bpf: Don't return EINVAL from {get,set}sockopt when optlen > PAGE_SIZE (d8fe449a) · Commits · Mirrors / git.yoctoproject.org / linux-yocto

Commit d8fe449a authored Jun 16, 2020 by

Stanislav Fomichev Committed by Alexei Starovoitov Jun 17, 2020

bpf: Don't return EINVAL from {get,set}sockopt when optlen > PAGE_SIZE

Attaching to these hooks can break iptables because its optval is
usually quite big, or at least bigger than the current PAGE_SIZE limit.
David also mentioned some SCTP options can be big (around 256k).

For such optvals we expose only the first PAGE_SIZE bytes to
the BPF program. BPF program has two options:
1. Set ctx->optlen to 0 to indicate that the BPF's optval
   should be ignored and the kernel should use original userspace
   value.
2. Set ctx->optlen to something that's smaller than the PAGE_SIZE.

v5:
* use ctx->optlen == 0 with trimmed buffer (Alexei Starovoitov)
* update the docs accordingly

v4:
* use temporary buffer to avoid optval == optval_end == NULL;
  this removes the corner case in the verifier that might assume
  non-zero PTR_TO_PACKET/PTR_TO_PACKET_END.

v3:
* don't increase the limit, bypass the argument

v2:
* proper comments formatting (Jakub Kicinski)

Fixes: 0d01da6a

 ("bpf: implement getsockopt and setsockopt hooks")
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Cc: David Laight <David.Laight@ACULAB.COM>
Link: https://lore.kernel.org/bpf/20200617010416.93086-1-sdf@google.com

parent 99c51064

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 3ed29995
· Jan 27, 2021

mentioned in commit 3ed29995

mentioned in commit 3ed29995c281762df98cccf86afbddbfb6a918ef

Toggle commit list

Please register or to comment