git.baikalelectronics.ru Git - kernel.git/commit

author	Daniel Borkmann <daniel@iogearbox.net>
	Mon, 17 Apr 2017 01:12:06 +0000 (03:12 +0200)
committer	David S. Miller <davem@davemloft.net>
	Mon, 17 Apr 2017 19:51:57 +0000 (15:51 -0400)
commit	0357ccc84154a5f183aa098f9acd8a9e9e42cc4a
tree	78a6c4735547ce428622592b0d2802c75ecd405e	tree \| snapshot
parent	b0cb83e3b8568fa982ff42d2130ea664abd00a63	commit \| diff

bpf: fix cb access in socket filter programs on tail calls

Commit fcf4800a5769 ("bpf: fix cb access in socket filter programs")
added a fix for socket filter programs such that in i) AF_PACKET the
20 bytes of skb->cb[] area gets zeroed before use in order to not leak
data, and ii) socket filter programs attached to TCP/UDP sockets need
to save/restore these 20 bytes since they are also used by protocol
layers at that time.

The problem is that bpf_prog_run_save_cb() and bpf_prog_run_clear_cb()
only look at the actual attached program to determine whether to zero
or save/restore the skb->cb[] parts. There can be cases where the
actual attached program does not access the skb->cb[], but the program
tail calls into another program which does access this area. In such
a case, the zero or save/restore is currently not performed.

Since the programs we tail call into are unknown at verification time
and can dynamically change, we need to assume that whenever the attached
program performs a tail call, that later programs could access the
skb->cb[], and therefore we need to always set cb_access to 1.

Fixes: fcf4800a5769 ("bpf: fix cb access in socket filter programs")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>