Accepting request 682651 from home:joestringer:branches:security:netfilter

- Pull in bpf global data section support patches
  * Corresponds to changes here:
    https://github.com/cilium/iproute2/tree/static-data

OBS-URL: https://build.opensuse.org/request/show/682651
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/iproute2?expand=0&rev=170

bpf-bss-section-poc.patch

@@ -0,0 +1,113 @@
+From 8f256b14edf9fdba3e0c688b76a4124d8627cde1 Mon Sep 17 00:00:00 2001
+From: Joe Stringer <joe@wand.net.nz>
+Date: Thu, 24 Jan 2019 20:55:39 -0800
+Subject: [PATCH iproute2-next 2/2] bpf: bss section poc
+To: Stephen Hemminger <stephen@networkplumber.org>
+Cc: netdev@vger.kernel.org, daniel@iogearbox.net
+
+The .bss section denotes uninitialized data, which is for instance what
+clang will generate if a static variable is set to zero by default.
+Teach the bpf library about .bss so that such variables can be properly
+initialized.
+
+Signed-off-by: Joe Stringer <joe@wand.net.nz>
+---
+ lib/bpf.c | 37 +++++++++++++++++++++++++++++++++++--
+ 1 file changed, 35 insertions(+), 2 deletions(-)
+
+diff --git a/lib/bpf.c b/lib/bpf.c
+index eb208275ebaa..69eaa5ee732d 100644
+--- a/lib/bpf.c
++++ b/lib/bpf.c
+@@ -1159,6 +1159,7 @@ struct bpf_elf_ctx {
+ 	int			sec_text;
+ 	int			sec_btf;
+ 	int			sec_data;
++	int			sec_bss;
+ 	char			license[ELF_MAX_LICENSE_LEN];
+ 	enum bpf_prog_type	type;
+ 	__u32			ifindex;
+@@ -2048,6 +2049,14 @@ static int bpf_fetch_data(struct bpf_elf_ctx *ctx, int section,
+ 	return 0;
+ }
+ 
++static int bpf_fetch_bss(struct bpf_elf_ctx *ctx, int section,
++			  struct bpf_elf_sec_data *data)
++{
++	ctx->sec_bss = section;
++	ctx->sec_done[section] = true;
++	return 0;
++}
++
+ static void bpf_btf_report(int fd, struct bpf_elf_ctx *ctx)
+ {
+ 	fprintf(stderr, "\nBTF debug data section \'.BTF\' %s%s (%d)!\n",
+@@ -2262,6 +2271,11 @@ static bool bpf_has_glob_data(const struct bpf_elf_ctx *ctx)
+ 	return ctx->sec_data;
+ }
+ 
++static bool bpf_has_bss_data(const struct bpf_elf_ctx *ctx)
++{
++	return ctx->sec_bss;
++}
++
+ static int bpf_fetch_ancillary(struct bpf_elf_ctx *ctx, bool check_text_sec)
+ {
+ 	struct bpf_elf_sec_data data;
+@@ -2286,6 +2300,9 @@ static int bpf_fetch_ancillary(struct bpf_elf_ctx *ctx, bool check_text_sec)
+ 		else if (data.sec_hdr.sh_type == SHT_PROGBITS &&
+ 			 !strcmp(data.sec_name, ".data"))
+ 			ret = bpf_fetch_data(ctx, i, &data);
++		else if (data.sec_hdr.sh_type == SHT_NOBITS &&
++			 !strcmp(data.sec_name, ".bss"))
++			ret = bpf_fetch_bss(ctx, i, &data);
+ 		else if (data.sec_hdr.sh_type == SHT_SYMTAB &&
+ 			 !strcmp(data.sec_name, ".symtab"))
+ 			ret = bpf_fetch_symtab(ctx, i, &data);
+@@ -2414,6 +2431,19 @@ static int bpf_apply_relo_glob(struct bpf_elf_ctx *ctx, struct bpf_elf_prog *pro
+ 	return 0;
+ }
+ 
++static int bpf_apply_relo_bss(struct bpf_elf_ctx *ctx, struct bpf_elf_prog *prog,
++			      GElf_Rel *relo, GElf_Sym *sym,
++			      struct bpf_relo_props *props)
++{
++	unsigned int insn_off = relo->r_offset / sizeof(struct bpf_insn);
++
++	if (insn_off >= prog->insns_num)
++		return -EINVAL;
++
++	prog->insns[insn_off].imm = 0;
++	return 0;
++}
++
+ static int bpf_apply_relo_call(struct bpf_elf_ctx *ctx, struct bpf_elf_prog *prog,
+ 			       GElf_Rel *relo, GElf_Sym *sym,
+ 			       struct bpf_relo_props *props)
+@@ -2470,10 +2500,12 @@ static int bpf_apply_relo_data(struct bpf_elf_ctx *ctx,
+ 			ret = bpf_apply_relo_map(ctx, prog, &relo, &sym, props);
+ 		else if (sym.st_shndx == ctx->sec_data)
+ 			ret = bpf_apply_relo_glob(ctx, prog, &relo, &sym, props);
++		else if (sym.st_shndx == ctx->sec_bss)
++			ret = bpf_apply_relo_bss(ctx, prog, &relo, &sym, props);
+ 		else if (sym.st_shndx == ctx->sec_text)
+ 			ret = bpf_apply_relo_call(ctx, prog, &relo, &sym, props);
+ 		else
+-			fprintf(stderr, "ELF contains non-{map,data,call} related relo data in entry %u pointing to section %u! Compiler bug?!\n",
++			fprintf(stderr, "ELF contains non-{bss,call,data,map} related relo data in entry %u pointing to section %u! Compiler bug?!\n",
+ 				relo_ent, sym.st_shndx);
+ 		if (ret < 0)
+ 			return ret;
+@@ -2569,7 +2601,8 @@ static int bpf_fetch_prog_sec(struct bpf_elf_ctx *ctx, const char *section)
+ 			return ret;
+ 	}
+ 
+-	if (bpf_has_map_data(ctx) || bpf_has_call_data(ctx) || bpf_has_glob_data(ctx))
++	if (bpf_has_map_data(ctx) || bpf_has_call_data(ctx) ||
++	    bpf_has_glob_data(ctx) || bpf_has_bss_data(ctx))
+ 		ret = bpf_fetch_prog_relo(ctx, section, &lderr, &sseen, &prog);
+ 	if (ret < 0 && !lderr)
+ 		ret = bpf_fetch_prog(ctx, section, &sseen);
+-- 
+2.19.1
+

