bpf: Disable unsafe helpers in TX timestamping callbacks

author Jason Xing <kerneljasonxing@gmail.com>

Thu, 20 Feb 2025 07:29:32 +0000 (15:29 +0800)

committer Martin KaFai Lau <martin.lau@kernel.org>

Thu, 20 Feb 2025 22:29:10 +0000 (14:29 -0800)
author Jason Xing <kerneljasonxing@gmail.com>
Thu, 20 Feb 2025 07:29:32 +0000 (15:29 +0800)
committer Martin KaFai Lau <martin.lau@kernel.org>
Thu, 20 Feb 2025 22:29:10 +0000 (14:29 -0800)
diff --git a/net/core/filter.c b/net/core/filter.c

index 7a20ddae76676e766a3abecded801fc2ba745fd5..90a8fbc2e09677bb45e208179cd751e010ebc166 100644 (file)
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -5524,6 +5524,11 @@ static int __bpf_setsockopt(struct sock *sk, int level, int optname,
         return -EINVAL;
  }
  
+static bool is_locked_tcp_sock_ops(struct bpf_sock_ops_kern *bpf_sock)
+{
+       return bpf_sock->op <= BPF_SOCK_OPS_WRITE_HDR_OPT_CB;
+}
+
  static int _bpf_setsockopt(struct sock *sk, int level, int optname,
                            char *optval, int optlen)
  {
@@ -5674,6 +5679,9 @@ static const struct bpf_func_proto bpf_sock_addr_getsockopt_proto = {
  BPF_CALL_5(bpf_sock_ops_setsockopt, struct bpf_sock_ops_kern *, bpf_sock,
            int, level, int, optname, char *, optval, int, optlen)
  {
+       if (!is_locked_tcp_sock_ops(bpf_sock))
+               return -EOPNOTSUPP;
+
         return _bpf_setsockopt(bpf_sock->sk, level, optname, optval, optlen);
  }
  
@@ -5759,6 +5767,9 @@ static int bpf_sock_ops_get_syn(struct bpf_sock_ops_kern *bpf_sock,
  BPF_CALL_5(bpf_sock_ops_getsockopt, struct bpf_sock_ops_kern *, bpf_sock,
            int, level, int, optname, char *, optval, int, optlen)
  {
+       if (!is_locked_tcp_sock_ops(bpf_sock))
+               return -EOPNOTSUPP;
+
         if (IS_ENABLED(CONFIG_INET) && level == SOL_TCP &&
             optname >= TCP_BPF_SYN && optname <= TCP_BPF_SYN_MAC) {
                 int ret, copy_len = 0;
@@ -5801,6 +5812,9 @@ BPF_CALL_2(bpf_sock_ops_cb_flags_set, struct bpf_sock_ops_kern *, bpf_sock,
         struct sock *sk = bpf_sock->sk;
         int val = argval & BPF_SOCK_OPS_ALL_CB_FLAGS;
  
+       if (!is_locked_tcp_sock_ops(bpf_sock))
+               return -EOPNOTSUPP;
+
         if (!IS_ENABLED(CONFIG_INET) || !sk_fullsock(sk))
                 return -EINVAL;
  
@@ -7610,6 +7624,9 @@ BPF_CALL_4(bpf_sock_ops_load_hdr_opt, struct bpf_sock_ops_kern *, bpf_sock,
         u8 search_kind, search_len, copy_len, magic_len;
         int ret;
  
+       if (!is_locked_tcp_sock_ops(bpf_sock))
+               return -EOPNOTSUPP;
+
         /* 2 byte is the minimal option len except TCPOPT_NOP and
          * TCPOPT_EOL which are useless for the bpf prog to learn
          * and this helper disallow loading them also.
author	Jason Xing <kerneljasonxing@gmail.com>
	Thu, 20 Feb 2025 07:29:32 +0000 (15:29 +0800)
committer	Martin KaFai Lau <martin.lau@kernel.org>
	Thu, 20 Feb 2025 22:29:10 +0000 (14:29 -0800)