From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Jiayuan Chen <jiayuan.chen@linux.dev>
Cc: bpf <bpf@vger.kernel.org>, Jiayuan Chen <mrpre@163.com>,
syzbot+0e6ddb1ef80986bdfe64@syzkaller.appspotmail.com,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>,
Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>,
Hao Luo <haoluo@google.com>, Jiri Olsa <jolsa@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
Jesper Dangaard Brouer <hawk@kernel.org>,
Mykola Lysenko <mykolal@fb.com>, Shuah Khan <shuah@kernel.org>,
Willem de Bruijn <willemb@google.com>,
Jason Xing <kerneljasonxing@gmail.com>,
Anton Protopopov <aspsk@isovalent.com>,
Abhishek Chauhan <quic_abchauha@quicinc.com>,
Jordan Rome <linux@jordanrome.com>,
Martin Kelly <martin.kelly@crowdstrike.com>,
David Lechner <dlechner@baylibre.com>,
LKML <linux-kernel@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>
Subject: Re: [PATCH bpf v2 1/2] bpf, xdp: clean head/meta when expanding it
Date: Thu, 03 Apr 2025 10:32:09 -0400 [thread overview]
Message-ID: <67ee9be9db59b_138964294b7@willemb.c.googlers.com.notmuch> (raw)
In-Reply-To: <CAADnVQJ6NPGuY=c8kbpX_nLYq4oOxOBAxbDPFLuw+yr4WrQQOQ@mail.gmail.com>
Alexei Starovoitov wrote:
> On Sun, Mar 30, 2025 at 8:27 PM Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
> >
> > The device allocates an skb, it additionally allocates a prepad size
> > (usually equal to NET_SKB_PAD or XDP_PACKET_HEADROOM) but leaves it
> > uninitialized.
> >
> > The bpf_xdp_adjust_head function moves skb->data forward, which allows
> > users to access data belonging to other programs, posing a security risk.
> >
> > Reported-by: syzbot+0e6ddb1ef80986bdfe64@syzkaller.appspotmail.com
> > Closes: https://lore.kernel.org/all/00000000000067f65105edbd295d@google.com/T/
> > Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
> > ---
> > include/uapi/linux/bpf.h | 8 +++++---
> > net/core/filter.c | 5 ++++-
> > tools/include/uapi/linux/bpf.h | 6 ++++--
> > 3 files changed, 13 insertions(+), 6 deletions(-)
> >
> > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> > index defa5bb881f4..be01a848cbbf 100644
> > --- a/include/uapi/linux/bpf.h
> > +++ b/include/uapi/linux/bpf.h
> > @@ -2760,8 +2760,9 @@ union bpf_attr {
> > *
> > * long bpf_xdp_adjust_head(struct xdp_buff *xdp_md, int delta)
> > * Description
> > - * Adjust (move) *xdp_md*\ **->data** by *delta* bytes. Note that
> > - * it is possible to use a negative value for *delta*. This helper
> > + * Adjust (move) *xdp_md*\ **->data** by *delta* bytes. Note that
> > + * it is possible to use a negative value for *delta*. If *delta*
> > + * is negative, the new header will be memset to zero. This helper
> > * can be used to prepare the packet for pushing or popping
> > * headers.
> > *
> > @@ -2989,7 +2990,8 @@ union bpf_attr {
> > * long bpf_xdp_adjust_meta(struct xdp_buff *xdp_md, int delta)
> > * Description
> > * Adjust the address pointed by *xdp_md*\ **->data_meta** by
> > - * *delta* (which can be positive or negative). Note that this
> > + * *delta* (which can be positive or negative). If *delta* is
> > + * negative, the new meta will be memset to zero. Note that this
> > * operation modifies the address stored in *xdp_md*\ **->data**,
> > * so the latter must be loaded only after the helper has been
> > * called.
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index 46ae8eb7a03c..5f01d373b719 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -3947,6 +3947,8 @@ BPF_CALL_2(bpf_xdp_adjust_head, struct xdp_buff *, xdp, int, offset)
> > if (metalen)
> > memmove(xdp->data_meta + offset,
> > xdp->data_meta, metalen);
> > + if (offset < 0)
> > + memset(data, 0, -offset);
> > xdp->data_meta += offset;
> > xdp->data = data;
> >
> > @@ -4239,7 +4241,8 @@ BPF_CALL_2(bpf_xdp_adjust_meta, struct xdp_buff *, xdp, int, offset)
> > return -EINVAL;
> > if (unlikely(xdp_metalen_invalid(metalen)))
> > return -EACCES;
> > -
> > + if (offset < 0)
> > + memset(meta, 0, -offset);
>
> Let's make everyone pay a performance penalty to silence
> KMSAN warning?
>
> I don't think it's a good trade off.
>
> Soft nack.
I also assumed that this was known when the feature was originally
introduced and left as is for performance reasons.
Might be good to have that explicit. And that it is deemed safe by
virtue of XDP requiring superuser privileges anyway. Or at least I
guess that was the thought process?
next prev parent reply other threads:[~2025-04-03 14:32 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-31 3:23 [PATCH bpf v2 0/2] bpf, xdp: clean adjust_{head,meta} memory when offset < 0 Jiayuan Chen
2025-03-31 3:23 ` [PATCH bpf v2 1/2] bpf, xdp: clean head/meta when expanding it Jiayuan Chen
2025-04-03 8:17 ` Jesper Dangaard Brouer
2025-04-03 14:24 ` Alexei Starovoitov
2025-04-03 14:32 ` Willem de Bruijn [this message]
2025-04-04 0:28 ` Alexei Starovoitov
2025-04-04 0:27 ` Jiayuan Chen
2025-04-04 0:29 ` Alexei Starovoitov
2025-03-31 3:23 ` [PATCH bpf v2 2/2] selftests/bpf: add perf test for adjust_{head,meta} Jiayuan Chen
2025-04-03 0:24 ` Jakub Kicinski
2025-04-03 9:37 ` Jesper Dangaard Brouer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=67ee9be9db59b_138964294b7@willemb.c.googlers.com.notmuch \
--to=willemdebruijn.kernel@gmail.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=aspsk@isovalent.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dlechner@baylibre.com \
--cc=eddyz87@gmail.com \
--cc=edumazet@google.com \
--cc=haoluo@google.com \
--cc=hawk@kernel.org \
--cc=horms@kernel.org \
--cc=jiayuan.chen@linux.dev \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kerneljasonxing@gmail.com \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux@jordanrome.com \
--cc=martin.kelly@crowdstrike.com \
--cc=martin.lau@linux.dev \
--cc=mrpre@163.com \
--cc=mykolal@fb.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=quic_abchauha@quicinc.com \
--cc=sdf@fomichev.me \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=syzbot+0e6ddb1ef80986bdfe64@syzkaller.appspotmail.com \
--cc=willemb@google.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).