bpf-data-section-support-poc.patch

@@ -0,0 +1,118 @@
+From 4e0dcb220bd77a5ddf0f8956740281efbf1ead90 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 31 Oct 2018 20:25:22 +0100
+Subject: [PATCH iproute2-next 1/2] bpf: data section support poc
+To: Stephen Hemminger <stephen@networkplumber.org>
+Cc: netdev@vger.kernel.org, daniel@iogearbox.net
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+---
+ lib/bpf.c | 40 ++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/lib/bpf.c b/lib/bpf.c
+index 45f279fa4a41..eb208275ebaa 100644
+--- a/lib/bpf.c
++++ b/lib/bpf.c
+@@ -1142,6 +1142,7 @@ struct bpf_elf_ctx {
+ 	Elf_Data		*sym_tab;
+ 	Elf_Data		*str_tab;
+ 	Elf_Data		*btf_data;
++	Elf_Data		*glo_data;
+ 	char			obj_uid[64];
+ 	int			obj_fd;
+ 	int			btf_fd;
+@@ -1157,6 +1158,7 @@ struct bpf_elf_ctx {
+ 	int			sec_maps;
+ 	int			sec_text;
+ 	int			sec_btf;
++	int			sec_data;
+ 	char			license[ELF_MAX_LICENSE_LEN];
+ 	enum bpf_prog_type	type;
+ 	__u32			ifindex;
+@@ -2037,6 +2039,15 @@ static int bpf_fetch_text(struct bpf_elf_ctx *ctx, int section,
+ 	return 0;
+ }
+ 
++static int bpf_fetch_data(struct bpf_elf_ctx *ctx, int section,
++			  struct bpf_elf_sec_data *data)
++{
++	ctx->sec_data = section;
++	ctx->glo_data = data->sec_data;
++	ctx->sec_done[section] = true;
++	return 0;
++}
++
+ static void bpf_btf_report(int fd, struct bpf_elf_ctx *ctx)
+ {
+ 	fprintf(stderr, "\nBTF debug data section \'.BTF\' %s%s (%d)!\n",
+@@ -2246,6 +2257,11 @@ static bool bpf_has_call_data(const struct bpf_elf_ctx *ctx)
+ 	return ctx->sec_text;
+ }
+ 
++static bool bpf_has_glob_data(const struct bpf_elf_ctx *ctx)
++{
++	return ctx->sec_data;
++}
++
+ static int bpf_fetch_ancillary(struct bpf_elf_ctx *ctx, bool check_text_sec)
+ {
+ 	struct bpf_elf_sec_data data;
+@@ -2267,6 +2283,9 @@ static int bpf_fetch_ancillary(struct bpf_elf_ctx *ctx, bool check_text_sec)
+ 			 !strcmp(data.sec_name, ".text") &&
+ 			 check_text_sec)
+ 			ret = bpf_fetch_text(ctx, i, &data);
++		else if (data.sec_hdr.sh_type == SHT_PROGBITS &&
++			 !strcmp(data.sec_name, ".data"))
++			ret = bpf_fetch_data(ctx, i, &data);
+ 		else if (data.sec_hdr.sh_type == SHT_SYMTAB &&
+ 			 !strcmp(data.sec_name, ".symtab"))
+ 			ret = bpf_fetch_symtab(ctx, i, &data);
+@@ -2380,6 +2399,21 @@ static int bpf_apply_relo_map(struct bpf_elf_ctx *ctx, struct bpf_elf_prog *prog
+ 	return 0;
+ }
+ 
++static int bpf_apply_relo_glob(struct bpf_elf_ctx *ctx, struct bpf_elf_prog *prog,
++			       GElf_Rel *relo, GElf_Sym *sym,
++			       struct bpf_relo_props *props)
++{
++	unsigned int insn_off = relo->r_offset / sizeof(struct bpf_insn);
++	int *data;
++
