bpf: Reject narrower access to pointer ctx fields (e0929922) · Commits · git / linux-nf

kernel/bpf/cgroup.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -2440,22 +2440,22 @@ static bool cg_sockopt_is_valid_access(int off, int size,
		}

		switch (off) {
		case offsetof(struct bpf_sockopt, sk):
		case bpf_ctx_range_ptr(struct bpf_sockopt, sk):
		if (size != sizeof(__u64))
		return false;
		info->reg_type = PTR_TO_SOCKET;
		break;
		case offsetof(struct bpf_sockopt, optval):
		case bpf_ctx_range_ptr(struct bpf_sockopt, optval):
		if (size != sizeof(__u64))
		return false;
		info->reg_type = PTR_TO_PACKET;
		break;
		case offsetof(struct bpf_sockopt, optval_end):
		case bpf_ctx_range_ptr(struct bpf_sockopt, optval_end):
		if (size != sizeof(__u64))
		return false;
		info->reg_type = PTR_TO_PACKET_END;
		break;
		case offsetof(struct bpf_sockopt, retval):
		case bpf_ctx_range(struct bpf_sockopt, retval):
		if (size != size_default)
		return false;
		return prog->expected_attach_type == BPF_CGROUP_GETSOCKOPT;

net/core/filter.c

+10 −10

Original line number	Diff line number	Diff line
		@@ -8699,7 +8699,7 @@ static bool bpf_skb_is_valid_access(int off, int size, enum bpf_access_type type
		if (size != sizeof(__u64))
		return false;
		break;
		case offsetof(struct __sk_buff, sk):
		case bpf_ctx_range_ptr(struct __sk_buff, sk):
		if (type == BPF_WRITE \|\| size != sizeof(__u64))
		return false;
		info->reg_type = PTR_TO_SOCK_COMMON_OR_NULL;
		@@ -9277,7 +9277,7 @@ static bool sock_addr_is_valid_access(int off, int size,
		return false;
		}
		break;
		case offsetof(struct bpf_sock_addr, sk):
		case bpf_ctx_range_ptr(struct bpf_sock_addr, sk):
		if (type != BPF_READ)
		return false;
		if (size != sizeof(__u64))
		@@ -9327,17 +9327,17 @@ static bool sock_ops_is_valid_access(int off, int size,
		if (size != sizeof(__u64))
		return false;
		break;
		case offsetof(struct bpf_sock_ops, sk):
		case bpf_ctx_range_ptr(struct bpf_sock_ops, sk):
		if (size != sizeof(__u64))
		return false;
		info->reg_type = PTR_TO_SOCKET_OR_NULL;
		break;
		case offsetof(struct bpf_sock_ops, skb_data):
		case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data):
		if (size != sizeof(__u64))
		return false;
		info->reg_type = PTR_TO_PACKET;
		break;
		case offsetof(struct bpf_sock_ops, skb_data_end):
		case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data_end):
		if (size != sizeof(__u64))
		return false;
		info->reg_type = PTR_TO_PACKET_END;
		@@ -9346,7 +9346,7 @@ static bool sock_ops_is_valid_access(int off, int size,
		bpf_ctx_record_field_size(info, size_default);
		return bpf_ctx_narrow_access_ok(off, size,
		size_default);
		case offsetof(struct bpf_sock_ops, skb_hwtstamp):
		case bpf_ctx_range(struct bpf_sock_ops, skb_hwtstamp):
		if (size != sizeof(__u64))
		return false;
		break;
		@@ -9416,17 +9416,17 @@ static bool sk_msg_is_valid_access(int off, int size,
		return false;

		switch (off) {
		case offsetof(struct sk_msg_md, data):
		case bpf_ctx_range_ptr(struct sk_msg_md, data):
		info->reg_type = PTR_TO_PACKET;
		if (size != sizeof(__u64))
		return false;
		break;
		case offsetof(struct sk_msg_md, data_end):
		case bpf_ctx_range_ptr(struct sk_msg_md, data_end):
		info->reg_type = PTR_TO_PACKET_END;
		if (size != sizeof(__u64))
		return false;
		break;
		case offsetof(struct sk_msg_md, sk):
		case bpf_ctx_range_ptr(struct sk_msg_md, sk):
		if (size != sizeof(__u64))
		return false;
		info->reg_type = PTR_TO_SOCKET;
		@@ -11632,7 +11632,7 @@ static bool sk_lookup_is_valid_access(int off, int size,
		return false;

		switch (off) {
		case offsetof(struct bpf_sk_lookup, sk):
		case bpf_ctx_range_ptr(struct bpf_sk_lookup, sk):
		info->reg_type = PTR_TO_SOCKET_OR_NULL;
		return size == sizeof(__u64);