bpf: bpf_dbg: split pcap_next_pkt() validation/advance, fix off-by-one in cmd_select#11987
Open
kernel-patches-daemon-bpf[bot] wants to merge 1 commit intobpf-next_basefrom
Open
bpf: bpf_dbg: split pcap_next_pkt() validation/advance, fix off-by-one in cmd_select#11987kernel-patches-daemon-bpf[bot] wants to merge 1 commit intobpf-next_basefrom
kernel-patches-daemon-bpf[bot] wants to merge 1 commit intobpf-next_basefrom
Conversation
Author
|
Upstream branch: 9f5b3ff |
AI reviewed your patch. Please fix the bug or email reply why it's not a bug. In-Reply-To-Subject: |
Author
|
Forwarding comment 4343910055 via email |
kernel-patches-daemon-bpf
Bot
force-pushed
the
bpf-next_base
branch
from
6d81208 to
e299921
Compare
Author
|
Upstream branch: 2ca6723 |
kernel-patches-daemon-bpf
Bot
force-pushed
the
series/1087457=>bpf-next
branch
from
2494c4d to
5bd2158
Compare
kernel-patches-daemon-bpf
Bot
force-pushed
the
bpf-next_base
branch
from
e299921 to
68b493c
Compare
Author
|
Upstream branch: 2ca6723 |
kernel-patches-daemon-bpf
Bot
force-pushed
the
series/1087457=>bpf-next
branch
from
5bd2158 to
c9176f1
Compare
kernel-patches-daemon-bpf
Bot
force-pushed
the
bpf-next_base
branch
from
68b493c to
149211d
Compare
Author
|
Upstream branch: 2ca6723 |
…e in cmd_select
bpf_dbg's interactive 'select <N>' command, documented in the file
header ("select 3 (run etc will start from the 3rd packet in the
pcap)") to use 1-based packet indexing, advances the pcap cursor one
packet too many. The loop in cmd_select():
pcap_reset_pkt(); /* cursor on packet 1 */
for (i = 0; i < which && (have_next = pcap_next_pkt()); i++)
/* noop */;
calls pcap_next_pkt() N times to reach packet N, but pcap_next_pkt()
validates the packet at the cursor and then advances past it. After
N calls the cursor is on packet N+1, so 'select 3' positions on
packet 4, 'select 4' on packet 5, etc.
Simply changing the loop init to 'i = 1' (so it advances N-1 times)
fixes the user-visible symptom but leaves the final landed-on packet
unvalidated, and combined with pcap_next_pkt()'s '>=' boundary
checks, mis-handles the boundary cases on the last and just-past-the-
last packet. As pointed out by the Sashiko AI review on v1 and v2,
this surfaces in two ways:
1. On a perfect pcap (no trailing bytes after the last packet),
pcap_next_pkt()'s '>= pcap_map_size' rejects packets whose body
ends exactly at the file boundary, so 'select N' on an N-packet
file errors as "no packet #N available" even though the packet
is fully in-bounds.
2. On a truncated pcap (filehdr + a few stray bytes that happen to
pass try_load_pcap()'s 'pcap_map_size > sizeof(filehdr)' guard
but not enough to contain a full pkthdr), 'select 1' returns
CMD_OK without ever validating the header, and a subsequent
'step' or 'run' dereferences pcap_curr_pkt()->caplen past the
mapped region.
Fix all three issues by splitting pcap_next_pkt() into a pure
validator (pcap_curr_pkt_valid()) and a validate-advance-validate
combinator. The boundary check now uses '>' instead of '>=', so a
packet whose body ends exactly at pcap_map_size is correctly accepted.
pcap_next_pkt() returns true only when both the current packet was
valid and, after advancing, the new cursor position is also valid.
This means the do-while in cmd_run() exits cleanly after the last
packet (no past-end dereference), and cmd_select() can call
pcap_curr_pkt_valid() after the loop to bounds-check the final
packet.
Reproduction (deterministic, no kernel needed): build bpf_dbg from
the unmodified tree, synthesize a pcap with N>=2 packets each with a
distinct payload byte, and drive 'select 1 / step 1 / quit'. Before
this fix, 'select 1' shows packet 2's payload. After this fix,
'select K' shows packet K for all K in 1..N, 'select N+1' correctly
errors with "no packet #N+1 available!", and 'select 1' on a pcap
truncated to filehdr + 1 byte also correctly errors.
Cloudflare's downstream mirror at github.com/cloudflare/bpftools
carries the same defect.
Fixes: fd981e3 ("filter: bpf_dbg: add minimal bpf debugger")
Signed-off-by: Hasan Basbunar <basbunarhasan@gmail.com>
kernel-patches-daemon-bpf
Bot
force-pushed
the
series/1087457=>bpf-next
branch
from
c9176f1 to
a4e19ca
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: bpf: bpf_dbg: split pcap_next_pkt() validation/advance, fix off-by-one in cmd_select
version: 3
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1087457