* [PATCH v2] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array
@ 2024-02-16 23:55 Kees Cook
2024-02-17 0:27 ` Gustavo A. R. Silva
0 siblings, 1 reply; 5+ messages in thread
From: Kees Cook @ 2024-02-16 23:55 UTC (permalink / raw)
To: Alexei Starovoitov
Cc: Kees Cook, Mark Rutland, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Mykola Lysenko,
Shuah Khan, Haowen Bai, bpf, linux-kselftest, Yonghong Song,
Anton Protopopov, linux-kernel, linux-hardening
Replace deprecated 0-length array in struct bpf_lpm_trie_key with
flexible array. Found with GCC 13:
../kernel/bpf/lpm_trie.c:207:51: warning: array subscript i is outside array bounds of 'const __u8[0]' {aka 'const unsigned char[]'} [-Warray-bounds=]
207 | *(__be16 *)&key->data[i]);
| ^~~~~~~~~~~~~
../include/uapi/linux/swab.h:102:54: note: in definition of macro '__swab16'
102 | #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
| ^
../include/linux/byteorder/generic.h:97:21: note: in expansion of macro '__be16_to_cpu'
97 | #define be16_to_cpu __be16_to_cpu
| ^~~~~~~~~~~~~
../kernel/bpf/lpm_trie.c:206:28: note: in expansion of macro 'be16_to_cpu'
206 | u16 diff = be16_to_cpu(*(__be16 *)&node->data[i]
^
| ^~~~~~~~~~~
In file included from ../include/linux/bpf.h:7:
../include/uapi/linux/bpf.h:82:17: note: while referencing 'data'
82 | __u8 data[0]; /* Arbitrary size */
| ^~~~
And found at run-time under CONFIG_FORTIFY_SOURCE:
UBSAN: array-index-out-of-bounds in kernel/bpf/lpm_trie.c:218:49
index 0 is out of range for type '__u8 [*]'
This includes fixing the selftest which was incorrectly using a
variable length struct as a header, identified earlier[1]. Avoid this
by just explicitly including the prefixlen member instead of struct
bpf_lpm_trie_key.
Note that it is not possible to simply remove the "data" member, as it
is referenced by userspace
cilium:
struct egress_gw_policy_key in_key = {
.lpm_key = { 32 + 24, {} },
.saddr = CLIENT_IP,
.daddr = EXTERNAL_SVC_IP & 0Xffffff,
};
systemd:
ipv6_map_fd = bpf_map_new(
BPF_MAP_TYPE_LPM_TRIE,
offsetof(struct bpf_lpm_trie_key, data) + sizeof(uint32_t)*4,
sizeof(uint64_t),
...
The only risk to UAPI would be if sizeof() were used directly on the
data member, which it does not seem to be. It is only used as a static
initializer destination and to find its location via offsetof().
Link: https://lore.kernel.org/all/202206281009.4332AA33@keescook/ [1]
Reported-by: Mark Rutland <mark.rutland@arm.com>
Closes: https://paste.debian.net/hidden/ca500597/
Signed-off-by: Kees Cook <keescook@chromium.org>
---
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Andrii Nakryiko <andrii@kernel.org>
Cc: Martin KaFai Lau <martin.lau@linux.dev>
Cc: Song Liu <song@kernel.org>
Cc: Yonghong Song <yhs@fb.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: KP Singh <kpsingh@kernel.org>
Cc: Stanislav Fomichev <sdf@google.com>
Cc: Hao Luo <haoluo@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mykola Lysenko <mykolal@fb.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Haowen Bai <baihaowen@meizu.com>
Cc: bpf@vger.kernel.org
Cc: linux-kselftest@vger.kernel.org
v2- clarify commit log, add more failure examples
v1- https://lore.kernel.org/all/63e531e3.170a0220.3a46a.3262@mx.google.com/
---
include/uapi/linux/bpf.h | 2 +-
