Date: Wed, 18 Jun 2014 15:48:05 -0700
Subject: Re: [PATCH] net: filter: fix upper BPF instruction limit
From: Alexei Starovoitov
To: Kees Cook
Cc: LKML, "David S. Miller", Daniel Borkmann, Eric Dumazet, Chema Gonzalez, Network Development
In-Reply-To: <20140618223457.GA31568@www.outflux.net>

On Wed, Jun 18, 2014 at 3:34 PM, Kees Cook wrote:
> The original checks (via sk_chk_filter) for instruction count uses ">",
> not ">=", so changing this in sk_convert_filter has the potential to break
> existing seccomp filters that used exactly BPF_MAXINSNS many instructions.
>
> Fixes: bd4cf0ed331a ("net: filter: rework/optimize internal BPF interpreter's instruction set")
> Signed-off-by: Kees Cook
> Cc: stable@vger.kernel.org # v3.15+

Acked-by: Alexei Starovoitov

I wonder how did you catch this? :)
Just code inspection or seccomp actually generating such programs?

Thanks!
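The boundary case from the quoted commit message, as an added example that is not part of the original thread and is not kernel source: a differential sweep over filter lengths that counts the lengths the validator accepts but the converter rejects. The three check functions are simplified models; their names and the zero-length handling are assumptions, and `BPF_MAXINSNS` is set to the Linux uapi value of 4096.

```c
/* Added example: simplified models of the two length checks, not kernel code. */
#include <stdio.h>

#define BPF_MAXINSNS 4096 /* value from the Linux uapi headers */

/* Model of the original validator (sk_chk_filter): rejects only flen > limit. */
static int chk_filter_len(unsigned int flen)
{
    return (flen == 0 || flen > BPF_MAXINSNS) ? -1 : 0;
}

/* Model of the converter check before the fix: ">=" also rejects flen == limit. */
static int convert_len_before_fix(int len)
{
    return (len <= 0 || len >= BPF_MAXINSNS) ? -1 : 0;
}

/* Model of the converter check after the fix: same bound as the validator. */
static int convert_len_after_fix(int len)
{
    return (len <= 0 || len > BPF_MAXINSNS) ? -1 : 0;
}

/*
 * Sweep every length up to one past the limit and count the lengths that the
 * validator accepts but the converter rejects. The last such length is
 * written to *where; *where is left untouched when there is none.
 */
static int count_regressions(int (*convert)(int), int *where)
{
    int n = 0;
    for (int len = 0; len <= BPF_MAXINSNS + 1; len++) {
        if (chk_filter_len((unsigned int)len) == 0 && convert(len) != 0) {
            n++;
            *where = len;
        }
    }
    return n;
}

int main(void)
{
    int where = -1;
    int before = count_regressions(convert_len_before_fix, &where);
    printf("before fix: %d mismatching length(s), last at %d\n", before, where);
    where = -1;
    int after = count_regressions(convert_len_after_fix, &where);
    printf("after fix:  %d mismatching length(s)\n", after);
    return 0;
}
```

A sweep like this is a cheap regression check whenever the same limit is enforced in two places, since only the boundary value exposes a `>` versus `>=` disagreement.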