From patchwork Mon Jul 11 21:29:57 2016
X-Patchwork-Submitter: Brenden Blanco
X-Patchwork-Id: 647103
X-Patchwork-Delegate: davem@davemloft.net
From: Brenden Blanco
To: davem@davemloft.net, netdev@vger.kernel.org
Cc: Brenden Blanco, Jamal Hadi Salim, Saeed Mahameed, Martin KaFai Lau, Jesper Dangaard Brouer, Ari Saha, Alexei Starovoitov, Or Gerlitz, john.fastabend@gmail.com, hannes@stressinduktion.org, Thomas Graf, Tom Herbert, Daniel Borkmann
Subject: [PATCH v7 10/11] bpf: enable direct packet data write for xdp progs
Date: Mon, 11 Jul 2016 14:29:57 -0700
Message-Id: <1468272598-21390-11-git-send-email-bblanco@plumgrid.com>
In-Reply-To: <1468272598-21390-1-git-send-email-bblanco@plumgrid.com>
References: <1468272598-21390-1-git-send-email-bblanco@plumgrid.com>
X-Mailing-List: netdev@vger.kernel.org

For forwarding to be effective, XDP programs should be allowed to rewrite packet data. This requires that the drivers supporting XDP must all map the packet memory as TODEVICE or BIDIRECTIONAL before invoking the program.

Signed-off-by: Brenden Blanco
---
 kernel/bpf/verifier.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a8d67d0..f72f23b 100644
--- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -653,6 +653,16 @@ static int check_map_access(struct verifier_env *env, u32 regno, int off, #define MAX_PACKET_OFF 0xffff +static bool may_write_pkt_data(enum bpf_prog_type type) +{ + switch (type) { + case BPF_PROG_TYPE_XDP: + return true; + default: + return false; + } +} + static int check_packet_access(struct verifier_env *env, u32 regno, int off, int size) { @@ -806,10 +816,15 @@ static int check_mem_access(struct verifier_env *env, u32 regno, int off, err = check_stack_read(state, off, size, value_regno); } } else if (state->regs[regno].type == PTR_TO_PACKET) { - if (t == BPF_WRITE) { + if (t == BPF_WRITE && !may_write_pkt_data(env->prog->type)) { verbose("cannot write into packet\n"); return -EACCES; } + if (t == BPF_WRITE && value_regno >= 0 && + is_pointer_value(env, value_regno)) { + verbose("R%d leaks addr into packet\n", value_regno); + return -EACCES; + } err = check_packet_access(env, regno, off, size); if (!err && t == BPF_READ && value_regno >= 0) mark_reg_unknown_value(state->regs, value_regno);
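Review bot: the first hunk (the new may_write_pkt_data() helper) carries no comment explaining why BPF_PROG_TYPE_XDP is the only type returning true, and the precondition lives only in the commit message: the verifier cannot see whether a driver mapped the frame TODEVICE or BIDIRECTIONAL, so allowing writes is safe only because every XDP-capable driver is required to do so before running the program. Suggest a short comment above the switch stating that contract, so anyone adding a further `case BPF_PROG_TYPE_...: return true;` knows the corresponding driver-side DMA guarantee must hold for that type as well.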
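Review bot: in the second hunk the new pointer-leak check is correctly placed before check_packet_access() and the `value_regno >= 0` guard correctly skips immediate stores, which cannot carry a pointer; what is missing is test coverage. Suggest adding test_verifier cases for both directions: an XDP program that stores a scalar into packet data (must be accepted) and one that stores a pointer register into packet data (must be rejected with "R%d leaks addr into packet"), plus a non-XDP program performing a packet write to confirm "cannot write into packet" still fires. Since the existing "cannot write into packet" message is now type-dependent, naming the program type in that verbose() string would also make rejections easier to diagnose.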