On 10/5/15 3:14 PM, Daniel Borkmann wrote:
One scenario that comes to mind ... what happens when there are kernel pointers stored in skb->cb[] (either from the current layer or an old one from a different layer that the skb went through previously, but which did not get overwritten)? Socket filters could read a portion of skb->cb[] also when unprived and leak that out through maps. I think the verifier doesn't catch that, right?
grrr. indeed. previous layer before sk_filter() can leave junk in there. Would need to disable cb[0-5] for unpriv, but that will make tail_call much harder to use, since cb[0-5] is a way to pass arguments from one prog to another and clearing them is not an option, since it's too expensive. Like samples/bpf/sockex3_kern.c usage of cb[0] won't work anymore. I guess that's the price of unpriv. Will fix this, add a few tail_call-specific tests and respin. Please keep poking.
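As an added example (not code from the thread, and not the kernel's own verifier), here is a userspace C model of the context-access check for socket filters with the rule discussed above applied: unprivileged programs get no access to cb[0-5], since the area may still hold a kernel pointer left by an earlier layer. The struct layout, `ctx_access_allowed()` and the field set are constructed stand-ins for the real `__sk_buff` and `sk_filter_is_valid_access()`, not their actual definitions.

```c
/* Constructed model of the verifier's ctx access check; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct model_sk_buff {          /* constructed stand-in for __sk_buff */
    uint32_t len;
    uint32_t pkt_type;
    uint32_t mark;
    uint32_t protocol;
    uint32_t cb[5];             /* scratch area shared by protocol layers */
    uint32_t hash;
};

enum access_type { ACCESS_READ, ACCESS_WRITE };

#define CB_START ((int)offsetof(struct model_sk_buff, cb[0]))
#define CB_END   ((int)(offsetof(struct model_sk_buff, cb[4]) + sizeof(uint32_t)))

/* Decide whether a `size`-byte load/store at `off` into the program context
 * is acceptable for a socket filter loaded with or without privilege. */
bool ctx_access_allowed(int off, int size, enum access_type type, bool privileged)
{
    /* generic rules: whole 4-byte words, aligned, inside the struct */
    if (size != 4 || off < 0 || off % 4 != 0 ||
        off + size > (int)sizeof(struct model_sk_buff))
        return false;

    bool in_cb = off >= CB_START && off < CB_END;

    /* socket filters may only write to cb[] (used to pass tail_call args) */
    if (type == ACCESS_WRITE && !in_cb)
        return false;

    /* cb[] may contain stale kernel pointers from a previous layer; an
     * unprivileged program could copy them into a map, so deny it outright */
    if (in_cb && !privileged)
        return false;

    return true;
}

int main(void)
{
    int cb2 = (int)offsetof(struct model_sk_buff, cb[2]);
    printf("unpriv read cb[2]: %s\n", ctx_access_allowed(cb2, 4, ACCESS_READ, false) ? "ok" : "rejected");
    printf("priv   read cb[2]: %s\n", ctx_access_allowed(cb2, 4, ACCESS_READ, true) ? "ok" : "rejected");
    printf("unpriv read len:   %s\n", ctx_access_allowed(0, 4, ACCESS_READ, false) ? "ok" : "rejected");
    return 0;
}
```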