From: Jakub Sitnicki <jakub@cloudflare•com>
To: John Fastabend <john.fastabend@gmail•com>
Cc: bpf@vger•kernel.org, netdev@vger•kernel.org,
daniel@iogearbox•net, joamaki@gmail•com,
xiyou.wangcong@gmail•com
Subject: Re: [PATCH bpf 4/4] bpf, sockmap: sk_skb data_end access incorrect when src_reg = dst_reg
Date: Sat, 23 Oct 2021 15:05:19 +0200 [thread overview]
Message-ID: <87mtmzgacw.fsf@cloudflare.com> (raw)
In-Reply-To: <20211011191647.418704-5-john.fastabend@gmail.com>
On Mon, Oct 11, 2021 at 09:16 PM CEST, John Fastabend wrote:
> From: Jussi Maki <joamaki@gmail•com>
>
> The current conversion of skb->data_end reads like this,
>
> ; data_end = (void*)(long)skb->data_end;
> 559: (79) r1 = *(u64 *)(r2 +200) ; r1 = skb->data
> 560: (61) r11 = *(u32 *)(r2 +112) ; r11 = skb->len
> 561: (0f) r1 += r11
> 562: (61) r11 = *(u32 *)(r2 +116)
> 563: (1f) r1 -= r11
>
> But similar to the case
>
> ("bpf: sock_ops sk access may stomp registers when dst_reg = src_reg"),
>
> the code will read an incorrect skb->len when src == dst. In this case we
> end up generating this xlated code.
>
> ; data_end = (void*)(long)skb->data_end;
> 559: (79) r1 = *(u64 *)(r1 +200) ; r1 = skb->data
> 560: (61) r11 = *(u32 *)(r1 +112) ; r11 = (skb->data)->len
> 561: (0f) r1 += r11
> 562: (61) r11 = *(u32 *)(r1 +116)
> 563: (1f) r1 -= r11
>
> where line 560 is the reading 4B of (skb->data + 112) instead of the
> intended skb->len Here the skb pointer in r1 gets set to skb->data and
> the later deref for skb->len ends up following skb->data instead of skb.
>
> This fixes the issue similarly to the patch mentioned above by creating
> an additional temporary variable and using to store the register when
> dst_reg = src_reg. We name the variable bpf_temp_reg and place it in the
> cb context for sk_skb. Then we restore from the temp to ensure nothing
> is lost.
>
> Fixes: 16137b09a66f2 ("bpf: Compute data_end dynamically with JIT code")
> Signed-off-by: Jussi Maki <joamaki@gmail•com>
> Signed-off-by: John Fastabend <john.fastabend@gmail•com>
> ---
Reviewed-by: Jakub Sitnicki <jakub@cloudflare•com>
prev parent reply other threads:[~2021-10-23 13:05 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-11 19:16 [PATCH bpf 0/4] bpf, sockmap: fixes stress testing and regression John Fastabend
2021-10-11 19:16 ` [PATCH bpf 1/4] bpf, sockmap: Remove unhash handler for BPF sockmap usage John Fastabend
2021-10-19 7:17 ` Jakub Sitnicki
2021-10-20 5:28 ` John Fastabend
2021-10-20 15:11 ` Jakub Sitnicki
2021-10-20 15:51 ` John Fastabend
2021-10-20 16:35 ` Jakub Sitnicki
2021-10-21 19:24 ` John Fastabend
2021-10-11 19:16 ` [PATCH bpf 2/4] bpf, sockmap: Fix race in ingress receive verdict with redirect to self John Fastabend
2021-10-19 9:16 ` Jakub Sitnicki
2021-10-11 19:16 ` [PATCH bpf 3/4] bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding John Fastabend
2021-10-19 15:39 ` Jakub Sitnicki
2021-10-11 19:16 ` [PATCH bpf 4/4] bpf, sockmap: sk_skb data_end access incorrect when src_reg = dst_reg John Fastabend
2021-10-23 13:05 ` Jakub Sitnicki [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mtmzgacw.fsf@cloudflare.com \
--to=jakub@cloudflare$(echo .)com \
--cc=bpf@vger$(echo .)kernel.org \
--cc=daniel@iogearbox$(echo .)net \
--cc=joamaki@gmail$(echo .)com \
--cc=john.fastabend@gmail$(echo .)com \
--cc=netdev@vger$(echo .)kernel.org \
--cc=xiyou.wangcong@gmail$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox