Re: [PATCH bpf-next v9 1/5] bpf: add bpf_icmp_send kfunc

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Alexei Starovoitov" <alexei.starovoitov@gmail.com>
To: <sashiko-reviews@lists.linux.dev>, "Mahe Tardy" <mahe.tardy@gmail.com>
Cc: <bpf@vger.kernel.org>
Subject: Re: [PATCH bpf-next v9 1/5] bpf: add bpf_icmp_send kfunc
Date: Wed, 24 Jun 2026 13:51:05 -0700	[thread overview]
Message-ID: <DJHKRM5FGZUU.1UF7CLMVRGYJF@gmail.com> (raw)
In-Reply-To: <20260624191927.BE72B1F000E9@smtp.kernel.org>

On Wed Jun 24, 2026 at 12:19 PM PDT, sashiko-bot wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [High] Missing `skb_valid_dst()` check for IPv6 allows type confusion with metadata dst entries, leading to an out-of-bounds read and kernel crash.
> --
>
> commit a59a53956c9b8f69a9dfa47bc54cc9fbcd9759ec
> Author: Mahe Tardy <mahe.tardy@gmail.com>
>
> bpf: add bpf_icmp_send kfunc
>
> This commit introduces a new bpf_icmp_send kfunc to allow BPF programs to
> generate ICMP error messages. It clones the original skb and invokes the
> underlying IPv4 or IPv6 ICMP send routines.
>
>> diff --git a/net/core/filter.c b/net/core/filter.c
>> index 2e96b4b847ce1..f3aa494ed1053 100644
>> --- a/net/core/filter.c
>> +++ b/net/core/filter.c
>
> [ ... ]
>
>> +__bpf_kfunc int bpf_icmp_send(struct __sk_buff *skb_ctx, int type, int code)
>> +{
>> +	struct sk_buff *skb = (struct sk_buff *)skb_ctx;
>> +	struct sk_buff *nskb;
>> +	struct sock *sk;
>
> [ ... ]
>
>> +	switch (skb->protocol) {
>> +#if IS_ENABLED(CONFIG_INET)
>> +	case htons(ETH_P_IP): {
>> +		if (type != ICMP_DEST_UNREACH)
>> +			return -EOPNOTSUPP;
>> +		if (code < 0 || code > NR_ICMP_UNREACH ||
>> +		    code == ICMP_FRAG_NEEDED) /* needs a valid next-hop MTU */
>> +			return -EINVAL;
>> +
>> +		/* icmp_send requires a rtable; test-run synthetic skbs lack one. */
>> +		if (!skb_valid_dst(skb))
>> +			return -ENETUNREACH;
>> +
>> +		nskb = skb_clone(skb, GFP_ATOMIC);
>
> [ ... ]
>
>> +#if IS_ENABLED(CONFIG_IPV6)
>> +	case htons(ETH_P_IPV6):
>> +		if (type != ICMPV6_DEST_UNREACH)
>> +			return -EOPNOTSUPP;
>> +		if (code < 0 || code > ICMPV6_REJECT_ROUTE)
>> +			return -EINVAL;
>> +
>
> [Severity: High]
> Should there be a check for skb_valid_dst(skb) here before cloning and
> sending the IPv6 ICMP message?
>
> It looks like the IPv4 branch validates the dst to prevent routing table
> lookups on synthetic or metadata-dst packets, but the IPv6 branch does not.
>
> If an IPv6 packet with a metadata_dst (e.g., from LWT or a tunnel) is
> passed to bpf_icmp_send(), could icmpv6_send() process the invalid dst and
> cast it to a struct rt6_info in icmp6_dev()? Dereferencing rt6->rt6i_idev
> might then read out of bounds from the metadata_dst struct and cause a
> kernel crash.

Sounds like a real issue.

Mahe,
when you respin please cc netdev.
We need an ack from networking maintainers.

pw-bot: cr

next prev parent reply	other threads:[~2026-06-24 20:51 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-24 18:55 [PATCH bpf-next v9 0/5] bpf: add icmp_send kfunc Mahe Tardy
2026-06-24 18:55 ` [PATCH bpf-next v9 1/5] bpf: add bpf_icmp_send kfunc Mahe Tardy
2026-06-24 19:10   ` Emil Tsalapatis
2026-06-24 19:19   ` sashiko-bot
2026-06-24 20:51     ` Alexei Starovoitov [this message]
2026-06-24 21:24   ` Jordan Rife
2026-06-24 18:55 ` [PATCH bpf-next v9 2/5] selftests/bpf: add bpf_icmp_send kfunc cgroup_skb tests Mahe Tardy
2026-06-24 18:55 ` [PATCH bpf-next v9 3/5] selftests/bpf: add bpf_icmp_send kfunc cgroup_skb IPv6 tests Mahe Tardy
2026-06-24 21:24   ` Jordan Rife
2026-06-24 18:55 ` [PATCH bpf-next v9 4/5] selftests/bpf: add bpf_icmp_send recursion test Mahe Tardy
2026-06-24 21:24   ` Jordan Rife
2026-06-24 18:55 ` [PATCH bpf-next v9 5/5] selftests/bpf: add bpf_icmp_send no route test Mahe Tardy
2026-06-24 19:13   ` Emil Tsalapatis
2026-06-24 21:24   ` Jordan Rife

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJHKRM5FGZUU.1UF7CLMVRGYJF@gmail.com \
    --to=alexei.starovoitov@gmail.com \
    --cc=bpf@vger.kernel.org \
    --cc=mahe.tardy@gmail.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.