From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Stanislav Fomichev <sdf@google.com>,
Eric Dumazet <edumazet@google.com>,
syzbot+f635e86ec3fa0a37e019@syzkaller.appspotmail.com,
Martin KaFai Lau <martin.lau@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Sasha Levin <sashal@kernel.org>,
martin.lau@linux.dev, daniel@iogearbox.net, andrii@kernel.org,
davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com,
bpf@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 05/26] bpf: make sure skb->len != 0 when redirecting to a tunneling device
Date: Sun, 18 Dec 2022 11:19:55 -0500 [thread overview]
Message-ID: <20221218162016.934280-5-sashal@kernel.org> (raw)
In-Reply-To: <20221218162016.934280-1-sashal@kernel.org>
From: Stanislav Fomichev <sdf@google.com>
[ Upstream commit 07ec7b502800ba9f7b8b15cb01dd6556bb41aaca ]
syzkaller managed to trigger another case where skb->len == 0
when we enter __dev_queue_xmit:
WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline]
WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295
Call Trace:
dev_queue_xmit+0x17/0x20 net/core/dev.c:4406
__bpf_tx_skb net/core/filter.c:2115 [inline]
__bpf_redirect_no_mac net/core/filter.c:2140 [inline]
__bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163
____bpf_clone_redirect net/core/filter.c:2447 [inline]
bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419
bpf_prog_48159a89cb4a9a16+0x59/0x5e
bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline]
__bpf_prog_run include/linux/filter.h:596 [inline]
bpf_prog_run include/linux/filter.h:603 [inline]
bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402
bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170
bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648
__sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005
__do_sys_bpf kernel/bpf/syscall.c:5091 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5089 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089
do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x61/0xc6
The reproducer doesn't really reproduce outside of syzkaller
environment, so I'm taking a guess here. It looks like we
do generate correct ETH_HLEN-sized packet, but we redirect
the packet to the tunneling device. Before we do so, we
__skb_pull l2 header and arrive again at skb->len == 0.
Doesn't seem like we can do anything better than having
an explicit check after __skb_pull?
Cc: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+f635e86ec3fa0a37e019@syzkaller.appspotmail.com
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/r/20221027225537.353077-1-sdf@google.com
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index 5129e89f52bb..aa2e7baa13c4 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2025,6 +2025,10 @@ static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev,
if (mlen) {
__skb_pull(skb, mlen);
+ if (unlikely(!skb->len)) {
+ kfree_skb(skb);
+ return -ERANGE;
+ }
/* At ingress, the mac header has already been pulled once.
* At egress, skb_pospull_rcsum has to be done in case that
--
2.35.1
next prev parent reply other threads:[~2022-12-18 17:00 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-18 16:19 [PATCH AUTOSEL 4.19 01/26] wifi: ath9k: verify the expected usb_endpoints are present Sasha Levin
2022-12-18 16:19 ` [PATCH AUTOSEL 4.19 02/26] wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out Sasha Levin
2022-12-18 16:19 ` [PATCH AUTOSEL 4.19 03/26] ASoC: codecs: rt298: Add quirk for KBL-R RVP platform Sasha Levin
2022-12-18 16:19 ` Sasha Levin
2022-12-18 16:19 ` [PATCH AUTOSEL 4.19 04/26] ipmi: fix memleak when unload ipmi driver Sasha Levin
2022-12-18 16:19 ` Sasha Levin [this message]
2022-12-18 16:19 ` [PATCH AUTOSEL 4.19 06/26] net: ethernet: ti: Fix return type of netcp_ndo_start_xmit() Sasha Levin
2022-12-18 16:19 ` [PATCH AUTOSEL 4.19 07/26] hamradio: baycom_epp: Fix return type of baycom_send_packet() Sasha Levin
2022-12-18 16:19 ` [PATCH AUTOSEL 4.19 08/26] wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request() Sasha Levin
2022-12-18 16:19 ` [Intel-wired-lan] [PATCH AUTOSEL 4.19 09/26] igb: Do not free q_vector unless new one was allocated Sasha Levin
2022-12-18 16:19 ` Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 10/26] drm/amdgpu: Fix type of second parameter in trans_msg() callback Sasha Levin
2022-12-18 16:20 ` Sasha Levin
2022-12-18 16:20 ` Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 11/26] s390/ctcm: Fix return type of ctc{mp,}m_tx() Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 12/26] s390/netiucv: Fix return type of netiucv_tx() Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 13/26] s390/lcs: Fix return type of lcs_start_xmit() Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 14/26] drm/sti: Use drm_mode_copy() Sasha Levin
2022-12-18 16:20 ` Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 15/26] drivers/md/md-bitmap: check the return value of md_bitmap_get_counter() Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 16/26] md/raid1: stop mdx_raid1 thread when raid1 array run failed Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 17/26] mrp: introduce active flags to prevent UAF when applicant uninit Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 18/26] ppp: associate skb with a device at tx Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 19/26] media: dvb-frontends: fix leak of memory fw Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 20/26] media: dvbdev: adopts refcnt to avoid UAF Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 21/26] media: dvb-usb: fix memory leak in dvb_usb_adapter_init() Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 22/26] blk-mq: fix possible memleak when register 'hctx' failed Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 23/26] regulator: core: fix use_count leakage when handling boot-on Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 24/26] mmc: f-sdh30: Add quirks for broken timeout clock capability Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 25/26] media: si470x: Fix use-after-free in si470x_int_in_callback() Sasha Levin
2022-12-18 16:20 ` [PATCH AUTOSEL 4.19 26/26] clk: st: Fix memory leak in st_of_quadfs_setup() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221218162016.934280-5-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@kernel.org \
--cc=martin.lau@linux.dev \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sdf@google.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+f635e86ec3fa0a37e019@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.