netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH bpf 0/2] bpf: gso_segs fixes
@ 2019-07-23 10:15 Eric Dumazet
  2019-07-23 10:15 ` [PATCH bpf 1/2] bpf: fix access to skb_shared_info->gso_segs Eric Dumazet
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Eric Dumazet @ 2019-07-23 10:15 UTC (permalink / raw)
  To: Alexei Starovoitov, Daniel Borkmann
  Cc: David S . Miller, netdev, Eric Dumazet, Eric Dumazet,
	Stanislav Fomichev, bpf

First patch changes the kernel, second patch
adds a new test.

Note that other patches might be needed to take
care of similar issues in sock_ops_convert_ctx_access()
and SOCK_OPS_GET_FIELD()

Eric Dumazet (2):
  bpf: fix access to skb_shared_info->gso_segs
  selftests/bpf: add another gso_segs access

 net/core/filter.c                              |  6 +++---
 tools/testing/selftests/bpf/verifier/ctx_skb.c | 11 +++++++++++
 2 files changed, 14 insertions(+), 3 deletions(-)

-- 
2.22.0.657.g960e92d24f-goog


^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH bpf 1/2] bpf: fix access to skb_shared_info->gso_segs
  2019-07-23 10:15 [PATCH bpf 0/2] bpf: gso_segs fixes Eric Dumazet
@ 2019-07-23 10:15 ` Eric Dumazet
  2019-07-23 10:15 ` [PATCH bpf 2/2] selftests/bpf: add another gso_segs access Eric Dumazet
  2019-07-23 21:15 ` [PATCH bpf 0/2] bpf: gso_segs fixes Alexei Starovoitov
  2 siblings, 0 replies; 4+ messages in thread
From: Eric Dumazet @ 2019-07-23 10:15 UTC (permalink / raw)
  To: Alexei Starovoitov, Daniel Borkmann
  Cc: David S . Miller, netdev, Eric Dumazet, Eric Dumazet,
	Stanislav Fomichev, bpf, syzbot

It is possible we reach bpf_convert_ctx_access() with
si->dst_reg == si->src_reg

Therefore, we need to load BPF_REG_AX before eventually
mangling si->src_reg.

syzbot generated this x86 code :
   3:   55                      push   %rbp
   4:   48 89 e5                mov    %rsp,%rbp
   7:   48 81 ec 00 00 00 00    sub    $0x0,%rsp // Might be avoided ?
   e:   53                      push   %rbx
   f:   41 55                   push   %r13
  11:   41 56                   push   %r14
  13:   41 57                   push   %r15
  15:   6a 00                   pushq  $0x0
  17:   31 c0                   xor    %eax,%eax
  19:   48 8b bf c0 00 00 00    mov    0xc0(%rdi),%rdi
  20:   44 8b 97 bc 00 00 00    mov    0xbc(%rdi),%r10d
  27:   4c 01 d7                add    %r10,%rdi
  2a:   48 0f b7 7f 06          movzwq 0x6(%rdi),%rdi // Crash
  2f:   5b                      pop    %rbx
  30:   41 5f                   pop    %r15
  32:   41 5e                   pop    %r14
  34:   41 5d                   pop    %r13
  36:   5b                      pop    %rbx
  37:   c9                      leaveq
  38:   c3                      retq

Fixes: d9ff286a0f59 ("bpf: allow BPF programs access skb_shared_info->gso_segs field")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
---
 net/core/filter.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 4e2a79b2fd77f36ba2a31e9e43af1abc1207766e..7878f918b8c057b7b90ca0afcf2d5773cfb55e15 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -7455,12 +7455,12 @@ static u32 bpf_convert_ctx_access(enum bpf_access_type type,
 	case offsetof(struct __sk_buff, gso_segs):
 		/* si->dst_reg = skb_shinfo(SKB); */
 #ifdef NET_SKBUFF_DATA_USES_OFFSET
-		*insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, head),
-				      si->dst_reg, si->src_reg,
-				      offsetof(struct sk_buff, head));
 		*insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, end),
 				      BPF_REG_AX, si->src_reg,
 				      offsetof(struct sk_buff, end));
+		*insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, head),
+				      si->dst_reg, si->src_reg,
+				      offsetof(struct sk_buff, head));
 		*insn++ = BPF_ALU64_REG(BPF_ADD, si->dst_reg, BPF_REG_AX);
 #else
 		*insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, end),
-- 
2.22.0.657.g960e92d24f-goog


