From: Daniel Borkmann <dborkman@redhat.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: davem@davemloft.net, ast@plumgrid.com, netdev@vger.kernel.org,
Pavel Emelyanov <xemul@parallels.com>
Subject: Re: [PATCH net-next v4 2/9] net: filter: keep original BPF program around
Date: Fri, 12 Sep 2014 08:09:31 +0200 [thread overview]
Message-ID: <54128E1B.7020407@redhat.com> (raw)
In-Reply-To: <1410492457.7106.72.camel@edumazet-glaptop2.roam.corp.google.com>
On 09/12/2014 05:27 AM, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@google.com>
>
> On Fri, 2014-03-28 at 18:58 +0100, Daniel Borkmann wrote:
>> In order to open up the possibility to internally transform a BPF program
>> into an alternative and possibly non-trivial reversible representation, we
>> need to keep the original BPF program around, so that it can be passed back
>> to user space w/o the need of a complex decoder.
>>
>> The reason for that use case resides in commit a8fc92778080 ("sk-filter:
>> Add ability to get socket filter program (v2)"), that is, the ability
>> to retrieve the currently attached BPF filter from a given socket used
>> mainly by the checkpoint-restore project, for example.
>>
>> Therefore, we add two helpers sk_{store,release}_orig_filter for taking
>> care of that. In the sk_unattached_filter_create() case, there's no such
>> possibility/requirement to retrieve a loaded BPF program. Therefore, we
>> can spare us the work in that case.
>>
>> This approach will simplify and slightly speed up both, sk_get_filter()
>> and sock_diag_put_filterinfo() handlers as we won't need to successively
>> decode filters anymore through sk_decode_filter(). As we still need
>> sk_decode_filter() later on, we're keeping it around.
>>
>> Joint work with Alexei Starovoitov.
>>
>> Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
>> Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
>> Cc: Pavel Emelyanov <xemul@parallels.com>
>> ---
>
> Note that this patch added a possible use after free.
>
> Following patch should be sent to stable trees only, as 3.17+
> incidentally fixed this with
> commit 278571baca2aecf5fb5cb5c8b002dbfa0a6c524c
> net: filter: simplify socket charging
>
> [PATCH] net: filter: fix possible use after free
>
> If kmemdup() fails, we free fp->orig_prog and return -ENOMEM
>
> sk_attach_filter()
> -> sk_filter_uncharge(sk, fp)
> -> sk_filter_release(fp)
> -> call_rcu(&fp->rcu, sk_filter_release_rcu)
> -> sk_filter_release_rcu()
> -> sk_release_orig_filter()
> fprog = fp->orig_prog; // not NULL, but points to freed memory
> kfree(fprog->filter); // use after free, potential corruption
> kfree(fprog); // double free or corruption
>
> Note: This was fixed in 3.17+ with commit 278571baca2a
> ("net: filter: simplify socket charging")
>
> Found by AddressSanitizer
>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Fixes: a3ea269b8bcdb ("net: filter: keep original BPF program around")
Thanks Eric!
Acked-by: Daniel Borkmann <dborkman@redhat.com>
next prev parent reply other threads:[~2014-09-12 6:09 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-28 17:58 [PATCH net-next v4 0/9] BPF updates Daniel Borkmann
2014-03-28 17:58 ` [PATCH net-next v4 1/9] net: filter: add jited flag to indicate jit compiled filters Daniel Borkmann
2014-03-28 17:58 ` [PATCH net-next v4 2/9] net: filter: keep original BPF program around Daniel Borkmann
2014-09-12 3:27 ` Eric Dumazet
2014-09-12 3:51 ` Alexei Starovoitov
2014-09-12 6:09 ` Daniel Borkmann [this message]
2014-09-13 21:05 ` David Miller
2014-03-28 17:58 ` [PATCH net-next v4 3/9] net: filter: move filter accounting to filter core Daniel Borkmann
2014-03-28 17:58 ` [PATCH net-next v4 4/9] net: ptp: use sk_unattached_filter_create() for BPF Daniel Borkmann
2014-03-28 17:58 ` [PATCH net-next v4 5/9] net: ptp: do not reimplement PTP/BPF classifier Daniel Borkmann
2014-03-31 9:13 ` Richard Cochran
2014-03-31 20:37 ` Daniel Borkmann
2014-03-28 17:58 ` [PATCH net-next v4 6/9] net: ppp: use sk_unattached_filter api Daniel Borkmann
2014-03-28 17:58 ` Daniel Borkmann
2014-03-28 17:58 ` [PATCH net-next v4 7/9] net: isdn: " Daniel Borkmann
2014-03-28 17:58 ` [PATCH net-next v4 8/9] net: filter: rework/optimize internal BPF interpreter's instruction set Daniel Borkmann
2014-03-28 17:58 ` [PATCH net-next v4 9/9] doc: filter: extend BPF documentation to document new internals Daniel Borkmann
2014-03-31 4:46 ` [PATCH net-next v4 0/9] BPF updates David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54128E1B.7020407@redhat.com \
--to=dborkman@redhat.com \
--cc=ast@plumgrid.com \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.