tools/testing/selftests/bpf/progs/map_ptr_kern.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 754e68ca8744..359dd8a429c1 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -80,7 +80,7 @@ struct bpf_insn {
/* Key of an a BPF_MAP_TYPE_LPM_TRIE entry */
struct bpf_lpm_trie_key {
__u32 prefixlen; /* up to 32 for AF_INET, 128 for AF_INET6 */
- __u8 data[0]; /* Arbitrary size */
+ __u8 data[]; /* Arbitrary size */
};
struct bpf_cgroup_storage_key {
diff --git a/tools/testing/selftests/bpf/progs/map_ptr_kern.c b/tools/testing/selftests/bpf/progs/map_ptr_kern.c
index 3325da17ec81..1d476c6ae284 100644
--- a/tools/testing/selftests/bpf/progs/map_ptr_kern.c
+++ b/tools/testing/selftests/bpf/progs/map_ptr_kern.c
@@ -316,7 +316,7 @@ struct lpm_trie {
} __attribute__((preserve_access_index));
struct lpm_key {
- struct bpf_lpm_trie_key trie_key;
+ __u32 prefixlen;
__u32 data;
};
--
2.34.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array
2024-02-16 23:55 [PATCH v2] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array Kees Cook
@ 2024-02-17 0:27 ` Gustavo A. R. Silva
2024-02-17 3:03 ` Kees Cook
0 siblings, 1 reply; 5+ messages in thread
From: Gustavo A. R. Silva @ 2024-02-17 0:27 UTC (permalink / raw)
To: Kees Cook, Alexei Starovoitov
Cc: Mark Rutland, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Song Liu, Yonghong Song, John Fastabend, KP Singh,
Stanislav Fomichev, Hao Luo, Jiri Olsa, Mykola Lysenko,
Shuah Khan, Haowen Bai, bpf, linux-kselftest, Yonghong Song,
Anton Protopopov, linux-kernel, linux-hardening
On 2/16/24 17:55, Kees Cook wrote:
> Replace deprecated 0-length array in struct bpf_lpm_trie_key with
> flexible array. Found with GCC 13:
>
> ../kernel/bpf/lpm_trie.c:207:51: warning: array subscript i is outside array bounds of 'const __u8[0]' {aka 'const unsigned char[]'} [-Warray-bounds=]
> 207 | *(__be16 *)&key->data[i]);
> | ^~~~~~~~~~~~~
> ../include/uapi/linux/swab.h:102:54: note: in definition of macro '__swab16'
> 102 | #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
> | ^
> ../include/linux/byteorder/generic.h:97:21: note: in expansion of macro '__be16_to_cpu'
> 97 | #define be16_to_cpu __be16_to_cpu
> | ^~~~~~~~~~~~~
> ../kernel/bpf/lpm_trie.c:206:28: note: in expansion of macro 'be16_to_cpu'
> 206 | u16 diff = be16_to_cpu(*(__be16 *)&node->data[i]
> ^
> | ^~~~~~~~~~~
> In file included from ../include/linux/bpf.h:7:
> ../include/uapi/linux/bpf.h:82:17: note: while referencing 'data'
> 82 | __u8 data[0]; /* Arbitrary size */
> | ^~~~
>
> And found at run-time under CONFIG_FORTIFY_SOURCE:
>
> UBSAN: array-index-out-of-bounds in kernel/bpf/lpm_trie.c:218:49
> index 0 is out of range for type '__u8 [*]'
>
> This includes fixing the selftest which was incorrectly using a
> variable length struct as a header, identified earlier[1]. Avoid this
> by just explicitly including the prefixlen member instead of struct
> bpf_lpm_trie_key.
>
> Note that it is not possible to simply remove the "data" member, as it
> is referenced by userspace
>
> cilium:
> struct egress_gw_policy_key in_key = {
> .lpm_key = { 32 + 24, {} },
> .saddr = CLIENT_IP,
> .daddr = EXTERNAL_SVC_IP & 0Xffffff,
> };
>
> systemd:
> ipv6_map_fd = bpf_map_new(
> BPF_MAP_TYPE_LPM_TRIE,
> offsetof(struct bpf_lpm_trie_key, data) + sizeof(uint32_t)*4,
> sizeof(uint64_t),
> ...