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH bpf 2/2] selftests/bpf: add another gso_segs access
  2019-07-23 10:15 [PATCH bpf 0/2] bpf: gso_segs fixes Eric Dumazet
  2019-07-23 10:15 ` [PATCH bpf 1/2] bpf: fix access to skb_shared_info->gso_segs Eric Dumazet
@ 2019-07-23 10:15 ` Eric Dumazet
  2019-07-23 21:15 ` [PATCH bpf 0/2] bpf: gso_segs fixes Alexei Starovoitov
  2 siblings, 0 replies; 4+ messages in thread
From: Eric Dumazet @ 2019-07-23 10:15 UTC (permalink / raw)
  To: Alexei Starovoitov, Daniel Borkmann
  Cc: David S . Miller, netdev, Eric Dumazet, Eric Dumazet,
	Stanislav Fomichev, bpf

Use BPF_REG_1 for source and destination of gso_segs read,
to exercise "bpf: fix access to skb_shared_info->gso_segs" fix.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Suggested-by: Stanislav Fomichev <sdf@google.com>
---
 tools/testing/selftests/bpf/verifier/ctx_skb.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tools/testing/selftests/bpf/verifier/ctx_skb.c b/tools/testing/selftests/bpf/verifier/ctx_skb.c
index b0fda2877119c4af08277bd0f329f238c193313c..d438193804b212ffa80c94be47e8c1aca392181e 100644
--- a/tools/testing/selftests/bpf/verifier/ctx_skb.c
+++ b/tools/testing/selftests/bpf/verifier/ctx_skb.c
@@ -974,6 +974,17 @@
 	.result = ACCEPT,
 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
 },
+{
+	"read gso_segs from CGROUP_SKB",
+	.insns = {
+	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
+		    offsetof(struct __sk_buff, gso_segs)),
+	BPF_MOV64_IMM(BPF_REG_0, 0),
+	BPF_EXIT_INSN(),
+	},
+	.result = ACCEPT,
+	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
+},
 {
 	"write gso_segs from CGROUP_SKB",
 	.insns = {
-- 
2.22.0.657.g960e92d24f-goog


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH bpf 0/2] bpf: gso_segs fixes
  2019-07-23 10:15 [PATCH bpf 0/2] bpf: gso_segs fixes Eric Dumazet
  2019-07-23 10:15 ` [PATCH bpf 1/2] bpf: fix access to skb_shared_info->gso_segs Eric Dumazet
  2019-07-23 10:15 ` [PATCH bpf 2/2] selftests/bpf: add another gso_segs access Eric Dumazet
@ 2019-07-23 21:15 ` Alexei Starovoitov
  2 siblings, 0 replies; 4+ messages in thread
From: Alexei Starovoitov @ 2019-07-23 21:15 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Alexei Starovoitov, Daniel Borkmann, David S . Miller, netdev,
	Eric Dumazet, Stanislav Fomichev, bpf

On Tue, Jul 23, 2019 at 3:15 AM Eric Dumazet <edumazet@google.com> wrote:
>
> First patch changes the kernel, second patch
> adds a new test.
>
> Note that other patches might be needed to take
> care of similar issues in sock_ops_convert_ctx_access()
> and SOCK_OPS_GET_FIELD()

Nice catch!
Applied to bpf tree. Thanks

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-07-23 21:15 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-23 10:15 [PATCH bpf 0/2] bpf: gso_segs fixes Eric Dumazet
2019-07-23 10:15 ` [PATCH bpf 1/2] bpf: fix access to skb_shared_info->gso_segs Eric Dumazet
2019-07-23 10:15 ` [PATCH bpf 2/2] selftests/bpf: add another gso_segs access Eric Dumazet
2019-07-23 21:15 ` [PATCH bpf 0/2] bpf: gso_segs fixes Alexei Starovoitov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).