Re: [PATCH bpf-next] bpf: ringbuf: Support consuming BPF_MAP_TYPE_RINGBUF from prog

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Sep 10, 2024 at 3:16 PM Daniel Xu <dxu@xxxxxxxxx> wrote:
>
>
>
> On Tue, Sep 10, 2024, at 2:07 PM, Daniel Xu wrote:
> > On Tue, Sep 10, 2024 at 01:41:41PM GMT, Andrii Nakryiko wrote:
> >> On Tue, Sep 10, 2024 at 11:36 AM Alexei Starovoitov
> [...]
> >
> >>
> >> Also, Daniel, can you please make sure that dynptr we return for each
> >> sample is read-only? We shouldn't let consumer BPF program ability to
> >> corrupt ringbuf record headers (accidentally or otherwise).
> >
> > Sure.
>
> So the sample is not read-only. But I think prog is prevented from messing
> with header regardless.
>
> __bpf_user_ringbuf_peek() returns sample past the header:
>
>         *sample = (void *)((uintptr_t)rb->data +
>                            (uintptr_t)((cons_pos + BPF_RINGBUF_HDR_SZ) & rb->mask));
>
> dynptr is initialized with the above ptr:
>
>         bpf_dynptr_init(&dynptr, sample, BPF_DYNPTR_TYPE_LOCAL, 0, size);
>
> So I don't think there's a way for the prog to access the header thru the dynptr.
>

By "header" I mean 8 bytes that precede each submitted ringbuf record.
That header is part of ringbuf data area. Given user space can set
consumer_pos to arbitrary value, kernel can return arbitrary part of
ringbuf data area, including that 8 byte header. If that data is
writable, it's easy to screw up that header and crash another BPF
program that reserves/submits a new record. User space can only read
data area for BPF ringbuf, and so we rely heavily on a tight control
of who can write what into those 8 bytes.

> Thanks,
> Daniel





[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux