Re: [PATCH] net: filter: fix upper BPF instruction limit

From: Daniel Borkmann
Date: Fri Jun 20 2014 - 06:13:43 EST


Hi Kees,

On 06/19/2014 01:28 AM, Kees Cook wrote:
> On Wed, Jun 18, 2014 at 4:19 PM, Alexei Starovoitov <ast@xxxxxxxxxxxx> wrote:
>> On Wed, Jun 18, 2014 at 3:55 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>>> On Wed, Jun 18, 2014 at 3:48 PM, Alexei Starovoitov <ast@xxxxxxxxxxxx> wrote:
>>>> On Wed, Jun 18, 2014 at 3:34 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
...
>>>> I wonder how did you catch this? :)
>>>> Just code inspection or seccomp actually generating such programs?
>>>
>>> In the process of merging my seccomp thread-sync series back with
>>> mainline, I got uncomfortable that I was moving filter size validation
>>> around without actually testing it. When I added it, I was happy that
>>> my series was correctly checking size limits, but then discovered my
>>> newly added check actually failed on an earlier kernel (3.2). Tracking
>>> it down found the corner case under 3.15.
>>>
>>> Here's the test I added to the seccomp regression tests, if you're interested:
>>> https://github.com/kees/seccomp/commit/794d54a340cde70a3bdf7fe0ade1f95d160b2883
>>
>> Nice. I'm assuming https://github.com/redpig/seccomp is still the main tree
>> for seccomp testsuite…
>
> Yes. Will hasn't pulled this most recent set of changes.

We were actually thinking about extending lib/test_bpf module with seccomp
tests, which is possible to a limited extent, but seccomp is also a bit
more than just running a BPF program and making sure results fit.

Are there any plans to put and extend test cases from [1] via user space
side into the kernel self-test directory, i.e. into something like
tools/testing/selftests/seccomp/ so that in future new tests can be added
or run from there? Might be worth considering.

Thanks,

Daniel

[1] https://github.com/redpig/seccomp