linux-stable/kernel/bpf
Daniel Borkmann 6b1bb01bcc bpf: fix cb access in socket filter programs on tail calls
Commit ff936a04e5 ("bpf: fix cb access in socket filter programs")
added a fix for socket filter programs such that in i) AF_PACKET the
20 bytes of skb->cb[] area gets zeroed before use in order to not leak
data, and ii) socket filter programs attached to TCP/UDP sockets need
to save/restore these 20 bytes since they are also used by protocol
layers at that time.

The problem is that bpf_prog_run_save_cb() and bpf_prog_run_clear_cb()
only look at the actual attached program to determine whether to zero
or save/restore the skb->cb[] parts. There can be cases where the
actual attached program does not access the skb->cb[], but the program
tail calls into another program which does access this area. In such
a case, the zero or save/restore is currently not performed.

Since the programs we tail call into are unknown at verification time
and can dynamically change, we need to assume that whenever the attached
program performs a tail call, later programs could access the
skb->cb[], and therefore we need to always set cb_access to 1.

Fixes: ff936a04e5 ("bpf: fix cb access in socket filter programs")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-17 15:51:57 -04:00
arraymap.c bpf: mark all registered map/prog types as __ro_after_init 2017-02-17 13:40:04 -05:00
bpf_lru_list.c bpf: Make unnecessarily global functions static 2017-01-10 21:00:59 -05:00
bpf_lru_list.h bpf: Add percpu LRU list 2016-11-15 11:50:20 -05:00
cgroup.c bpf: introduce BPF_F_ALLOW_OVERRIDE flag 2017-02-12 21:52:19 -05:00
core.c bpf: reference may_access_skb() from __bpf_prog_run() 2017-04-11 10:54:27 -04:00
hashtab.c bpf: fix hashmap extra_elems logic 2017-03-22 14:12:18 -07:00
helpers.c bpf: rename ARG_PTR_TO_STACK 2017-01-09 16:56:27 -05:00
inode.c bpf: add initial bpf tracepoints 2017-01-25 13:17:47 -05:00
lpm_trie.c bpf: add get_next_key callback to LPM map 2017-03-05 17:55:29 -08:00
Makefile bpf: add a longest prefix match trie map implementation 2017-01-23 16:10:38 -05:00
percpu_freelist.c bpf: introduce percpu_freelist 2016-03-08 15:28:31 -05:00
percpu_freelist.h bpf: introduce percpu_freelist 2016-03-08 15:28:31 -05:00
stackmap.c bpf: mark all registered map/prog types as __ro_after_init 2017-02-17 13:40:04 -05:00
syscall.c bpf: fix cb access in socket filter programs on tail calls 2017-04-17 15:51:57 -04:00
verifier.c bpf, verifier: fix rejection of unaligned access checks for map_value_adj 2017-04-01 12:36:37 -07:00