>
> The only risk to UAPI would be if sizeof() were used directly on the
> data member, which it does not seem to be. It is only used as a static
> initializer destination and to find its location via offsetof().
>
> Link: https://lore.kernel.org/all/202206281009.4332AA33@keescook/ [1]
> Reported-by: Mark Rutland <mark.rutland@arm.com>
> Closes: https://paste.debian.net/hidden/ca500597/
mmh... this URL expires: 2024-05-15
> Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Thanks!
--
Gustavo
> ---
> Cc: Alexei Starovoitov <ast@kernel.org>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Cc: Andrii Nakryiko <andrii@kernel.org>
> Cc: Martin KaFai Lau <martin.lau@linux.dev>
> Cc: Song Liu <song@kernel.org>
> Cc: Yonghong Song <yhs@fb.com>
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: KP Singh <kpsingh@kernel.org>
> Cc: Stanislav Fomichev <sdf@google.com>
> Cc: Hao Luo <haoluo@google.com>
> Cc: Jiri Olsa <jolsa@kernel.org>
> Cc: Mykola Lysenko <mykolal@fb.com>
> Cc: Shuah Khan <shuah@kernel.org>
> Cc: Haowen Bai <baihaowen@meizu.com>
> Cc: bpf@vger.kernel.org
> Cc: linux-kselftest@vger.kernel.org
>
> v2- clarify commit log, add more failure examples
> v1- https://lore.kernel.org/all/63e531e3.170a0220.3a46a.3262@mx.google.com/
> ---
> include/uapi/linux/bpf.h | 2 +-
> tools/testing/selftests/bpf/progs/map_ptr_kern.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index 754e68ca8744..359dd8a429c1 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -80,7 +80,7 @@ struct bpf_insn {
> /* Key of an a BPF_MAP_TYPE_LPM_TRIE entry */
> struct bpf_lpm_trie_key {
> __u32 prefixlen; /* up to 32 for AF_INET, 128 for AF_INET6 */
> - __u8 data[0]; /* Arbitrary size */
> + __u8 data[]; /* Arbitrary size */
> };
>
> struct bpf_cgroup_storage_key {
> diff --git a/tools/testing/selftests/bpf/progs/map_ptr_kern.c b/tools/testing/selftests/bpf/progs/map_ptr_kern.c
> index 3325da17ec81..1d476c6ae284 100644
> --- a/tools/testing/selftests/bpf/progs/map_ptr_kern.c
> +++ b/tools/testing/selftests/bpf/progs/map_ptr_kern.c
> @@ -316,7 +316,7 @@ struct lpm_trie {
> } __attribute__((preserve_access_index));
>
> struct lpm_key {
> - struct bpf_lpm_trie_key trie_key;
> + __u32 prefixlen;
> __u32 data;
> };
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array
2024-02-17 0:27 ` Gustavo A. R. Silva
@ 2024-02-17 3:03 ` Kees Cook
2024-02-19 17:48 ` Daniel Borkmann
0 siblings, 1 reply; 5+ messages in thread
From: Kees Cook @ 2024-02-17 3:03 UTC (permalink / raw)
To: Gustavo A. R. Silva
Cc: Alexei Starovoitov, Mark Rutland, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Mykola Lysenko, Shuah Khan, Haowen Bai, bpf, linux-kselftest,
Yonghong Song, Anton Protopopov, linux-kernel, linux-hardening
On Fri, Feb 16, 2024 at 06:27:08PM -0600, Gustavo A. R. Silva wrote:
>
>
> On 2/16/24 17:55, Kees Cook wrote:
> > Replace deprecated 0-length array in struct bpf_lpm_trie_key with
> > flexible array. Found with GCC 13:
> >
> > ../kernel/bpf/lpm_trie.c:207:51: warning: array subscript i is outside array bounds of 'const __u8[0]' {aka 'const unsigned char[]'} [-Warray-bounds=]
> > 207 | *(__be16 *)&key->data[i]);
> > | ^~~~~~~~~~~~~
> > ../include/uapi/linux/swab.h:102:54: note: in definition of macro '__swab16'
> > 102 | #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
> > | ^
> > ../include/linux/byteorder/generic.h:97:21: note: in expansion of macro '__be16_to_cpu'
> > 97 | #define be16_to_cpu __be16_to_cpu
> > | ^~~~~~~~~~~~~
> > ../kernel/bpf/lpm_trie.c:206:28: note: in expansion of macro 'be16_to_cpu'
> > 206 | u16 diff = be16_to_cpu(*(__be16 *)&node->data[i]
> > ^
> > | ^~~~~~~~~~~
> > In file included from ../include/linux/bpf.h:7:
> > ../include/uapi/linux/bpf.h:82:17: note: while referencing 'data'
> > 82 | __u8 data[0]; /* Arbitrary size */
> > | ^~~~
> >
> > And found at run-time under CONFIG_FORTIFY_SOURCE:
> >
> > UBSAN: array-index-out-of-bounds in kernel/bpf/lpm_trie.c:218:49
> > index 0 is out of range for type '__u8 [*]'
> >
> > This includes fixing the selftest which was incorrectly using a
> > variable length struct as a header, identified earlier[1]. Avoid this
> > by just explicitly including the prefixlen member instead of struct
> > bpf_lpm_trie_key.
> >
> > Note that it is not possible to simply remove the "data" member, as it
> > is referenced by userspace
> >
> > cilium:
> > struct egress_gw_policy_key in_key = {
> > .lpm_key = { 32 + 24, {} },
> > .saddr = CLIENT_IP,
> > .daddr = EXTERNAL_SVC_IP & 0Xffffff,
> > };
> >
> > systemd:
> > ipv6_map_fd = bpf_map_new(
> > BPF_MAP_TYPE_LPM_TRIE,
> > offsetof(struct bpf_lpm_trie_key, data) + sizeof(uint32_t)*4,
> > sizeof(uint64_t),
> > ...
> >
> > The only risk to UAPI would be if sizeof() were used directly on the
> > data member, which it does not seem to be. It is only used as a static
> > initializer destination and to find its location via offsetof().
> >
> > Link: https://lore.kernel.org/all/202206281009.4332AA33@keescook/ [1]
> > Reported-by: Mark Rutland <mark.rutland@arm.com>
> > Closes: https://paste.debian.net/hidden/ca500597/
>
> mmh... this URL expires: 2024-05-15
Yup, but that's why I included the run-time splat above too. :)
--
Kees Cook
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array
2024-02-17 3:03 ` Kees Cook
@ 2024-02-19 17:48 ` Daniel Borkmann
2024-02-19 19:48 ` Kees Cook
0 siblings, 1 reply; 5+ messages in thread
From: Daniel Borkmann @ 2024-02-19 17:48 UTC (permalink / raw)
To: Kees Cook, Gustavo A. R. Silva
Cc: Alexei Starovoitov, Mark Rutland, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Mykola Lysenko,
Shuah Khan, Haowen Bai, bpf, linux-kselftest, Yonghong Song,
Anton Protopopov, linux-kernel, linux-hardening
On 2/17/24 4:03 AM, Kees Cook wrote:
> On Fri, Feb 16, 2024 at 06:27:08PM -0600, Gustavo A. R. Silva wrote:
>> On 2/16/24 17:55, Kees Cook wrote:
>>> Replace deprecated 0-length array in struct bpf_lpm_trie_key with
>>> flexible array. Found with GCC 13:
>>>
>>> ../kernel/bpf/lpm_trie.c:207:51: warning: array subscript i is outside array bounds of 'const __u8[0]' {aka 'const unsigned char[]'} [-Warray-bounds=]
>>> 207 | *(__be16 *)&key->data[i]);
>>> | ^~~~~~~~~~~~~
>>> ../include/uapi/linux/swab.h:102:54: note: in definition of macro '__swab16'
>>> 102 | #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
>>> | ^
>>> ../include/linux/byteorder/generic.h:97:21: note: in expansion of macro '__be16_to_cpu'
>>> 97 | #define be16_to_cpu __be16_to_cpu
>>> | ^~~~~~~~~~~~~
>>> ../kernel/bpf/lpm_trie.c:206:28: note: in expansion of macro 'be16_to_cpu'
>>> 206 | u16 diff = be16_to_cpu(*(__be16 *)&node->data[i]
>>> ^
>>> | ^~~~~~~~~~~
>>> In file included from ../include/linux/bpf.h:7:
>>> ../include/uapi/linux/bpf.h:82:17: note: while referencing 'data'
>>> 82 | __u8 data[0]; /* Arbitrary size */
>>> | ^~~~
>>>
>>> And found at run-time under CONFIG_FORTIFY_SOURCE:
>>>
>>> UBSAN: array-index-out-of-bounds in kernel/bpf/lpm_trie.c:218:49
>>> index 0 is out of range for type '__u8 [*]'
>>>
>>> This includes fixing the selftest which was incorrectly using a
>>> variable length struct as a header, identified earlier[1]. Avoid this
>>> by just explicitly including the prefixlen member instead of struct
>>> bpf_lpm_trie_key.
>>>
>>> Note that it is not possible to simply remove the "data" member, as it
>>> is referenced by userspace
>>>
>>> cilium:
>>> struct egress_gw_policy_key in_key = {
>>> .lpm_key = { 32 + 24, {} },
>>> .saddr = CLIENT_IP,
>>> .daddr = EXTERNAL_SVC_IP & 0Xffffff,
>>> };
>>>
>>> systemd:
>>> ipv6_map_fd = bpf_map_new(
>>> BPF_MAP_TYPE_LPM_TRIE,
>>> offsetof(struct bpf_lpm_trie_key, data) + sizeof(uint32_t)*4,
>>> sizeof(uint64_t),
>>> ...
>>>
>>> The only risk to UAPI would be if sizeof() were used directly on the
>>> data member, which it does not seem to be. It is only used as a static
>>> initializer destination and to find its location via offsetof().
>>>
>>> Link: https://lore.kernel.org/all/202206281009.4332AA33@keescook/ [1]
>>> Reported-by: Mark Rutland <mark.rutland@arm.com>
>>> Closes: https://paste.debian.net/hidden/ca500597/
>>
>> mmh... this URL expires: 2024-05-15
>
> Yup, but that's why I included the run-time splat above too. :)
I don't quite follow, this basically undoes 3024d95a4c52 ("bpf: Partially revert
flexible-array member replacement") again with the small change that this 'fixes'
up the BPF selftest to not embed struct bpf_lpm_trie_key.
Outside of BPF selftests though aren't we readding the same error that we fixed
earlier for BPF programs in the wild which embed struct bpf_lpm_trie_key into their
key structure?
