Use whitelist instead of a blacklist and allow only a small set of fields that might be relevant in the context of flow dissector: * len * protocol * vlan_present * vlan_tci * vlan_proto * cb This is required for the eth_get_headlen case where we construct temporary skb which might not have full/consistent state to let flow dissector programs access all the fields (which are irrelevant in for flow dissector program type).
Signed-off-by: Stanislav Fomichev <sdf@xxxxxxxxxx>
---
 net/core/filter.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 647c63a7b25b..5f413567ce8a 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -6632,11 +6632,14 @@ static bool flow_dissector_is_valid_access(int off, int size,
 case bpf_ctx_range_ptr(struct __sk_buff, flow_keys):
 info->reg_type = PTR_TO_FLOW_KEYS;
 break;
- case bpf_ctx_range(struct __sk_buff, tc_classid):
- case bpf_ctx_range(struct __sk_buff, data_meta):
- case bpf_ctx_range_till(struct __sk_buff, family, local_port):
- case bpf_ctx_range(struct __sk_buff, tstamp):
- case bpf_ctx_range(struct __sk_buff, wire_len):
+ case bpf_ctx_range(struct __sk_buff, len):
+ case bpf_ctx_range(struct __sk_buff, protocol):
+ case bpf_ctx_range(struct __sk_buff, vlan_present):
+ case bpf_ctx_range(struct __sk_buff, vlan_tci):
+ case bpf_ctx_range(struct __sk_buff, vlan_proto):
+ case bpf_ctx_range_till(struct __sk_buff, cb[0], cb[4]):
+ break;
+ default:
 return false;
 }
--
2.21.0.225.g810b269d1ac-goog
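Review bot: The new allowlist in the `switch` has no comment explaining why only these fields are readable, so a later patch that adds a `case` for another `__sk_buff` field has nothing in the code to warn it off; I would put `/* Allowlist: the flow dissector may run on a temporary skb (eth_get_headlen) whose other fields are not guaranteed to be set up. */` directly above `case bpf_ctx_range(struct __sk_buff, len):`. The added `default: return false;` arm also means that a program reading any field the old blacklist let through will now be rejected at load time, which deserves a sentence in the commit message. Because the message itself says the temporary skb may lack consistent state, it is worth confirming that `cb[0]`..`cb[4]` and the vlan fields are initialised on that path before they are exposed, since the skb construction is not visible here. The body of `flow_dissector_is_valid_access` starts before and ends after this hunk, so any write-access handling and the earlier `case` arms could not be checked.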