence Brakmo <hidden> · 2018-01-25
[PATCH bpf-next v9 11/12] bpf: Add BPF_SOCK_OPS_STATE_CB · Lawrence Brakmo <hidden> · 2018-01-25
[PATCH bpf-next v9 05/12] bpf: Support passing args to sock_ops bpf function · Lawrence Brakmo <hidden> · 2018-01-25
[PATCH bpf-next v9 01/12] bpf: Only reply field should be writeable · Lawrence Brakmo <hidden> · 2018-01-25
[PATCH bpf-next v9 07/12] bpf: Add sock_ops RTO callback · Lawrence Brakmo <hidden> · 2018-01-25
[PATCH bpf-next v9 08/12] bpf: Add support for reading sk_state and more · Lawrence Brakmo <hidden> · 2018-01-25
[PATCH bpf-next v9 02/12] bpf: Make SOCK_OPS_GET_TCP size independent · Lawrence Brakmo <hidden> · 2018-01-25
[PATCH bpf-next v9 12/12] bpf: add selftest for tcpbpf · Lawrence Brakmo <hidden> · 2018-01-25
[PATCH bpf-next v9 10/12] bpf: Add BPF_SOCK_OPS_RETRANS_CB · Lawrence Brakmo <hidden> · 2018-01-25
[PATCH bpf-next v9 09/12] bpf: Add sock_ops R/W access to tclass · Lawrence Brakmo <hidden> · 2018-01-25

STALE3054d REVIEWED: 1 (0M)

Revisions (4)

2017-12-31 v3 [diff vs current]
2018-01-20 v6 [diff vs current]
2018-01-24 v8 [diff vs current]
2018-01-25 v9 current

From: Lawrence Brakmo <hidden>
Date: 2018-01-25 02:37:18
Subsystem: bpf [general] (safe dynamic programs and tools), bpf [networking] (tcx & tc bpf, sock_addr), networking [general], the rest · Maintainers: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi, Martin KaFai Lau, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds

Currently, a sock_ops BPF program can write the op field and all the
reply fields (reply and replylong). This is a bug. The op field should
not have been writeable and there is currently no way to use replylong
field for indices >= 1. This patch enforces that only the reply field
(which equals replylong[0]) is writeable.

Fixes: 40304b2a1567 ("bpf: BPF support for sock_ops")
Signed-off-by: Lawrence Brakmo <redacted>
Acked-by: Yuchung Cheng <redacted>
---
 net/core/filter.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 18da42a..bf9bb75 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c

@@ -3845,8 +3845,7 @@ static bool sock_ops_is_valid_access(int off, int size,
 {
 	if (type == BPF_WRITE) {
 		switch (off) {
-		case offsetof(struct bpf_sock_ops, op) ...
-		     offsetof(struct bpf_sock_ops, replylong[3]):
+		case offsetof(struct bpf_sock_ops, reply):
 			break;
 		default:
 			return false;

-- 
2.9.5

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help