From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: Zhang Cen <rollkingzzc@gmail.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
Stanislav Fomichev <sdf@fomichev.me>,
Jakub Sitnicki <jakub@cloudflare.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
bpf@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, zerocling0077@gmail.com,
2045gemini@gmail.com, stable@vger.kernel.org
Subject: Re: [PATCH v2] bpf, sockmap: keep sk_msg copy state in sync
Date: Wed, 20 May 2026 11:13:30 +0800 [thread overview]
Message-ID: <206188f9-5642-4348-9fa1-c48f9a890640@linux.dev> (raw)
In-Reply-To: <20260517121626.406516-1-rollkingzzc@gmail.com>
On 5/17/26 8:16 PM, Zhang Cen wrote:
> SK_MSG uses msg->sg.copy as per-scatterlist-entry provenance. Entries
> with this bit set are copied before data/data_end are exposed to SK_MSG
> BPF programs for direct packet access.
>
> bpf_msg_pull_data(), bpf_msg_push_data() and bpf_msg_pop_data() rewrite
> the sk_msg scatterlist ring by collapsing, splitting and shifting
> entries. These operations move msg->sg.data[] entries, but the parallel
> copy bitmap can be left behind or stale in slots that no longer contain
> the original entry. A copied entry can therefore later occupy a slot whose
> copy bit is clear and be exposed as directly writable packet data.
>
> Keep msg->sg.copy synchronized with scatterlist entry moves, preserve the
> copy bit when an entry is split, clear it when a helper replaces an entry
> with a private page, and clear every slot vacated by pull-data
> compaction.
>
> Fixes: 015632bb30da ("bpf: sk_msg program helper bpf_sk_msg_pull_data")
> Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
> Fixes: 7246d8ed4dcc ("bpf: helper to pop data from messages")
> Cc: stable@vger.kernel.org
> Co-developed-by: Han Guidong <2045gemini@gmail.com>
> Signed-off-by: Han Guidong <2045gemini@gmail.com>
> Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
> ---
> v2:
> Sashiko-bot pointed out that bpf_msg_pull_data() could leave stale copy
> bits on collapsed tail entries.
>
> Clear msg->sg.copy for every entry consumed by bpf_msg_pull_data()
> before compacting the scatterlist ring.
>
> While researching recent page cache bugs, we discovered this bug.
> We confirmed it allows overwriting the page cache of read-only files
> via splice(). We haven't attempted to write an exploit, but the
> corruption primitive is verified. PoC available upon request.
> Recommend fixing ASAP.
I think only "splice() + KTLS + sockmap" is vulnerable, right ?
I digded a lot but didn't find any other combo.
Actually the normal TCP/UDP with splice() will not go through sockmap
(unsupported yet)
I think only "splice() + KTLS + sockmap" is vulnerable, right ?
I digded a lot but didn't find any other combo.
next prev parent reply other threads:[~2026-05-20 3:13 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-17 12:16 [PATCH v2] bpf, sockmap: keep sk_msg copy state in sync Zhang Cen
2026-05-17 12:50 ` sashiko-bot
2026-05-18 21:32 ` John Fastabend
2026-05-19 12:49 ` Cen Zhang
2026-05-19 19:29 ` John Fastabend
2026-05-20 4:28 ` Cen Zhang
2026-05-20 3:13 ` Jiayuan Chen [this message]
2026-05-20 3:29 ` Han Guidong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=206188f9-5642-4348-9fa1-c48f9a890640@linux.dev \
--to=jiayuan.chen@linux.dev \
--cc=2045gemini@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jakub@cloudflare.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=rollkingzzc@gmail.com \
--cc=sdf@fomichev.me \
--cc=stable@vger.kernel.org \
--cc=zerocling0077@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.