Re: [PATCH bpf 1/3] bpf: Explicitly check accesses to bpf_sock_addr

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Paul Chaignon <paul.chaignon@gmail.com>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: bpf@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Eduard Zingerman <eddyz87@gmail.com>
Subject: Re: [PATCH bpf 1/3] bpf: Explicitly check accesses to bpf_sock_addr
Date: Wed, 17 Sep 2025 09:51:22 +0200	[thread overview]
Message-ID: <aMpoepoZkXZ9qOmf@mail.gmail.com> (raw)
In-Reply-To: <2e1f2075-bef0-456f-82c4-483b5db3dd11@iogearbox.net>

On Tue, Sep 16, 2025 at 09:44:28PM +0200, Daniel Borkmann wrote:
> On 9/16/25 5:17 PM, Paul Chaignon wrote:
> > Syzkaller found a kernel warning on the following sock_addr program:
> > 
> >      0: r0 = 0
> >      1: r2 = *(u32 *)(r1 +60)
> >      2: exit
> > 
> > which triggers:
> > 
> >      verifier bug: error during ctx access conversion (0)
> > 
> > This is happening because offset 60 in bpf_sock_addr corresponds to an
> > implicit padding of 4 bytes, right after msg_src_ip4. Access to this
> > padding isn't rejected in sock_addr_is_valid_access and it thus later
> > fails to convert the access.
> > 
> > This patch fixes it by explicitly checking the various fields of
> > bpf_sock_addr in sock_addr_is_valid_access.
> > 
> > I checked the other ctx structures and is_valid_access functions and
> > didn't find any other similar cases. Other cases of (properly handled)
> > padding are covered in new tests in a subsequent patch.
> > 
> > Fixes: 1cedee13d25a ("bpf: Hooks for sys_sendmsg")
> > Reported-by: syzbot+136ca59d411f92e821b7@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=136ca59d411f92e821b7
> > Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
> > ---
> >   net/core/filter.c | 8 +++++++-
> >   1 file changed, 7 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index da391e2b0788..9ac58960e59e 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -9284,13 +9284,19 @@ static bool sock_addr_is_valid_access(int off, int size,
> >   			return false;
> >   		info->reg_type = PTR_TO_SOCKET;
> >   		break;
> > -	default:
> > +	case bpf_ctx_range(struct bpf_sock_addr, user_family):
> > +	case bpf_ctx_range(struct bpf_sock_addr, family):
> > +	case bpf_ctx_range(struct bpf_sock_addr, type):
> > +	case bpf_ctx_range(struct bpf_sock_addr, protocol):
> >   		if (type == BPF_READ) {
> >   			if (size != size_default)
> >   				return false;
> >   		} else {
> >   			return false;
> >   		}
> > +		break;
> 
> Looks good to me, we can probably also simplify this a bit into:

Thanks for the review!

> 
>                 if (type != BPF_READ)
>                         return false;
>                 if (size != size_default)
>                         return false;
>                 break;
> 
> Also, targeting bpf-next tree seems okay here since the verifier
> can gracefully handle and reject such program (and WARN_ONCE is
> only triggered on CONFIG_DEBUG_KERNEL)?

Yep, that makes sense. I did not think this through :')

> 
> > +	default:
> > +		return false;
> >   	}
> >   	return true;
> 
> Thanks,
> Daniel

next prev parent reply	other threads:[~2025-09-17  7:51 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-09-16 15:17 [PATCH bpf 1/3] bpf: Explicitly check accesses to bpf_sock_addr Paul Chaignon
2025-09-16 15:18 ` [PATCH bpf 2/3] selftests/bpf: Move macros to bpf_misc.h Paul Chaignon
2025-09-16 22:53   ` Eduard Zingerman
2025-09-16 15:19 ` [PATCH bpf 3/3] selftest/bpf: Test accesses to ctx padding Paul Chaignon
2025-09-16 22:59   ` Eduard Zingerman
2025-09-16 19:44 ` [PATCH bpf 1/3] bpf: Explicitly check accesses to bpf_sock_addr Daniel Borkmann
2025-09-17  7:51   ` Paul Chaignon [this message]
2025-09-16 22:45 ` Eduard Zingerman
2025-09-17  8:02   ` Paul Chaignon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aMpoepoZkXZ9qOmf@mail.gmail.com \
    --to=paul.chaignon@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=martin.lau@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.