From: Greg KH <gregkh@linuxfoundation.org>
To: Zubin Mithra <zsm@chromium.org>
Cc: stable@vger.kernel.org, groeck@chromium.org,
daniel@iogearbox.net, ast@kernel.org, davem@davemloft.net
Subject: Re: [PATCH v4.4.y] bpf: reject wrong sized filters earlier
Date: Mon, 29 Apr 2019 14:37:33 +0200
Message-ID: <20190429123733.GA31371@kroah.com>
In-Reply-To: <20190424180018.15793-1-zsm@chromium.org>
On Wed, Apr 24, 2019 at 11:00:18AM -0700, Zubin Mithra wrote:
> From: Daniel Borkmann <daniel@iogearbox.net>
>
> commit f7bd9e36ee4a4ce38e1cddd7effe6c0d9943285b upstream
>
> Add a bpf_check_basics_ok() and reject filters that are of invalid
> size much earlier, so we don't do any useless work such as invoking
> bpf_prog_alloc(). Currently, rejection happens in bpf_check_classic()
> only, but it's really unnecessarily late and they should be rejected
> at earliest point. While at it, also clean up one bpf_prog_size() to
> make it consistent with the remaining invocations.
>
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> Acked-by: Alexei Starovoitov <ast@kernel.org>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Zubin Mithra <zsm@chromium.org>
> ---
> Notes:
> * Syzkaller reported a kernel BUG related to a kernel paging request in
> bpf_prog_create with the following stacktrace when fuzzing a 4.4 kernel.
> Call Trace:
> [<ffffffff822ac1c8>] bpf_prog_create+0xc8/0x210 net/core/filter.c:1067
> [<ffffffff82454699>] bpf_mt_check+0xb9/0x120 net/netfilter/xt_bpf.c:31
> [<ffffffff82437db8>] xt_check_match+0x238/0x730 net/netfilter/x_tables.c:409
> [<ffffffff82940254>] ebt_check_match net/bridge/netfilter/ebtables.c:380 [inline]
> [<ffffffff82940254>] ebt_check_entry+0x844/0x1740 net/bridge/netfilter/ebtables.c:709
> [<ffffffff82946842>] translate_table+0xcb2/0x1e80 net/bridge/netfilter/ebtables.c:946
> [<ffffffff8294a918>] do_replace_finish+0x6e8/0x1fd0 net/bridge/netfilter/ebtables.c:1002
> [<ffffffff8294c419>] do_replace+0x219/0x370 net/bridge/netfilter/ebtables.c:1145
> [<ffffffff8294c649>] do_ebt_set_ctl+0xd9/0x110 net/bridge/netfilter/ebtables.c:1492
> [<ffffffff8239a87c>] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
> [<ffffffff8239a87c>] nf_setsockopt+0x6c/0xc0 net/netfilter/nf_sockopt.c:114
> [<ffffffff825ddeb6>] ip_setsockopt+0xa6/0xc0 net/ipv4/ip_sockglue.c:1226
> [<ffffffff825fd3c7>] tcp_setsockopt+0x87/0xd0 net/ipv4/tcp.c:2701
> [<ffffffff8220343a>] sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2690
> [<ffffffff822006ed>] SYSC_setsockopt net/socket.c:1767 [inline]
> [<ffffffff822006ed>] SyS_setsockopt+0x15d/0x240 net/socket.c:1746
> [<ffffffff82a16f9b>] entry_SYSCALL_64_fastpath+0x18/0x94
>
> * This patch resolves the following conflicts when applying to v4.4.y:
> - __get_filter does not exist in v4.4. Instead the checks are moved into
> __sk_attach_filter.
>
> * This patch is present in v4.9.y.
>
> * Tests run: Chrome OS tryjobs, Syzkaller reproducer
Now queued up, thanks.
greg k-h
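Added example, not part of the thread above and not kernel code: a small userspace model of the ordering change the backported patch makes in bpf_prog_create(). The struct names mirror the kernel's, but they are simplified stand-ins, and the allocation counter is an assumption of the model. It shows what the commit message argues: with the pre-patch ordering a zero-length or oversized classic filter still pays for a bpf_prog_alloc() before bpf_check_classic() rejects it, whereas putting bpf_check_basics_ok() in front rejects it before any allocation.

```c
/* Userspace model of the check ordering in bpf_prog_create().
 * Constructed example: types are simplified stand-ins, not the kernel's. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BPF_MAXINSNS 4096   /* classic BPF instruction limit, as in the kernel */
#define BPF_RET_K    0x06   /* BPF_RET | BPF_K: "return constant k" */

struct sock_filter { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct sock_fprog  { unsigned short len; struct sock_filter *filter; };

/* Stand-in for struct bpf_prog: a header followed by the instructions. */
struct bpf_prog { unsigned int len; struct sock_filter insns[]; };

static unsigned int prog_allocs;   /* bpf_prog_alloc() calls made by the model */

static size_t bpf_prog_size(unsigned int proglen)
{
	return sizeof(struct bpf_prog) + proglen * sizeof(struct sock_filter);
}

/* The early rejection the patch adds: NULL, empty or oversized filters
 * are refused before anything is allocated. */
static bool bpf_check_basics_ok(const struct sock_filter *filter, unsigned int flen)
{
	if (filter == NULL)
		return false;
	if (flen == 0 || flen > BPF_MAXINSNS)
		return false;
	return true;
}

static struct bpf_prog *bpf_prog_alloc(size_t size)
{
	prog_allocs++;
	return calloc(1, size);
}

/* Minimal stand-in for bpf_check_classic(): the size check it always had,
 * plus the rule that a program must end in a RET instruction. */
static int bpf_check_classic(const struct sock_filter *filter, unsigned int flen)
{
	if (flen == 0 || flen > BPF_MAXINSNS)
		return -EINVAL;
	if (filter[flen - 1].code != BPF_RET_K)
		return -EINVAL;
	return 0;
}

/* Pre-patch ordering: allocate and copy first, validate afterwards. */
static int bpf_prog_create_late_check(const struct sock_fprog *fprog)
{
	unsigned int fsize = fprog->len;
	struct bpf_prog *fp = bpf_prog_alloc(bpf_prog_size(fsize));
	int err;

	if (!fp)
		return -ENOMEM;
	fp->len = fsize;
	for (unsigned int i = 0; i < fsize; i++)   /* memcpy() in the kernel */
		fp->insns[i] = fprog->filter[i];
	err = bpf_check_classic(fp->insns, fp->len);
	free(fp);
	return err;
}

/* Post-patch ordering: the basic size check runs before the old path. */
static int bpf_prog_create_early_check(const struct sock_fprog *fprog)
{
	if (!bpf_check_basics_ok(fprog->filter, fprog->len))
		return -EINVAL;
	return bpf_prog_create_late_check(fprog);
}

static struct sock_filter all_ret[BPF_MAXINSNS + 1];   /* scratch program buffer */

/* Build a program of `len` RET-0 instructions (NULL filter for len 0), run it
 * through the chosen variant, return the error and leave the allocation count
 * in prog_allocs. */
static int run_case(bool early_check, unsigned short len)
{
	struct sock_fprog fprog = { len, len ? all_ret : NULL };

	for (unsigned int i = 0; i < len; i++)
		all_ret[i] = (struct sock_filter){ BPF_RET_K, 0, 0, 0 };
	prog_allocs = 0;
	return early_check ? bpf_prog_create_early_check(&fprog)
			   : bpf_prog_create_late_check(&fprog);
}

int main(void)
{
	int err;

	err = run_case(false, 0);
	printf("late  check, len=0:    err=%d allocs=%u\n", err, prog_allocs);
	err = run_case(true, 0);
	printf("early check, len=0:    err=%d allocs=%u\n", err, prog_allocs);
	err = run_case(false, BPF_MAXINSNS + 1);
	printf("late  check, len=%u: err=%d allocs=%u (%zu bytes requested)\n",
	       BPF_MAXINSNS + 1, err, prog_allocs, bpf_prog_size(BPF_MAXINSNS + 1));
	err = run_case(true, BPF_MAXINSNS + 1);
	printf("early check, len=%u: err=%d allocs=%u\n", BPF_MAXINSNS + 1, err, prog_allocs);
	err = run_case(true, 1);
	printf("early check, valid:    err=%d allocs=%u\n", err, prog_allocs);
	return 0;
}
```

Both variants return -EINVAL for the bad sizes; the difference is only in what work happens before the rejection, which is exactly the point of moving the check, and the reason a fuzzer that feeds bad lengths through xt_bpf exercises less code after the patch.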