From patchwork Tue Jul 12 07:51:33 2016
X-Patchwork-Submitter: Brenden Blanco
X-Patchwork-Id: 647219
X-Patchwork-Delegate: davem@davemloft.net
From: Brenden Blanco
To: davem@davemloft.net, netdev@vger.kernel.org
Cc: Brenden Blanco, Jamal Hadi Salim, Saeed Mahameed, Martin KaFai Lau, Jesper Dangaard Brouer, Ari Saha, Alexei Starovoitov, Or Gerlitz, john.fastabend@gmail.com, hannes@stressinduktion.org, Thomas Graf, Tom Herbert, Daniel Borkmann
Subject: [PATCH v8 10/11] bpf: enable direct packet data write for xdp progs
Date: Tue, 12 Jul 2016 00:51:33 -0700
Message-Id: <1468309894-26258-11-git-send-email-bblanco@plumgrid.com>
In-Reply-To: <1468309894-26258-1-git-send-email-bblanco@plumgrid.com>
References: <1468309894-26258-1-git-send-email-bblanco@plumgrid.com>
X-Mailing-List: netdev@vger.kernel.org

For forwarding to be effective, XDP programs should be allowed to rewrite packet data. This requires that the drivers supporting XDP must all map the packet memory as TODEVICE or BIDIRECTIONAL before invoking the program.

Signed-off-by: Brenden Blanco
---
 kernel/bpf/verifier.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a8d67d0..f72f23b 100644
--- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -653,6 +653,16 @@ static int check_map_access(struct verifier_env *env, u32 regno, int off, #define MAX_PACKET_OFF 0xffff +static bool may_write_pkt_data(enum bpf_prog_type type) +{ + switch (type) { + case BPF_PROG_TYPE_XDP: + return true; + default: + return false; + } +} + static int check_packet_access(struct verifier_env *env, u32 regno, int off, int size) { @@ -806,10 +816,15 @@ static int check_mem_access(struct verifier_env *env, u32 regno, int off, err = check_stack_read(state, off, size, value_regno); } } else if (state->regs[regno].type == PTR_TO_PACKET) { - if (t == BPF_WRITE) { + if (t == BPF_WRITE && !may_write_pkt_data(env->prog->type)) { verbose("cannot write into packet\n"); return -EACCES; } + if (t == BPF_WRITE && value_regno >= 0 && + is_pointer_value(env, value_regno)) { + verbose("R%d leaks addr into packet\n", value_regno); + return -EACCES; + } err = check_packet_access(env, regno, off, size); if (!err && t == BPF_READ && value_regno >= 0) mark_reg_unknown_value(state->regs, value_regno);
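Review bot: may_write_pkt_data() in the first hunk encodes a contract that only the commit message records: a program type may return true here only if every driver that runs that type maps the packet memory TODEVICE or BIDIRECTIONAL before invoking the program, because the verifier has no way to check the mapping itself. Put that precondition in a comment above the switch so the next type added to it is held to the same rule; as written, `case BPF_PROG_TYPE_XDP: return true;` reads as a bare whitelist with no stated reason.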
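Review bot: in the second hunk the new pointer-leak check runs before check_packet_access(), so a write of a pointer value at an out-of-range offset is reported as `R%d leaks addr into packet` rather than as a bounds failure, and `t == BPF_WRITE` is evaluated in two separate `if` statements. Folding both into one `if (t == BPF_WRITE) { ... }` block that first tests `!may_write_pkt_data(env->prog->type)` and then `value_regno >= 0 && is_pointer_value(env, value_regno)` keeps the behaviour and makes it explicit that the leak check only matters for program types allowed to write at all. The check itself is the right addition: without it a kernel address could be stored into packet data and leave the host with the forwarded frame.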