Re: [PATCH net 13/16] net/sched: act_skbedit: validate the control action inside init()

[Vlad Buslov <vladbu@mellanox.com>]

On Wed 27 Feb 2019 at 17:40, Davide Caratti <dcaratti@redhat.com> wrote:
> the following script:
>
>  # tc qdisc add dev crash0 clsact
>  # tc filter add dev crash0 egress matchall \
>  > action skbedit ptype host pass index 90
>  # tc actions replace action skbedit \
>  > ptype host goto chain 42 index 90 cookie c1a0c1a0
>  # tc actions show action skbedit
>
> had the following output:
>
>  Error: Failed to init TC action chain.
>  We have an error talking to the kernel
>  total acts 1
>
>          action order 0: skbedit  ptype host goto chain 42
>           index 90 ref 2 bind 1
>          cookie c1a0c1a0
>
> Then, the first packet transmitted by crash0 made the kernel crash:
>
>  BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
>  #PF error: [normal kernel read fault]
>  PGD 0 P4D 0
>  Oops: 0000 [#1] SMP PTI
>  CPU: 3 PID: 3467 Comm: kworker/3:3 Not tainted 5.0.0-rc4.gotochain_crash+ #536
>  Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
>  Workqueue: ipv6_addrconf addrconf_dad_work
>  RIP: 0010:tcf_action_exec+0xb8/0x100
>  Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
>  RSP: 0018:ffffb50a81e1fad0 EFLAGS: 00010246
>  RAX: 000000002000002a RBX: ffff9aa47ba4ea00 RCX: 0000000000000001
>  RDX: 0000000000000000 RSI: ffff9aa469eeb3c0 RDI: ffff9aa47ba4ea00
>  RBP: ffffb50a81e1fb70 R08: 0000000000000000 R09: 0000000000000000
>  R10: 0000000000000000 R11: ffff9aa47bce0638 R12: ffff9aa4793b0c00
>  R13: ffff9aa4793b0c08 R14: 0000000000000001 R15: ffff9aa469eeb3c0
>  FS:  0000000000000000(0000) GS:ffff9aa474780000(0000) knlGS:0000000000000000
>  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>  CR2: 0000000000000000 CR3: 000000007360e005 CR4: 00000000001606e0
>  Call Trace:
>   tcf_classify+0x58/0x120
>   __dev_queue_xmit+0x40a/0x890
>   ? ndisc_next_option+0x50/0x50
>   ? ___neigh_create+0x4d5/0x680
>   ? ip6_finish_output2+0x1b5/0x590
>   ip6_finish_output2+0x1b5/0x590
>   ? ip6_output+0x68/0x110
>   ip6_output+0x68/0x110
>   ? nf_hook.constprop.28+0x79/0xc0
>   ndisc_send_skb+0x248/0x2e0
>   ndisc_send_ns+0xf8/0x200
>   ? addrconf_dad_work+0x389/0x4b0
>   addrconf_dad_work+0x389/0x4b0
>   ? __switch_to_asm+0x34/0x70
>   ? process_one_work+0x195/0x380
>   ? addrconf_dad_completed+0x370/0x370
>   process_one_work+0x195/0x380
>   worker_thread+0x30/0x390
>   ? process_one_work+0x380/0x380
>   kthread+0x113/0x130
>   ? kthread_park+0x90/0x90
>   ret_from_fork+0x35/0x40
>  Modules linked in: act_skbedit veth ip6table_filter ip6_tables iptable_filter binfmt_misc crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ext4 snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep mbcache snd_hda_core jbd2 snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd cryptd snd_timer glue_helper snd joydev soundcore pcspkr virtio_balloon i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_net net_failover drm failover virtio_blk virtio_console ata_piix virtio_pci crc32c_intel serio_raw libata virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod
>  CR2: 0000000000000000
>
> Validating the control action within tcf_skbedit_init() proved to fix the
> above issue. A TDC selftest is added to verify the correct behavior.
>
> Fixes: db50514f9a9c ("net: sched: add termination action to allow goto chain")
> Fixes: 97763dc0f401 ("net_sched: reject unknown tcfa_action values")
> Signed-off-by: Davide Caratti <dcaratti@redhat.com>
> ---
>  net/sched/act_skbedit.c                       | 22 +++++++++++++---
>  .../tc-testing/tc-tests/actions/skbedit.json  | 25 +++++++++++++++++++
>  2 files changed, 43 insertions(+), 4 deletions(-)
>
> diff --git a/net/sched/act_skbedit.c b/net/sched/act_skbedit.c
> index 9a8a0f2d4418..5a0d35b2dac3 100644
> --- a/net/sched/act_skbedit.c
> +++ b/net/sched/act_skbedit.c
> @@ -26,6 +26,7 @@
>  #include <net/ip.h>
>  #include <net/ipv6.h>
>  #include <net/dsfield.h>
> +#include <net/pkt_cls.h>
>  
>  #include <linux/tc_act/tc_skbedit.h>
>  #include <net/tc_act/tc_skbedit.h>
> @@ -100,6 +101,7 @@ static int tcf_skbedit_init(struct net *net, struct nlattr *nla,
>  			    struct netlink_ext_ack *extack)
>  {
>  	struct tc_action_net *tn = net_generic(net, skbedit_net_id);
> +	struct tcf_chain *newchain = NULL, *oldchain;
>  	struct tcf_skbedit_params *params_new;
>  	struct nlattr *tb[TCA_SKBEDIT_MAX + 1];
>  	struct tc_skbedit *parm;
> @@ -187,12 +189,13 @@ static int tcf_skbedit_init(struct net *net, struct nlattr *nla,
>  			return -EEXIST;
>  		}
>  	}
> +	err = tcf_action_check_ctrlact(parm->action, tp, &newchain, extack);
> +	if (err)
> +		goto release_idr;
>  
>  	params_new = kzalloc(sizeof(*params_new), GFP_KERNEL);
> -	if (unlikely(!params_new)) {
> -		tcf_idr_release(*a, bind);
> -		return -ENOMEM;
> -	}
> +	if (unlikely(!params_new))
> +		goto put_chain;

