• bpf: cgroup skb progs cannot access ld_abs/ind · 92046578
    Daniel Borkmann authored
    Commit fb9a307d ("bpf: Allow CGROUP_SKB eBPF program to
    access sk_buff") enabled programs of BPF_PROG_TYPE_CGROUP_SKB
    type to use ld_abs/ind instructions. However, at this point,
    we cannot use them, since offsets relative to SKF_LL_OFF will
    end up pointing skb_mac_header(skb) out of bounds since in the
    egress path it is not yet set at that point in time, but only
    after __dev_queue_xmit() did a general reset on the mac header.
    bpf_internal_load_pointer_neg_helper() will then end up reading
    data from a wrong offset.
    
    BPF_PROG_TYPE_CGROUP_SKB programs can use bpf_skb_load_bytes()
    already to access packet data, which is also more flexible than
    the insns carried over from cBPF.
    
    Fixes: fb9a307d ("bpf: Allow CGROUP_SKB eBPF program to access sk_buff")
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Alexei Starovoitov <ast@kernel.org>
    Cc: Chenbo Feng <fengc@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
verifier.c 105 KB