From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Martin KaFai Lau, Daniel Borkmann
Subject: [PATCH 5.15 14/22] bpf: bpf_fib_lookup should not return neigh in NUD_FAILED state
Date: Wed, 1 Mar 2023 19:08:47 +0100
Message-Id: <20230301180653.221539252@linuxfoundation.org>
In-Reply-To: <20230301180652.658125575@linuxfoundation.org>
References: <20230301180652.658125575@linuxfoundation.org>

From: Martin KaFai Lau

commit 1fe4850b34ab512ff911e2c035c75fb6438f7307 upstream.

The bpf_fib_lookup() helper does not only look up the fib (ie. route) but it also looks up the neigh. Before returning the neigh, the helper does not check for NUD_VALID. When a neigh state (neigh->nud_state) is in NUD_FAILED, its dmac (neigh->ha) could be all zeros. The helper still returns SUCCESS instead of NO_NEIGH in this case. Because of the SUCCESS return value, the bpf prog directly uses the returned dmac and ends up filling all zero in the eth header.

This patch checks for NUD_VALID and returns NO_NEIGH if the neigh is not valid.

Signed-off-by: Martin KaFai Lau
Signed-off-by: Daniel Borkmann
Link: https://lore.kernel.org/bpf/20230217004150.2980689-3-martin.lau@linux.dev
Signed-off-by: Greg Kroah-Hartman
---
 net/core/filter.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/core/filter.c +++ b/net/core/filter.c @@ -5506,7 +5506,7 @@ static int bpf_ipv4_fib_lookup(struct ne neigh = __ipv6_neigh_lookup_noref_stub(dev, dst); } - if (!neigh) + if (!neigh || !(neigh->nud_state & NUD_VALID)) return BPF_FIB_LKUP_RET_NO_NEIGH; return bpf_fib_set_fwd_params(params, neigh, dev, mtu); @@ -5621,7 +5621,7 @@ static int bpf_ipv6_fib_lookup(struct ne * not needed here. */ neigh = __ipv6_neigh_lookup_noref_stub(dev, dst); - if (!neigh) + if (!neigh || !(neigh->nud_state & NUD_VALID)) return BPF_FIB_LKUP_RET_NO_NEIGH; return bpf_fib_set_fwd_params(params, neigh, dev, mtu);
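
Review bot: in the bpf_ipv4_fib_lookup() hunk (@@ -5506), the added test reads neigh->nud_state as a plain load on a neigh returned by a lookup whose name, __ipv6_neigh_lookup_noref_stub(), says no reference is taken, and no lock is visible in the hunk, so the state can change between this check and the use of the neigh in bpf_fib_set_fwd_params(). Consider READ_ONCE(neigh->nud_state) to mark the lockless read, and add a one-line comment above the test saying that a neigh in NUD_FAILED may carry an all-zero ha, because that reason currently lives only in the commit message.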
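
Review bot: in the bpf_ipv6_fib_lookup() hunk (@@ -5621), the condition "!neigh || !(neigh->nud_state & NUD_VALID)" is a verbatim copy of the one in the IPv4 hunk, and both sites now return BPF_FIB_LKUP_RET_NO_NEIGH for two different situations: no neigh entry at all, and an entry that exists but is not NUD_VALID. A small shared helper for the validity test would keep the two call sites from drifting apart, and the description of BPF_FIB_LKUP_RET_NO_NEIGH should state that it also covers an existing but invalid neigh, so that bpf prog authors know the dmac is not filled in for either case.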