author | Daniel Borkmann <daniel@iogearbox.net> | 2018-10-24 16:05:45 -0400 |
---|---|---|
committer | Alexei Starovoitov <ast@kernel.org> | 2018-10-25 20:02:06 -0400 |
commit | 5d66fa7d9e9e9399ddfdc530f352dd6f7c724485 (patch) | |
tree | da484f108d8b91eb463623140b1e9a497da3a94f /kernel/bpf | |
parent | ab21c1b5f799395232b838e98981cfed6d647905 (diff) |
bpf: fix direct packet access for flow dissector progs
Commit d58e468b1112 ("flow_dissector: implements flow dissector BPF
hook") added direct packet access for skbs in may_access_direct_pkt_data()
function where this enables read and write access to the skb->data. This
is buggy because without a prologue generator such as bpf_unclone_prologue()
we would allow for writing into cloned skbs. Original intention might have
been to only allow read access where this is not needed (similar to what
flow_dissector_func_proto() indicates, which likewise enables only
bpf_skb_load_bytes()), therefore this patch fixes it to restrict to read-only.
Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Cc: Petar Penkov <ppenkov@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'kernel/bpf')
-rw-r--r-- | kernel/bpf/verifier.c | 6 |
1 files changed, 4 insertions, 2 deletions
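diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 98fa0be35370..b0cc8f2ff95f 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1387,21 +1387,23 @@ static bool may_access_direct_pkt_data(struct bpf_verifier_env *env,
 enum bpf_access_type t)
 {
 switch (env->prog->type) {
+/* Program types only with direct read access go here! */
 case BPF_PROG_TYPE_LWT_IN:
 case BPF_PROG_TYPE_LWT_OUT:
 case BPF_PROG_TYPE_LWT_SEG6LOCAL:
 case BPF_PROG_TYPE_SK_REUSEPORT:
-/* dst_input() and dst_output() can't write for now */
+case BPF_PROG_TYPE_FLOW_DISSECTOR:
 if (t == BPF_WRITE)
 return false;
 /* fallthrough */
+
+/* Program types with direct read + write access go here! */
 case BPF_PROG_TYPE_SCHED_CLS:
 case BPF_PROG_TYPE_SCHED_ACT:
 case BPF_PROG_TYPE_XDP:
 case BPF_PROG_TYPE_LWT_XMIT:
 case BPF_PROG_TYPE_SK_SKB:
 case BPF_PROG_TYPE_SK_MSG:
-case BPF_PROG_TYPE_FLOW_DISSECTOR:
 if (meta)
 return meta->pkt_access;
 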
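Review bot: The new `/* Program types only with direct read access go here! */` comment replaces the only line that said why a type is read-only, so the reason BPF_PROG_TYPE_FLOW_DISSECTOR belongs in this group is now recorded only in the commit message. A why-comment above the `if (t == BPF_WRITE)` check would keep that invariant visible to whoever adds the next program type, for example `/* No direct writes without a prologue generator that unclones the skb, e.g. bpf_unclone_prologue() */`. A type listed in the lower group gains write access to skb->data without any further check in this switch, so a verifier selftest asserting that a flow dissector program with a direct packet store is rejected would guard against the case label drifting back. No such test is visible here, though the diffstat is limited to kernel/bpf. The body of may_access_direct_pkt_data() starts before this hunk and continues after it.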