diff mbox series

[bpf-next,v3,1/3] net: Enlarge offset check value from 0xffff to INT_MAX in bpf_skb_load_bytes

Message ID 20220414135902.100914-2-liujian56@huawei.com (mailing list archive)
State Superseded
Delegated to: BPF
Headers show
Series Enlarge offset check value in bpf_skb_load_bytes | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for bpf-next, async
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Series has a cover letter
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 25 this patch: 25
netdev/cc_maintainers success CCed 13 of 13 maintainers
netdev/build_clang success Errors and warnings before: 9 this patch: 9
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 25 this patch: 25
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 16 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-1 success Logs for Kernel LATEST on ubuntu-latest + selftests
bpf/vmtest-bpf-next-PR success PR summary
bpf/vmtest-bpf-next-VM_Test-2 success Logs for Kernel LATEST on z15 + selftests

Commit Message

liujian (CE) April 14, 2022, 1:59 p.m. UTC
The data length of skb frags + frag_list may be greater than 0xffff,
and skb_header_pointer can not handle negative offset and negative len.
So here INT_MAX is used to check the validity of offset and len.
Add the same change to the related function skb_store_bytes.

Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper")
Signed-off-by: Liu Jian <liujian56@huawei.com>
Acked-by: Song Liu <songliubraving@fb.com>
---
v2->v3: change nothing
 net/core/filter.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Daniel Borkmann April 15, 2022, 7:31 p.m. UTC | #1
On 4/14/22 3:59 PM, Liu Jian wrote:
> The data length of skb frags + frag_list may be greater than 0xffff,
> and skb_header_pointer can not handle negative offset and negative len.
> So here INT_MAX is used to check the validity of offset and len.
> Add the same change to the related function skb_store_bytes.
> 
> Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper")
> Signed-off-by: Liu Jian <liujian56@huawei.com>
> Acked-by: Song Liu <songliubraving@fb.com>
> ---
> v2->v3: change nothing
>   net/core/filter.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 64470a727ef7..1571b6bc51ea 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -1687,7 +1687,7 @@ BPF_CALL_5(bpf_skb_store_bytes, struct sk_buff *, skb, u32, offset,
>   
>   	if (unlikely(flags & ~(BPF_F_RECOMPUTE_CSUM | BPF_F_INVALIDATE_HASH)))
>   		return -EINVAL;
> -	if (unlikely(offset > 0xffff))
> +	if (unlikely(offset > INT_MAX || len > INT_MAX))

One more follow-up question, len param is checked by the verifier for the provided buffer.
Why is it needed here? Were you able to create e.g. map values of size larger than INT_MAX?
Please provide details. (Other than that, rest looks good.)

>   		return -EFAULT;
>   	if (unlikely(bpf_try_make_writable(skb, offset + len)))
>   		return -EFAULT;
> @@ -1722,7 +1722,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset,
>   {
>   	void *ptr;
>   
> -	if (unlikely(offset > 0xffff))
> +	if (unlikely(offset > INT_MAX || len > INT_MAX))
>   		goto err_clear;
>   
>   	ptr = skb_header_pointer(skb, offset, len, to);
>
liujian (CE) April 16, 2022, 10:45 a.m. UTC | #2
> -----Original Message-----
> From: Daniel Borkmann [mailto:daniel@iogearbox.net]
> Sent: Saturday, April 16, 2022 3:32 AM
> To: liujian (CE) <liujian56@huawei.com>; ast@kernel.org; andrii@kernel.org;
> kafai@fb.com; songliubraving@fb.com; yhs@fb.com;
> john.fastabend@gmail.com; kpsingh@kernel.org; davem@davemloft.net;
> kuba@kernel.org; sdf@google.com; netdev@vger.kernel.org;
> bpf@vger.kernel.org; pabeni@redhat.com
> Subject: Re: [PATCH bpf-next v3 1/3] net: Enlarge offset check value from
> 0xffff to INT_MAX in bpf_skb_load_bytes
> 
> On 4/14/22 3:59 PM, Liu Jian wrote:
> > The data length of skb frags + frag_list may be greater than 0xffff,
> > and skb_header_pointer can not handle negative offset and negative len.
> > So here INT_MAX is used to check the validity of offset and len.
> > Add the same change to the related function skb_store_bytes.
> >
> > Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper")
> > Signed-off-by: Liu Jian <liujian56@huawei.com>
> > Acked-by: Song Liu <songliubraving@fb.com>
> > ---
> > v2->v3: change nothing
> >   net/core/filter.c | 4 ++--
> >   1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/net/core/filter.c b/net/core/filter.c index
> > 64470a727ef7..1571b6bc51ea 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -1687,7 +1687,7 @@ BPF_CALL_5(bpf_skb_store_bytes, struct sk_buff
> > *, skb, u32, offset,
> >
> >   	if (unlikely(flags & ~(BPF_F_RECOMPUTE_CSUM |
> BPF_F_INVALIDATE_HASH)))
> >   		return -EINVAL;
> > -	if (unlikely(offset > 0xffff))
> > +	if (unlikely(offset > INT_MAX || len > INT_MAX))
> 
> One more follow-up question, len param is checked by the verifier for the
> provided buffer.
> Why is it needed here? Were you able to create e.g. map values of size larger
> than INT_MAX?
> Please provide details. (Other than that, rest looks good.)
> 
I only need change "offset > 0xffff".  Delete " || len > INT_MAX " in v4.
Thank you~

> >   		return -EFAULT;
> >   	if (unlikely(bpf_try_make_writable(skb, offset + len)))
> >   		return -EFAULT;
> > @@ -1722,7 +1722,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const struct
> sk_buff *, skb, u32, offset,
> >   {
> >   	void *ptr;
> >
> > -	if (unlikely(offset > 0xffff))
> > +	if (unlikely(offset > INT_MAX || len > INT_MAX))
> >   		goto err_clear;
> >
> >   	ptr = skb_header_pointer(skb, offset, len, to);
> >
diff mbox series

Patch

diff --git a/net/core/filter.c b/net/core/filter.c
index 64470a727ef7..1571b6bc51ea 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1687,7 +1687,7 @@  BPF_CALL_5(bpf_skb_store_bytes, struct sk_buff *, skb, u32, offset,
 
 	if (unlikely(flags & ~(BPF_F_RECOMPUTE_CSUM | BPF_F_INVALIDATE_HASH)))
 		return -EINVAL;
-	if (unlikely(offset > 0xffff))
+	if (unlikely(offset > INT_MAX || len > INT_MAX))
 		return -EFAULT;
 	if (unlikely(bpf_try_make_writable(skb, offset + len)))
 		return -EFAULT;
@@ -1722,7 +1722,7 @@  BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset,
 {
 	void *ptr;
 
-	if (unlikely(offset > 0xffff))
+	if (unlikely(offset > INT_MAX || len > INT_MAX))
 		goto err_clear;
 
 	ptr = skb_header_pointer(skb, offset, len, to);