From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>
Subject: Re: How to disassemble a BPF program?
Date: Thu, 21 Apr 2022 20:15:11 +0900 [thread overview]
Message-ID: <27376147-9939-e1d6-650d-3c2d9599ec0c@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <e6f25385-c5d0-f56e-27e8-1e2fd2378755@I-love.SAKURA.ne.jp>
On 2022/04/21 16:17, Tetsuo Handa wrote:
> Also, I tried to find what bpf_skb_load_helper_8_no_cache() is doing
> but I couldn't find the implementation of ____bpf_skb_load_helper_8().
> Where is ____bpf_skb_load_helper_8() defined?
>
> ----------------------------------------
> BPF_CALL_2(bpf_skb_load_helper_8_no_cache, const struct sk_buff *, skb,
> int, offset)
> {
> return ____bpf_skb_load_helper_8(skb, skb->data, skb->len - skb->data_len,
> offset);
> }
> ----------------------------------------
>
Ah, OK. Since the BPF_CALL_x macro defines
static __always_inline \
u64 ____##name(__BPF_MAP(x, __BPF_DECL_ARGS, __BPF_V, __VA_ARGS__))
, BPF_CALL_4(bpf_skb_load_helper_8) will define
static __always_inline u64 ____bpf_skb_load_helper_8()
to be called from BPF_CALL_2(bpf_skb_load_helper_8_no_cache).
> I feel that amount of output above is too short for "char program[2053]".
> How can TCP/IPv6 socket be created from this quite limited operations?
Since bpf_skb_load_helper_8() does nothing but read a byte, I don't think that
bpf(BPF_PROG_LOAD) / setsockopt(SOL_SOCKET, SO_ATTACH_BPF) can affect this
use-after-free bug, unless "char program[2053]" is doing something other
than reading a byte.
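As an added illustration of the macro expansion discussed in the message above (this is example code written for this page, not code from the mail or from the kernel tree): a stand-alone, simplified model of the BPF_CALL_x pattern. The MODEL_BPF_CALL_2/MODEL_BPF_CALL_4 macros, struct pkt, pkt_copy_byte() and the sample packet are assumptions introduced here; the real kernel macros build their parameter lists with __BPF_MAP/__BPF_REG token pasting and cast through __bpf_cast(). What the model preserves is the split the mail describes: each macro use emits both the exported `u64 name(u64 r1, ..., u64 r5)` wrapper that BPF programs call and the typed `static inline ____name(...)` whose body follows the macro, so a second helper (the _no_cache variant) can call ____name directly.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

/*
 * Simplified model of the kernel's BPF_CALL_x macros (assumption: the real
 * macros in include/linux/filter.h generate the parameter lists with token
 * pasting; here each arity is written out by hand). Every use expands to:
 *   1. a forward declaration of the typed static inline ____name(...),
 *   2. the exported u64 name(u64 r1..r5) wrapper that casts the five BPF
 *      argument registers to the typed parameters and calls ____name,
 *   3. the header of ____name, so the { body } after the macro use becomes
 *      the body of ____name.
 */
#define BPF_CAST(t, r) ((t)(uintptr_t)(r))

#define MODEL_BPF_CALL_2(name, t1, a1, t2, a2)                               \
    static inline u64 ____##name(t1 a1, t2 a2);                              \
    u64 name(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)                          \
    {                                                                         \
        (void)r3; (void)r4; (void)r5;                                         \
        return ____##name(BPF_CAST(t1, r1), BPF_CAST(t2, r2));                \
    }                                                                         \
    static inline u64 ____##name(t1 a1, t2 a2)

#define MODEL_BPF_CALL_4(name, t1, a1, t2, a2, t3, a3, t4, a4)               \
    static inline u64 ____##name(t1 a1, t2 a2, t3 a3, t4 a4);                \
    u64 name(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)                          \
    {                                                                         \
        (void)r5;                                                             \
        return ____##name(BPF_CAST(t1, r1), BPF_CAST(t2, r2),                 \
                          BPF_CAST(t3, r3), BPF_CAST(t4, r4));                \
    }                                                                         \
    static inline u64 ____##name(t1 a1, t2 a2, t3 a3, t4 a4)

/* Stand-in for struct sk_buff (assumption): one backing array whose first
 * len - data_len bytes play the linear head; the rest is "paged" data that
 * a head-only read must not touch. */
struct pkt {
    const unsigned char *data;  /* like skb->data */
    unsigned int len;           /* like skb->len: total bytes */
    unsigned int data_len;      /* like skb->data_len: bytes not in the head */
};

/* Model of skb_copy_bits() for a single byte (assumption). */
static int pkt_copy_byte(const struct pkt *p, int offset, unsigned char *out)
{
    if (offset < 0 || (unsigned int)offset >= p->len)
        return -EFAULT;
    *out = p->data[offset];
    return 0;
}

/* Same shape as bpf_skb_load_helper_8: a direct read from the linear head
 * when the byte is there, otherwise the slower copy path; it only reads. */
MODEL_BPF_CALL_4(load_byte, const struct pkt *, p, const void *, data,
                 int, headlen, int, offset)
{
    unsigned char tmp;
    const unsigned char *head = data;

    if (offset >= 0) {
        if (headlen - offset >= 1)
            return head[offset];
        if (!pkt_copy_byte(p, offset, &tmp))
            return tmp;
    }
    /* negative (SKF_AD_* style) offsets are not modelled here */
    return (u64)(long)-EFAULT;
}

/* Same shape as bpf_skb_load_helper_8_no_cache: it calls the typed inline
 * ____load_byte that MODEL_BPF_CALL_4 defined above, deriving the head
 * pointer and head length from the packet itself. */
MODEL_BPF_CALL_2(load_byte_no_cache, const struct pkt *, p, int, offset)
{
    return ____load_byte(p, p->data, (int)(p->len - p->data_len), offset);
}

/* Constructed sample packet: 6 bytes, the last 2 outside the linear head. */
static const unsigned char sample_bytes[6] = { 0x45, 0x00, 0x00, 0x3c, 0xaa, 0xbb };
static const struct pkt sample = { sample_bytes, 6, 2 };

/* Drive the exported wrapper the way the interpreter/JIT would: every
 * argument travels in a u64 register, unused registers are passed as 0. */
u64 call_via_registers(int offset)
{
    return load_byte_no_cache((u64)(uintptr_t)&sample, (u64)(long)offset, 0, 0, 0);
}

int main(void)
{
    int off;
    for (off = -1; off < 7; off++)
        printf("offset %d -> 0x%llx\n", off,
               (unsigned long long)call_via_registers(off));
    return 0;
}
```

Offsets 0 to 3 come straight from the head, offsets 4 and 5 go through the copy path, and anything outside the packet yields -EFAULT sign-extended into the u64 return register, which is the only thing a BPF program ever sees from the helper.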
Thread overview: 7+ messages
2022-04-12 11:04 How to disassemble a BPF program? Tetsuo Handa
2022-04-20 11:38 ` Tetsuo Handa
2022-04-20 16:48 ` Andrii Nakryiko
2022-04-21 7:17 ` Tetsuo Handa
2022-04-21 11:15 ` Tetsuo Handa [this message]
2022-04-22 6:44 ` Tetsuo Handa
2022-04-25 13:48 ` Jakub Sitnicki