Re: [PATCH net-next 1/2] bpf: enable non-root eBPF programs

From: Alexei Starovoitov
Date: Mon Oct 05 2015 - 20:28:12 EST


On 10/5/15 3:02 PM, Kees Cook wrote:
>> the array maps that hold FDs (BPF_MAP_TYPE_PROG_ARRAY and
>> BPF_MAP_TYPE_PERF_EVENT_ARRAY) don't have lookup/update accessors
>> from the program side, so programs cannot see or manipulate
>> those pointers.
>> For the former only bpf_tail_call() is allowed that takes integer
>> index and jumps to it. And the latter map accessed with
>
> Okay, so I can't take a pointer, put it on the stack, take it back any
> part of it as an integer and use it for a tail call?

not quite.
you can store a pointer to stack and read it as 8 byte load back into
another register, but reading <8 byte of it will be rejected.
That's the test:
unpriv: read pointer from stack in small chunks
we obviously want to avoid hiding pointer in integers.
After reading it back from stack as a pointer you cannot use
this register to pass as index into bpf_tail_call().
That's the test:
unpriv: pass pointer to helper function

please keep shooting everything that comes to mind.
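
A simplified model of the two checks described in the message above, as an added example that is not kernel verifier code and not part of the original message. The register kinds, the single stack slot and the three pseudo-instructions are assumptions made for illustration.

```c
#include <stddef.h>

/* Simplified model of the two checks; the types and pseudo-instructions
 * here are assumptions for illustration, not kernel verifier code. */
enum kind { SCALAR, POINTER };
enum op { OP_SPILL, OP_FILL, OP_TAIL_CALL };
struct insn { enum op op; int reg; int size; };

/* R1 starts as a pointer, the other registers as integers (constructed). */
static const enum kind INIT[4] = { SCALAR, POINTER, SCALAR, SCALAR };

/* Returns -1 if the program is accepted, else the index of the
 * first rejected instruction. */
int verify(const struct insn *prog, size_t n)
{
    enum kind reg[4], slot = SCALAR;
    for (int i = 0; i < 4; i++)
        reg[i] = INIT[i];
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *in = &prog[pc];
        switch (in->op) {
        case OP_SPILL:      /* 8-byte store of reg into the stack slot */
            slot = reg[in->reg];
            break;
        case OP_FILL:       /* load `size` bytes of the slot into reg */
            if (slot == POINTER && in->size != 8)
                return (int)pc;  /* pointer bits would become an integer */
            reg[in->reg] = slot; /* the type survives the round trip */
            break;
        case OP_TAIL_CALL:  /* reg holds the index argument */
            if (reg[in->reg] != SCALAR)
                return (int)pc;  /* pointer where an integer is required */
            break;
        }
    }
    return -1;
}

/* Spill R<src>, fill `size` bytes into R2, then tail call with R2 as index. */
int round_trip(int src, int size)
{
    struct insn p[] = { {OP_SPILL, src, 8}, {OP_FILL, 2, size}, {OP_TAIL_CALL, 2, 0} };
    return verify(p, 3);
}
```
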

