* bpf_test_finish()
From: David Miller @ 2017-05-02  3:56 UTC
  To: ast; +Cc: daniel, netdev


It dereferences a user pointer:

static int bpf_test_finish(union bpf_attr __user *uattr, const void *data,
			   u32 size, u32 retval, u32 duration)
{
	void __user *data_out = u64_to_user_ptr(uattr->test.data_out);
                                                ^^^^^^^^^^^^^^^^^^^^
Which of course doesn't work so well :-)

I really wish that didn't silently work on x86/x86_64.

You're going to have to do a "get_user(&uattr->test.data_out)"


* Re: bpf_test_finish()
From: Alexei Starovoitov @ 2017-05-02  4:46 UTC
  To: David Miller; +Cc: daniel, netdev

On 5/1/17 8:56 PM, David Miller wrote:
>
> It dereferences a user pointer:
>
> static int bpf_test_finish(union bpf_attr __user *uattr, const void *data,
> 			   u32 size, u32 retval, u32 duration)
> {
> 	void __user *data_out = u64_to_user_ptr(uattr->test.data_out);
>                                                 ^^^^^^^^^^^^^^^^^^^^
> Which of course doesn't work so well :-)
>
> I really wish that didn't silently work on x86/x86_64.

argh. my bad.
I'll send a patch first thing tomorrow unless Daniel beats me to it.
We have kattr there as well which has the whole bpf_attr copied into
kernel memory already. Should have taken data_out from there and
passed into bpf_test_finish().


* Re: bpf_test_finish()
From: David Miller @ 2017-05-02 15:14 UTC
  To: ast; +Cc: daniel, netdev

From: Alexei Starovoitov <ast@fb.com>
Date: Mon, 1 May 2017 21:46:07 -0700

> I'll send a patch first thing tomorrow unless Daniel beats me to it.
> We have kattr there as well which has the whole bpf_attr copied into
> kernel memory already. Should have taken data_out from there and
> passed into bpf_test_finish().

I happen to be hacking on this file for another reason right now so
I'll work on a fix for this.  So don't worry about it.

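An added example, not part of the thread or of the kernel tree: a user-space C model of the fix described in the 4:46 reply, where data_out is taken from the kernel copy (kattr) and the user pointer is only ever passed to an accessor. The names `user_mem`, `uaddr_t`, `test_attr`, `bad_range`, `model_copy_from_user`, `model_copy_to_user`, `test_finish` and `test_run` are hypothetical, and user memory is modelled as a separate array so that it cannot be reached by a plain dereference.

```c
/* User-space model, constructed for illustration; this is not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define USER_MEM_SIZE 256
static unsigned char user_mem[USER_MEM_SIZE]; /* simulated user address space */
typedef uint64_t uaddr_t;                     /* user address = offset into user_mem */

/* Cut-down, hypothetical stand-in for the "test" member of union bpf_attr. */
struct test_attr { uint64_t data_out; uint32_t data_size_out; uint32_t retval; };

/* Stand-ins for copy_from_user()/copy_to_user(): range-check, then copy. */
static int bad_range(uaddr_t a, size_t n) { return a > USER_MEM_SIZE || n > USER_MEM_SIZE - a; }
static int model_copy_from_user(void *dst, uaddr_t src, size_t n)
{
	if (bad_range(src, n)) return -EFAULT;
	memcpy(dst, user_mem + src, n);
	return 0;
}
static int model_copy_to_user(uaddr_t dst, const void *src, size_t n)
{
	if (bad_range(dst, n)) return -EFAULT;
	memcpy(user_mem + dst, src, n);
	return 0;
}

/* data_out is read from kattr (the kernel copy); uattr is only handed to an
 * accessor as a destination address and is never dereferenced. */
static int test_finish(const struct test_attr *kattr, uaddr_t uattr,
		       const void *data, uint32_t size, uint32_t retval)
{
	if (model_copy_to_user(kattr->data_out, data, size) ||
	    model_copy_to_user(uattr + offsetof(struct test_attr, data_size_out), &size, sizeof(size)) ||
	    model_copy_to_user(uattr + offsetof(struct test_attr, retval), &retval, sizeof(retval)))
		return -EFAULT;
	return 0;
}

/* Entry point: copy the whole attribute into kernel memory once, up front. */
static int test_run(uaddr_t uattr, const void *result, uint32_t size, uint32_t retval)
{
	struct test_attr kattr;
	if (model_copy_from_user(&kattr, uattr, sizeof(kattr)))
		return -EFAULT;
	return test_finish(&kattr, uattr, result, size, retval);
}

int main(void)
{
	struct test_attr a = { .data_out = 128 }; /* constructed request */
	memcpy(user_mem + 16, &a, sizeof(a));
	return test_run(16, "pkt!", 4, 7);
}
```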
