Re: [RFC bpf-next 1/2] bpf: tnums: warn against the usage of tnum_in(tnum_range(), ...)

From: Daniel Borkmann
Date: Fri Sep 02 2022 - 10:48:00 EST

Next message: Andy Shevchenko: "Re: [PATCH v2 i2c-master] i2c: microchip: pci1xxxx: Add driver for I2C host controller in multifunction endpoint of pci1xxxx switch"
Previous message: Gregory CLEMENT: "Re: [PATCH] arm64: dts: marvell: Add UART1-3 for AC5/AC5X"
In reply to: Shung-Hsi Yu: "Re: [RFC bpf-next 1/2] bpf: tnums: warn against the usage of tnum_in(tnum_range(), ...)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 9/2/22 5:52 AM, Shung-Hsi Yu wrote:

On Thu, Sep 01, 2022 at 05:00:58PM +0200, Daniel Borkmann wrote:

On 8/31/22 5:19 AM, Shung-Hsi Yu wrote:

Commit a657182a5c51 ("bpf: Don't use tnum_range on array range checking
for poke descriptors") has shown that using tnum_range() as argument to
tnum_in() can lead to misleading code that looks like tight bound check
when in fact the actual allowed range is much wider.

Document such behavior to warn against its usage in general, and suggest
some scenario where result can be trusted.

Link: https://lore.kernel.org/bpf/984b37f9fdf7ac36831d2137415a4a915744c1b6.1661462653.git.daniel@xxxxxxxxxxxxx/
Link: https://www.openwall.com/lists/oss-security/2022/08/26/1
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@xxxxxxxx>

Any objections from your side if I merge this? Thanks for adding doc. :)

There is a small typo I meant to fix with s/including/include below.

Other than that, none at all, thanks! :)

Fixed up and applied to bpf-next, thanks!

Next message: Andy Shevchenko: "Re: [PATCH v2 i2c-master] i2c: microchip: pci1xxxx: Add driver for I2C host controller in multifunction endpoint of pci1xxxx switch"
Previous message: Gregory CLEMENT: "Re: [PATCH] arm64: dts: marvell: Add UART1-3 for AC5/AC5X"
In reply to: Shung-Hsi Yu: "Re: [RFC bpf-next 1/2] bpf: tnums: warn against the usage of tnum_in(tnum_range(), ...)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]