BPF List
* [PATCH bpf] bpf: reject mini-sockets in bpf_sock_destroy()
@ 2026-07-02 22:45 Xiang Mei (Microsoft)
  2026-07-02 23:05 ` sashiko-bot
  0 siblings, 1 reply; 3+ messages in thread
From: Xiang Mei (Microsoft) @ 2026-07-02 22:45 UTC (permalink / raw)
  To: ast, daniel, andrii, eddyz87, memxor, bpf
  Cc: netdev, martin.lau, song, yonghong.song, jolsa, emil,
	john.fastabend, sdf, aditi.ghag, AutonomousCodeSecurity,
	tgopinath, kys, linux-kernel, Xiang Mei (Microsoft)

bpf_sock_destroy() casts its struct sock_common * argument to a full
struct sock and reads sk->sk_protocol. The BPF tcp iterator can pass a
TIME_WAIT or NEW_SYN_RECV mini-socket, which only embeds a sock_common
prefix. Unlike sk_prot (which aliases skc_prot inside sock_common),
sk_protocol lives beyond that prefix, so the read goes out of bounds of
the small tw_sock_TCP object (type confusion).

Reject non-full sockets with sk_fullsock() before touching any
full-sock field. sk_fullsock() only reads sk_state (in sock_common),
and these mini-sockets have no ->diag_destroy(). This matches the other
sock_common consumers in this file, e.g. bpf_skc_to_tcp_sock(), which
already check sk_fullsock() before reading sk_protocol.

  BUG: KASAN: slab-out-of-bounds in bpf_sock_destroy (net/core/filter.c:12673)
  Read of size 2 at addr ffff888013ffc71c by task exploit/143
  Call Trace:
   kasan_report (mm/kasan/report.c:595)
   bpf_sock_destroy (net/core/filter.c:12673)
   bpf_prog_8b5bd55c189cabc9_sock_destroy_tw+0x31/0x3e
   bpf_iter_run_prog (kernel/bpf/bpf_iter.c:697)
   bpf_iter_tcp_seq_show (net/ipv4/tcp_ipv4.c:3247)
   bpf_seq_read (kernel/bpf/bpf_iter.c:184)
   vfs_read (fs/read_write.c:572)
   ksys_read (fs/read_write.c:716)
   do_syscall_64 (arch/x86/entry/syscall_64.c:94)
   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
  ...
  The buggy address belongs to the object at ffff888013ffc640
   which belongs to the cache tw_sock_TCP of size 256
  The buggy address is located 220 bytes inside of
   allocated 256-byte region [ffff888013ffc640, ffff888013ffc740)

Fixes: 4ddbcb886268 ("bpf: Add bpf_sock_destroy kfunc")
Reported-by: AutonomousCodeSecurity@microsoft.com
Signed-off-by: Xiang Mei (Microsoft) <xmei5@asu.edu>
---
 net/core/filter.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/core/filter.c b/net/core/filter.c
index 69ec1a4c0f9d..a0fcafb08b96 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -12665,6 +12665,9 @@ __bpf_kfunc int bpf_sock_destroy(struct sock_common *sock)
 {
 	struct sock *sk = (struct sock *)sock;
 
+	if (!sk_fullsock(sk))
+		return -EOPNOTSUPP;
+
 	/* The locking semantics that allow for synchronous execution of the
 	 * destroy handlers are only supported for TCP and UDP.
 	 * Supporting protocols will need to acquire sock lock in the BPF context
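Review bot: the new sk_fullsock() check in this hunk carries no comment, while the block right below it documents why only TCP and UDP are accepted; a reader seeing -EOPNOTSUPP for a TIME_WAIT socket will have to dig out this commit to learn the reason. Suggest a one-line comment above the check, e.g. "/* TIME_WAIT/NEW_SYN_RECV mini-sockets only embed sock_common; sk_protocol lies past it. */", so the reason the early return precedes any access to full-sock fields is visible in the code itself. The cast to struct sock * on the line above the check is fine as it only produces a pointer; the important property is that sk_fullsock() reads nothing outside sock_common, which the commit message states but the hunk does not.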
-- 
2.43.0

