Re: [RFC bpf-next 1/2] bpf: tnums: warn against the usage of tnum_in(tnum_range(), ...)

From: Daniel Borkmann
Date: Fri Sep 02 2022 - 10:48:00 EST


On 9/2/22 5:52 AM, Shung-Hsi Yu wrote:
> On Thu, Sep 01, 2022 at 05:00:58PM +0200, Daniel Borkmann wrote:
> > On 8/31/22 5:19 AM, Shung-Hsi Yu wrote:
> > > Commit a657182a5c51 ("bpf: Don't use tnum_range on array range checking
> > > for poke descriptors") has shown that using tnum_range() as an argument to
> > > tnum_in() can lead to misleading code that looks like a tight bound check
> > > when in fact the actual allowed range is much wider.
> > >
> > > Document such behavior to warn against its usage in general, and suggest
> > > some scenarios where the result can be trusted.
> > >
> > > Link: https://lore.kernel.org/bpf/984b37f9fdf7ac36831d2137415a4a915744c1b6.1661462653.git.daniel@xxxxxxxxxxxxx/
> > > Link: https://www.openwall.com/lists/oss-security/2022/08/26/1
> > > Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@xxxxxxxx>
> >
> > Any objections from your side if I merge this? Thanks for adding doc. :)
>
> There is a small typo I meant to fix with s/including/include below.
>
> Other than that, none at all, thanks! :)

Fixed up and applied to bpf-next, thanks!
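The following is an added userspace example, not part of this patch or of the kernel tree, that shows concretely why `tnum_in(tnum_range(min, max), x)` is a loose check. `tnum_range()` and `tnum_in()` are re-implemented here following the logic of the kernel's `kernel/bpf/tnum.c`; `range_check_via_tnum()`, `tnum_range_accepts()`, `true_range_size()` and `range_check_via_bounds()` are hypothetical helpers written for this demonstration (the last one is a precise bounds comparison of the kind the referenced commit moved to, not the kernel's own code). The index range `[0, max_entries - 1]` used in `main()` is an assumed, constructed input.

```c
/* Added example (not from the patch or the kernel): userspace copy of the
 * verifier's tnum_range()/tnum_in() logic, after kernel/bpf/tnum.c, used to
 * show how many values tnum_in(tnum_range(min, max), ...) really accepts.
 * Build: cc -std=c11 -Wall tnum_demo.c -o tnum_demo */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

/* A tnum tracks each bit as known (in value) or unknown (set in mask). */
struct tnum {
	u64 value;
	u64 mask;
};

#define TNUM(_v, _m) ((struct tnum){ .value = (_v), .mask = (_m) })
static const struct tnum tnum_unknown = { .value = 0, .mask = ~0ULL };

/* Position (1-based) of the highest set bit, 0 for x == 0. */
static unsigned int fls64(u64 x)
{
	return x ? 64 - (unsigned int)__builtin_clzll(x) : 0;
}

static struct tnum tnum_const(u64 v)
{
	return TNUM(v, 0);
}

/* Follows the kernel: every bit at or below the highest bit in which min and
 * max differ becomes unknown. The result is the smallest tnum that contains
 * [min, max], which can be far wider than the range itself. */
static struct tnum tnum_range(u64 min, u64 max)
{
	u64 chi = min ^ max, delta;
	unsigned int bits = fls64(chi);

	if (bits > 63)		/* 1ULL << 64 is undefined */
		return tnum_unknown;
	delta = (1ULL << bits) - 1;
	return TNUM(min & ~delta, delta);
}

/* Follows the kernel: true when every value b may take is a value a may take. */
static bool tnum_in(struct tnum a, struct tnum b)
{
	if (b.mask & ~a.mask)	/* b unknown where a is known: not contained */
		return false;
	b.value &= ~a.mask;	/* compare only the bits a knows */
	return a.value == b.value;
}

/* The pattern the commit message warns about (hypothetical helper). */
static bool range_check_via_tnum(u64 min, u64 max, u64 v)
{
	return tnum_in(tnum_range(min, max), tnum_const(v));
}

/* Number of distinct constants the tnum check accepts vs. the number really
 * inside [min, max]. Hypothetical helpers; assume max - min < 2^63 so the
 * mask is a contiguous low-bit run and mask + 1 does not overflow. */
static u64 tnum_range_accepts(u64 min, u64 max)
{
	return tnum_range(min, max).mask + 1;
}

static u64 true_range_size(u64 min, u64 max)
{
	return max - min + 1;
}

/* Precise alternative (hypothetical, not the kernel's code): compare the
 * register's tracked unsigned bounds directly against the allowed range. */
static bool range_check_via_bounds(u64 umin, u64 umax, u64 min, u64 max)
{
	return umin >= min && umax <= max;
}

int main(void)
{
	/* Constructed inputs: index ranges [0, max_entries - 1] of a few sizes. */
	const u64 sizes[] = { 4, 6, 8, 10, 100 };

	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		u64 max = sizes[i] - 1;

		printf("[0, %3llu]: tnum accepts %4llu values, range holds %4llu%s\n",
		       (unsigned long long)max,
		       (unsigned long long)tnum_range_accepts(0, max),
		       (unsigned long long)true_range_size(0, max),
		       tnum_range_accepts(0, max) == true_range_size(0, max)
				? "  (exact)" : "");
	}
	printf("7 in [0, 5] via tnum:   %d\n", range_check_via_tnum(0, 5, 7));
	printf("7 in [0, 5] via bounds: %d\n", range_check_via_bounds(7, 7, 0, 5));
	printf("0 in [1, 2] via tnum:   %d\n", range_check_via_tnum(1, 2, 0));
	return 0;
}
```

Running this shows that `tnum_range(0, 5)` is `{value=0, mask=7}`, so the tnum check accepts 0 through 7 (8 values for a 6-element range), and `tnum_range(1, 2)` is `{value=0, mask=3}`, which accepts 0 even though it lies below `min`. The only ranges for which the check is tight are those of the form `[k * 2^n, k * 2^n + 2^n - 1]`, i.e. `min` has its low `n` bits clear and `max` has them all set; `[0, 7]` is the exact case above. Anywhere else, comparing `umin_value`/`umax_value` against the bounds is what actually enforces the range.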