From: "Toke Høiland-Jørgensen" <toke@kernel.org>
To: Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: "Ricardo Cañuelo Navarro" <rcn@igalia.com>,
"Alexei Starovoitov" <ast@kernel.org>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"David S. Miller" <davem@davemloft.net>,
"Jakub Kicinski" <kuba@kernel.org>,
"Jesper Dangaard Brouer" <hawk@kernel.org>,
"John Fastabend" <john.fastabend@gmail.com>,
"Thomas Gleixner" <tglx@linutronix.de>
Subject: Re: [RFC] Use after free in BPF/ XDP during XDP_REDIRECT
Date: Thu, 13 Mar 2025 20:28:06 +0100 [thread overview]
Message-ID: <87ecz0u3w9.fsf@toke.dk> (raw)
In-Reply-To: <20250313183911.SPAmGLyw@linutronix.de>
Sebastian Andrzej Siewior <bigeasy@linutronix.de> writes:
> Hi,
>
> Ricardo reported a KASAN related use after free
> https://lore.kernel.org/all/20250226-20250204-kasan-slab-use-after-free-read-in-dev_map_enqueue__submit-v3-0-360efec441ba@igalia.com/
>
> in v6.6 stable and suggest a backport of commits
> 401cb7dae8130 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.")
> fecef4cd42c68 ("tun: Assign missing bpf_net_context.")
> 9da49aa80d686 ("tun: Add missing bpf_net_ctx_clear() in do_xdp_generic()")
>
> as a fix. In the meantime I have the syz reproducer+config and was able
> to investigate.
> It looks as if the syzbot starts a BPF program via xdp_test_run_batch()
> which assigns ri->tgt_value via dev_hash_map_redirect() and the return code
> isn't XDP_REDIRECT it looks like nonsense. So the print in
> bpf_warn_invalid_xdp_action() appears once. Everything goes as planned.
> Then the TUN driver runs another BPF program which returns XDP_REDIRECT
> without setting ri->tgt_value. This appears to be a trick because it
> invoked bpf_trace_printk() which printed four characters. Anyway, this
> is enough to get xdp_do_redirect() going.
>
> The commits in questions do fix it because the bpf_redirect_info becomes
> not only per-task but gets invalidated after the XDP context is left.
>
> Now that I understand it I would suggest something smaller instead as a
> stable fix, (instead the proposed patches). Any objections to the
> following:
>
> diff --git a/net/core/filter.c b/net/core/filter.c
> index be313928d272..1d906b7a541d 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -9000,8 +9000,12 @@ static bool xdp_is_valid_access(int off, int size,
>
> void bpf_warn_invalid_xdp_action(struct net_device *dev, struct bpf_prog *prog, u32 act)
> {
> + struct bpf_redirect_info *ri = this_cpu_ptr(&bpf_redirect_info);
> const u32 act_max = XDP_REDIRECT;
>
> + ri->map_id = INT_MAX;
> + ri->map_type = BPF_MAP_TYPE_UNSPEC;
> +
> pr_warn_once("%s XDP return value %u on prog %s (id %d) dev %s, expect packet loss!\n",
> act > act_max ? "Illegal" : "Driver unsupported",
> act, prog->aux->name, prog->aux->id, dev ? dev->name : "N/A");
From your description above, this will fix the particular error
encountered, but what happens if the initial return code is not in fact
nonsense (so the warn_invalid_action) is not triggered?
I.e.,
bpf_redirect_map(...);
return XDP_DROP;
would still leave ri->map_id and ri->map_type set for the later tun
driver invocation, no?
-Toke
next prev parent reply other threads:[~2025-03-13 19:28 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-13 18:39 [RFC] Use after free in BPF/ XDP during XDP_REDIRECT Sebastian Andrzej Siewior
2025-03-13 19:28 ` Toke Høiland-Jørgensen [this message]
2025-03-13 20:32 ` Sebastian Andrzej Siewior
2025-03-14 9:21 ` Toke Høiland-Jørgensen
2025-03-14 15:30 ` Sebastian Andrzej Siewior
2025-03-14 16:03 ` Toke Høiland-Jørgensen
2025-03-14 17:27 ` Sebastian Andrzej Siewior
2025-03-17 10:29 ` Toke Høiland-Jørgensen
2025-03-17 12:01 ` Ricardo Cañuelo Navarro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ecz0u3w9.fsf@toke.dk \
--to=toke@kernel.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bigeasy@linutronix.de \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=hawk@kernel.org \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=rcn@igalia.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.