++	if (insn_off >= prog->insns_num)
++		return -EINVAL;
++
++	data = ctx->glo_data->d_buf + sym->st_value;
++	prog->insns[insn_off].imm = *data;
++	return 0;
++}
++
+ static int bpf_apply_relo_call(struct bpf_elf_ctx *ctx, struct bpf_elf_prog *prog,
+ 			       GElf_Rel *relo, GElf_Sym *sym,
+ 			       struct bpf_relo_props *props)
+@@ -2434,10 +2468,12 @@ static int bpf_apply_relo_data(struct bpf_elf_ctx *ctx,
+ 
+ 		if (sym.st_shndx == ctx->sec_maps)
+ 			ret = bpf_apply_relo_map(ctx, prog, &relo, &sym, props);
++		else if (sym.st_shndx == ctx->sec_data)
++			ret = bpf_apply_relo_glob(ctx, prog, &relo, &sym, props);
+ 		else if (sym.st_shndx == ctx->sec_text)
+ 			ret = bpf_apply_relo_call(ctx, prog, &relo, &sym, props);
+ 		else
+-			fprintf(stderr, "ELF contains non-{map,call} related relo data in entry %u pointing to section %u! Compiler bug?!\n",
++			fprintf(stderr, "ELF contains non-{map,data,call} related relo data in entry %u pointing to section %u! Compiler bug?!\n",
+ 				relo_ent, sym.st_shndx);
+ 		if (ret < 0)
+ 			return ret;
+@@ -2533,7 +2569,7 @@ static int bpf_fetch_prog_sec(struct bpf_elf_ctx *ctx, const char *section)
+ 			return ret;
+ 	}
+ 
+-	if (bpf_has_map_data(ctx) || bpf_has_call_data(ctx))
++	if (bpf_has_map_data(ctx) || bpf_has_call_data(ctx) || bpf_has_glob_data(ctx))
+ 		ret = bpf_fetch_prog_relo(ctx, section, &lderr, &sseen, &prog);
+ 	if (ret < 0 && !lderr)
+ 		ret = bpf_fetch_prog(ctx, section, &sseen);
+-- 
+2.19.1
+

iproute2.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Mar  6 00:59:48 UTC 2019 - Joe Stringer <joe@cilium.io>
+
+- Pull in bpf global data section support patches
+  * Corresponds to changes here:
+    https://github.com/cilium/iproute2/tree/static-data
+
 -------------------------------------------------------------------
 Sat Jan 26 10:39:56 UTC 2019 - mkubecek@suse.cz
 

iproute2.spec

@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -38,6 +38,8 @@ Patch4:         xfrm-support-displaying-transformations-used-for-Mob.patch
 Patch6:         split-link-and-compile-steps-for-binaries.patch
 Patch7:         examples-fix-bashisms-in-example-script.patch
 Patch102:       Revert-emp-fix-warning-on-deprecated-bison-directive.patch
+Patch201:       bpf-data-section-support-poc.patch
+Patch202:       bpf-bss-section-poc.patch
 BuildRequires:  bison
 BuildRequires:  db-devel
 BuildRequires:  fdupes
@@ -84,7 +86,7 @@ bash command line completion support for iproute.
 
 %prep
 %setup -qn %name-%rversion
-%patch -P 1 -P 2 -P 3 -P 4 -P 6 -P 7 -p1
+%patch -P 1 -P 2 -P 3 -P 4 -P 6 -P 7 -P 201 -P 202 -p1
 %if 0%{?sles_version} == 11
 %patch -P 102 -p1
 %endif