Re: [PATCH bpf-next] net: Fix slab-out-of-bounds in inet[6]_steal_sock

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Martin KaFai Lau <martin.lau@linux.dev>
To: Lorenz Bauer <lmb@isovalent.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Kuniyuki Iwashima <kuniyu@amazon.com>,
	Martin KaFai Lau <martin.lau@kernel.org>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	bpf@vger.kernel.org, Kumar Kartikeya Dwivedi <memxor@gmail.com>
Subject: Re: [PATCH bpf-next] net: Fix slab-out-of-bounds in inet[6]_steal_sock
Date: Wed, 9 Aug 2023 07:39:28 -0700	[thread overview]
Message-ID: <6acbbf63-ba10-4a66-5e31-b9a499f79489@linux.dev> (raw)
In-Reply-To: <20230809-bpf-next-v1-1-c1b80712e83b@isovalent.com>

On 8/9/23 1:33 AM, Lorenz Bauer wrote:
> Kumar reported a KASAN splat in tcp_v6_rcv:
> 
>    bash-5.2# ./test_progs -t btf_skc_cls_ingress
>    ...
>    [   51.810085] BUG: KASAN: slab-out-of-bounds in tcp_v6_rcv+0x2d7d/0x3440
>    [   51.810458] Read of size 2 at addr ffff8881053f038c by task test_progs/226
> 
> The problem is that inet[6]_steal_sock accesses sk->sk_protocol without
> accounting for request sockets. I added the check to ensure that we only
> every try to perform a reuseport lookup on a supported socket.
> 
> It turns out that this isn't necessary at all. struct sock_common contains
> a skc_reuseport flag which indicates whether a socket is part of a

Does it go back to the earlier discussion 
(https://lore.kernel.org/bpf/7188429a-c380-14c8-57bb-9d05d3ba4e5e@linux.dev/) 
that the sk->sk_reuseport is 1 from sk_clone for TCP_ESTABLISHED? It works 
because there is sk->sk_reuseport"_cb" check going deeper into 
reuseport_select_sock() but there is an extra inet6_ehashfn for all TCP_ESTABLISHED.

> reuseport group. inet[6]_lookup_reuseport already check this flag,
> so we can't execute an erroneous reuseport lookup by definition.
> 
> Remove the unnecessary assertions to fix the out of bounds access.
> 
> Fixes: 9c02bec95954 ("bpf, net: Support SO_REUSEPORT sockets with bpf_sk_assign")
> Reported-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
> Signed-off-by: Lorenz Bauer <lmb@isovalent.com>
> ---
>   include/net/inet6_hashtables.h | 10 ----------
>   include/net/inet_hashtables.h  | 10 ----------
>   2 files changed, 20 deletions(-)
> 
> diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h
> index 284b5ce7205d..f9907ed36d54 100644
> --- a/include/net/inet6_hashtables.h
> +++ b/include/net/inet6_hashtables.h
> @@ -119,16 +119,6 @@ struct sock *inet6_steal_sock(struct net *net, struct sk_buff *skb, int doff,
>   	if (!prefetched)
>   		return sk;
>   
> -	if (sk->sk_protocol == IPPROTO_TCP) {
> -		if (sk->sk_state != TCP_LISTEN)
> -			return sk;
> -	} else if (sk->sk_protocol == IPPROTO_UDP) {
> -		if (sk->sk_state != TCP_CLOSE)
> -			return sk;
> -	} else {
> -		return sk;
> -	}
> -
>   	reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff,
>   					  saddr, sport, daddr, ntohs(dport),
>   					  ehashfn);
> diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
> index 1177effabed3..57a46993383a 100644
> --- a/include/net/inet_hashtables.h
> +++ b/include/net/inet_hashtables.h
> @@ -465,16 +465,6 @@ struct sock *inet_steal_sock(struct net *net, struct sk_buff *skb, int doff,
>   	if (!prefetched)
>   		return sk;
>   
> -	if (sk->sk_protocol == IPPROTO_TCP) {
> -		if (sk->sk_state != TCP_LISTEN)
> -			return sk;
> -	} else if (sk->sk_protocol == IPPROTO_UDP) {
> -		if (sk->sk_state != TCP_CLOSE)
> -			return sk;
> -	} else {
> -		return sk;
> -	}
> -
>   	reuse_sk = inet_lookup_reuseport(net, sk, skb, doff,
>   					 saddr, sport, daddr, ntohs(dport),
>   					 ehashfn);
> 
> ---
> base-commit: eb62e6aef940fcb1879100130068369d4638088f
> change-id: 20230808-bpf-next-a442a095562b
> 
> Best regards,

next prev parent reply	other threads:[~2023-08-09 14:39 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-09  8:33 [PATCH bpf-next] net: Fix slab-out-of-bounds in inet[6]_steal_sock Lorenz Bauer
2023-08-09 11:58 ` Kumar Kartikeya Dwivedi
2023-08-09 14:39 ` Martin KaFai Lau [this message]
2023-08-09 15:08   ` Lorenz Bauer
2023-08-09 15:55     ` Kuniyuki Iwashima
2023-08-09 16:55       ` Lorenz Bauer
2023-08-09 17:14         ` Kuniyuki Iwashima
2023-08-09 17:12       ` Martin KaFai Lau
2023-08-12  3:35         ` Martin KaFai Lau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6acbbf63-ba10-4a66-5e31-b9a499f79489@linux.dev \
    --to=martin.lau@linux.dev \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=kuniyu@amazon.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lmb@isovalent.com \
    --cc=martin.lau@kernel.org \
    --cc=memxor@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.