[RFC] Use after free in BPF/ XDP during XDP_REDIRECT

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: "Ricardo Cañuelo Navarro" <rcn@igalia.com>,
	"Alexei Starovoitov" <ast@kernel.org>,
	"Andrii Nakryiko" <andrii@kernel.org>,
	"Daniel Borkmann" <daniel@iogearbox.net>,
	"David S. Miller" <davem@davemloft.net>,
	"Jakub Kicinski" <kuba@kernel.org>,
	"Jesper Dangaard Brouer" <hawk@kernel.org>,
	"John Fastabend" <john.fastabend@gmail.com>,
	"Thomas Gleixner" <tglx@linutronix.de>
Subject: [RFC] Use after free in BPF/ XDP during XDP_REDIRECT
Date: Thu, 13 Mar 2025 19:39:11 +0100	[thread overview]
Message-ID: <20250313183911.SPAmGLyw@linutronix.de> (raw)

Hi,

Ricardo reported a KASAN related use after free
	https://lore.kernel.org/all/20250226-20250204-kasan-slab-use-after-free-read-in-dev_map_enqueue__submit-v3-0-360efec441ba@igalia.com/

in v6.6 stable and suggest a backport of commits
	401cb7dae8130 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.")
	fecef4cd42c68 ("tun: Assign missing bpf_net_context.")
	9da49aa80d686 ("tun: Add missing bpf_net_ctx_clear() in do_xdp_generic()")

as a fix. In the meantime I have the syz reproducer+config and was able
to investigate.
It looks as if the syzbot starts a BPF program via xdp_test_run_batch()
which assigns ri->tgt_value via dev_hash_map_redirect() and the return code
isn't XDP_REDIRECT it looks like nonsense. So the print in
bpf_warn_invalid_xdp_action() appears once. Everything goes as planned.
Then the TUN driver runs another BPF program which returns XDP_REDIRECT
without setting ri->tgt_value. This appears to be a trick because it
invoked bpf_trace_printk() which printed four characters. Anyway, this
is enough to get xdp_do_redirect() going.

The commits in questions do fix it because the bpf_redirect_info becomes
not only per-task but gets invalidated after the XDP context is left.

Now that I understand it I would suggest something smaller instead as a
stable fix, (instead the proposed patches). Any objections to the
following:

diff --git a/net/core/filter.c b/net/core/filter.c
index be313928d272..1d906b7a541d 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -9000,8 +9000,12 @@ static bool xdp_is_valid_access(int off, int size,

 void bpf_warn_invalid_xdp_action(struct net_device *dev, struct bpf_prog *prog, u32 act)
 {
+	struct bpf_redirect_info *ri = this_cpu_ptr(&bpf_redirect_info);
 	const u32 act_max = XDP_REDIRECT;

+	ri->map_id = INT_MAX;
+	ri->map_type = BPF_MAP_TYPE_UNSPEC;
+
 	pr_warn_once("%s XDP return value %u on prog %s (id %d) dev %s, expect packet loss!\n",
 		     act > act_max ? "Illegal" : "Driver unsupported",
 		     act, prog->aux->name, prog->aux->id, dev ? dev->name : "N/A");

Sebastian

next             reply	other threads:[~2025-03-13 18:39 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-03-13 18:39 Sebastian Andrzej Siewior [this message]
2025-03-13 19:28 ` [RFC] Use after free in BPF/ XDP during XDP_REDIRECT Toke Høiland-Jørgensen
2025-03-13 20:32   ` Sebastian Andrzej Siewior
2025-03-14  9:21     ` Toke Høiland-Jørgensen
2025-03-14 15:30       ` Sebastian Andrzej Siewior
2025-03-14 16:03         ` Toke Høiland-Jørgensen
2025-03-14 17:27           ` Sebastian Andrzej Siewior
2025-03-17 10:29             ` Toke Høiland-Jørgensen
2025-03-17 12:01               ` Ricardo Cañuelo Navarro

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:be313928d27 dfblob:1d906b7a541 )
 OR (
bs:"[RFC] Use after free in BPF/ XDP during XDP_REDIRECT" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250313183911.SPAmGLyw@linutronix.de \
    --to=bigeasy@linutronix.de \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=hawk@kernel.org \
    --cc=john.fastabend@gmail.com \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=rcn@igalia.com \
    --cc=tglx@linutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.