Thanks,
Daniel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array
2024-02-19 17:48 ` Daniel Borkmann
@ 2024-02-19 19:48 ` Kees Cook
0 siblings, 0 replies; 5+ messages in thread
From: Kees Cook @ 2024-02-19 19:48 UTC (permalink / raw)
To: Daniel Borkmann
Cc: Gustavo A. R. Silva, Alexei Starovoitov, Mark Rutland,
Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Mykola Lysenko, Shuah Khan, Haowen Bai, bpf, linux-kselftest,
Yonghong Song, Anton Protopopov, linux-kernel, linux-hardening
On Mon, Feb 19, 2024 at 06:48:41PM +0100, Daniel Borkmann wrote:
> On 2/17/24 4:03 AM, Kees Cook wrote:
> > On Fri, Feb 16, 2024 at 06:27:08PM -0600, Gustavo A. R. Silva wrote:
> > > On 2/16/24 17:55, Kees Cook wrote:
> > > > Replace deprecated 0-length array in struct bpf_lpm_trie_key with
> > > > flexible array. Found with GCC 13:
> > > >
> > > > ../kernel/bpf/lpm_trie.c:207:51: warning: array subscript i is outside array bounds of 'const __u8[0]' {aka 'const unsigned char[]'} [-Warray-bounds=]
> > > > 207 | *(__be16 *)&key->data[i]);
> > > > | ^~~~~~~~~~~~~
> > > > ../include/uapi/linux/swab.h:102:54: note: in definition of macro '__swab16'
> > > > 102 | #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
> > > > | ^
> > > > ../include/linux/byteorder/generic.h:97:21: note: in expansion of macro '__be16_to_cpu'
> > > > 97 | #define be16_to_cpu __be16_to_cpu
> > > > | ^~~~~~~~~~~~~
> > > > ../kernel/bpf/lpm_trie.c:206:28: note: in expansion of macro 'be16_to_cpu'
> > > > 206 | u16 diff = be16_to_cpu(*(__be16 *)&node->data[i]
> > > > ^
> > > > | ^~~~~~~~~~~
> > > > In file included from ../include/linux/bpf.h:7:
> > > > ../include/uapi/linux/bpf.h:82:17: note: while referencing 'data'
> > > > 82 | __u8 data[0]; /* Arbitrary size */
> > > > | ^~~~
> > > >
> > > > And found at run-time under CONFIG_FORTIFY_SOURCE:
> > > >
> > > > UBSAN: array-index-out-of-bounds in kernel/bpf/lpm_trie.c:218:49
> > > > index 0 is out of range for type '__u8 [*]'
> > > >
> > > > This includes fixing the selftest which was incorrectly using a
> > > > variable length struct as a header, identified earlier[1]. Avoid this
> > > > by just explicitly including the prefixlen member instead of struct
> > > > bpf_lpm_trie_key.
> > > >
> > > > Note that it is not possible to simply remove the "data" member, as it
> > > > is referenced by userspace
> > > >
> > > > cilium:
> > > > struct egress_gw_policy_key in_key = {
> > > > .lpm_key = { 32 + 24, {} },
> > > > .saddr = CLIENT_IP,
> > > > .daddr = EXTERNAL_SVC_IP & 0Xffffff,
> > > > };
> > > >
> > > > systemd:
> > > > ipv6_map_fd = bpf_map_new(
> > > > BPF_MAP_TYPE_LPM_TRIE,
> > > > offsetof(struct bpf_lpm_trie_key, data) + sizeof(uint32_t)*4,
> > > > sizeof(uint64_t),
> > > > ...
> > > >
> > > > The only risk to UAPI would be if sizeof() were used directly on the
> > > > data member, which it does not seem to be. It is only used as a static
> > > > initializer destination and to find its location via offsetof().
> > > >
> > > > Link: https://lore.kernel.org/all/202206281009.4332AA33@keescook/ [1]
> > > > Reported-by: Mark Rutland <mark.rutland@arm.com>
> > > > Closes: https://paste.debian.net/hidden/ca500597/
> > >
> > > mmh... this URL expires: 2024-05-15
> >
> > Yup, but that's why I included the run-time splat above too. :)
>
> I don't quite follow, this basically undoes 3024d95a4c52 ("bpf: Partially revert
> flexible-array member replacement") again with the small change that this 'fixes'
> up the BPF selftest to not embed struct bpf_lpm_trie_key.
>
> Outside of BPF selftests though aren't we readding the same error that we fixed
> earlier for BPF programs in the wild which embed struct bpf_lpm_trie_key into their
> key structure?
Oops, yes, sorry. I see how that cilium does include it in the same
fashion. I will adjust this patch again. Thanks for double-checking!
struct egress_gw_policy_key {
struct bpf_lpm_trie_key lpm_key;
__u32 saddr;
__u32 daddr;
};
--
Kees Cook
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-02-19 19:48 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-16 23:55 [PATCH v2] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array Kees Cook
2024-02-17 0:27 ` Gustavo A. R. Silva
2024-02-17 3:03 ` Kees Cook
2024-02-19 17:48 ` Daniel Borkmann
2024-02-19 19:48 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).