bpf: Only reply field should be writeable

Currently, a sock_ops BPF program can write the op field and all the reply fields (reply and replylong). This is a bug. The op field should not have been writeable and there is currently no way to use replylong field for indices >= 1. This patch enforces that only the reply field (which equals replylong[0]) is writeable. Fixes: 40304b2a ("bpf: BPF support for sock_ops") Signed-off-by: N Lawrence Brakmo <brakmo@fb.com> Acked-by: N Yuchung Cheng <ycheng@google.com> Signed-off-by: N Alexei Starovoitov <ast@kernel.org>

bpf: Only reply field should be writeable
Currently, a sock_ops BPF program can write the op field and all the reply fields (reply and replylong). This is a bug. The op field should not have been writeable and there is currently no way to use replylong field for indices >= 1. This patch enforces that only the reply field (which equals replylong[0]) is writeable. Fixes: 40304b2a ("bpf: BPF support for sock_ops") Signed-off-by: N Lawrence Brakmo <brakmo@fb.com> Acked-by: N Yuchung Cheng <ycheng@google.com> Signed-off-by: N Alexei Starovoitov <ast@kernel.org>
2585cd62 · Lawrence Brakmo · Alexei Starovoitov · e9dcd80b · 2585cd62
隐藏空白更改
内联并排

Showing with 1 addition and 2 deletion

net/core/filter.c net/core/filter.c +1 -2

未找到文件。
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3845,8 +3845,7 @@ static bool sock_ops_is_valid_access(int off, int size,
 {
 	if (type == BPF_WRITE) {
 		switch (off) {
-		case offsetof(struct bpf_sock_ops, op) ...
-		     offsetof(struct bpf_sock_ops, replylong[3]):
+		case offsetof(struct bpf_sock_ops, reply):
 			break;
 		default:
 			return false;