Set err=-ENOMEM before goto.

>  
>  	params_new->flags = flags;
>  	if (flags & SKBEDIT_F_PRIORITY)
> @@ -209,6 +212,8 @@ static int tcf_skbedit_init(struct net *net, struct nlattr *nla,
>  		params_new->mask = *mask;
>  
>  	spin_lock_bh(&d->tcf_lock);
> +	oldchain = d->tcf_goto_chain;
> +	d->tcf_goto_chain = newchain;
>  	d->tcf_action = parm->action;
>  	rcu_swap_protected(d->params, params_new,
>  			   lockdep_is_held(&d->tcf_lock));
> @@ -218,7 +223,16 @@ static int tcf_skbedit_init(struct net *net, struct nlattr *nla,
>  
>  	if (ret == ACT_P_CREATED)
>  		tcf_idr_insert(tn, *a);
> +	if (oldchain)
> +		tcf_chain_put_by_act(oldchain);
>  	return ret;
> +
> +put_chain:
> +	if (newchain)
> +		tcf_chain_put_by_act(newchain);
> +release_idr:
> +	tcf_idr_release(*a, bind);
> +	return err;
>  }
>  
>  static int tcf_skbedit_dump(struct sk_buff *skb, struct tc_action *a,
> diff --git a/tools/testing/selftests/tc-testing/tc-tests/actions/skbedit.json b/tools/testing/selftests/tc-testing/tc-tests/actions/skbedit.json
> index 5aaf593b914a..ecd96eda7f6a 100644
> --- a/tools/testing/selftests/tc-testing/tc-tests/actions/skbedit.json
> +++ b/tools/testing/selftests/tc-testing/tc-tests/actions/skbedit.json
> @@ -484,5 +484,30 @@
>          "teardown": [
>              "$TC actions flush action skbedit"
>          ]
> +    },
> +    {
> +        "id": "1b2b",
> +        "name": "Replace skbedit action with invalid goto_chain control",
> +        "category": [
> +            "actions",
> +            "skbedit"
> +        ],
> +        "setup": [
> +            [
> +                "$TC actions flush action skbedit",
> +                0,
> +                1,
> +                255
> +            ],
> +            "$TC actions add action skbedit ptype host pass index 90"
> +        ],
> +        "cmdUnderTest": "$TC actions replace action skbedit ptype host goto chain 42 index 90 cookie c1a0c1a0",
> +        "expExitCode": "255",
> +        "verifyCmd": "$TC actions list action skbedit",
> +        "matchPattern": "action order [0-9]*: skbedit  ptype host pass.*index 90 ref",
> +        "matchCount": "1",
> +        "teardown": [
> +            "$TC actions flush action skbedit"
> +        ]
>      }
>  ]