Re: [PATCH bpf-next] net: Fix slab-out-of-bounds in inet[6]_steal_sock

public inbox for bpf@vger.kernel.org
 help / color / mirror / Atom feed

From: Martin KaFai Lau <martin.lau@linux.dev>
To: Lorenz Bauer <lmb@isovalent.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Kuniyuki Iwashima <kuniyu@amazon.com>,
	Martin KaFai Lau <martin.lau@kernel.org>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	bpf@vger.kernel.org, Kumar Kartikeya Dwivedi <memxor@gmail.com>
Subject: Re: [PATCH bpf-next] net: Fix slab-out-of-bounds in inet[6]_steal_sock
Date: Wed, 9 Aug 2023 07:39:28 -0700	[thread overview]
Message-ID: <6acbbf63-ba10-4a66-5e31-b9a499f79489@linux.dev> (raw)
In-Reply-To: <20230809-bpf-next-v1-1-c1b80712e83b@isovalent.com>

On 8/9/23 1:33 AM, Lorenz Bauer wrote:
> Kumar reported a KASAN splat in tcp_v6_rcv:
> 
>    bash-5.2# ./test_progs -t btf_skc_cls_ingress
>    ...
>    [   51.810085] BUG: KASAN: slab-out-of-bounds in tcp_v6_rcv+0x2d7d/0x3440
>    [   51.810458] Read of size 2 at addr ffff8881053f038c by task test_progs/226
> 
> The problem is that inet[6]_steal_sock accesses sk->sk_protocol without
> accounting for request sockets. I added the check to ensure that we only
> every try to perform a reuseport lookup on a supported socket.
> 
> It turns out that this isn't necessary at all. struct sock_common contains
> a skc_reuseport flag which indicates whether a socket is part of a

Does it go back to the earlier discussion 
(https://lore.kernel.org/bpf/7188429a-c380-14c8-57bb-9d05d3ba4e5e@linux.dev/) 
that the sk->sk_reuseport is 1 from sk_clone for TCP_ESTABLISHED? It works 
because there is sk->sk_reuseport"_cb" check going deeper into 
reuseport_select_sock() but there is an extra inet6_ehashfn for all TCP_ESTABLISHED.

> reuseport group. inet[6]_lookup_reuseport already check this flag,
> so we can't execute an erroneous reuseport lookup by definition.
> 
> Remove the unnecessary assertions to fix the out of bounds access.
> 
> Fixes: 9c02bec95954 ("bpf, net: Support SO_REUSEPORT sockets with bpf_sk_assign")
> Reported-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
> Signed-off-by: Lorenz Bauer <lmb@isovalent.com>
> ---
>   include/net/inet6_hashtables.h | 10 ----------
>   include/net/inet_hashtables.h  | 10 ----------
>   2 files changed, 20 deletions(-)
> 
> diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h
> index 284b5ce7205d..f9907ed36d54 100644
> --- a/include/net/inet6_hashtables.h
> +++ b/include/net/inet6_hashtables.h
> @@ -119,16 +119,6 @@ struct sock *inet6_steal_sock(struct net *net, struct sk_buff *skb, int doff,
>   	if (!prefetched)
>   		return sk;
>   
> -	if (sk->sk_protocol == IPPROTO_TCP) {
> -		if (sk->sk_state != TCP_LISTEN)
> -			return sk;
> -	} else if (sk->sk_protocol == IPPROTO_UDP) {
> -		if (sk->sk_state != TCP_CLOSE)
> -			return sk;
> -	} else {
> -		return sk;
> -	}
> -
>   	reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff,
>   					  saddr, sport, daddr, ntohs(dport),
>   					  ehashfn);
> diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
> index 1177effabed3..57a46993383a 100644
> --- a/include/net/inet_hashtables.h
> +++ b/include/net/inet_hashtables.h
> @@ -465,16 +465,6 @@ struct sock *inet_steal_sock(struct net *net, struct sk_buff *skb, int doff,
>   	if (!prefetched)
>   		return sk;
>   
> -	if (sk->sk_protocol == IPPROTO_TCP) {
> -		if (sk->sk_state != TCP_LISTEN)
> -			return sk;
> -	} else if (sk->sk_protocol == IPPROTO_UDP) {
> -		if (sk->sk_state != TCP_CLOSE)
> -			return sk;
> -	} else {
> -		return sk;
> -	}
> -
>   	reuse_sk = inet_lookup_reuseport(net, sk, skb, doff,
>   					 saddr, sport, daddr, ntohs(dport),
>   					 ehashfn);
> 
> ---
> base-commit: eb62e6aef940fcb1879100130068369d4638088f
> change-id: 20230808-bpf-next-a442a095562b
> 
> Best regards,

next prev parent reply	other threads:[~2023-08-09 14:39 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-09  8:33 [PATCH bpf-next] net: Fix slab-out-of-bounds in inet[6]_steal_sock Lorenz Bauer
2023-08-09 11:58 ` Kumar Kartikeya Dwivedi
2023-08-09 14:39 ` Martin KaFai Lau [this message]
2023-08-09 15:08   ` Lorenz Bauer
2023-08-09 15:55     ` Kuniyuki Iwashima
2023-08-09 16:55       ` Lorenz Bauer
2023-08-09 17:14         ` Kuniyuki Iwashima
2023-08-09 17:12       ` Martin KaFai Lau
2023-08-12  3:35         ` Martin KaFai Lau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6acbbf63-ba10-4a66-5e31-b9a499f79489@linux.dev \
    --to=martin.lau@linux.dev \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=kuniyu@amazon.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lmb@isovalent.com \
    --cc=martin.lau@kernel.org \
    --cc=memxor@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox