From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, syzbot+0c4150bff9fff3bf023c@syzkaller.appspotmail.com, Eric Dumazet, Florian Westphal, Daniel Borkmann, Sasha Levin
Subject: [PATCH 6.9 114/250] bpf: Avoid splat in pskb_pull_reason
Date: Tue, 25 Jun 2024 11:31:12 +0200
Message-ID: <20240625085552.447467619@linuxfoundation.org>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240625085548.033507125@linuxfoundation.org>
References: <20240625085548.033507125@linuxfoundation.org>
User-Agent: quilt/0.67
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Florian Westphal

[ Upstream commit 2bbe3e5a2f4ef69d13be54f1cf895b4658287080 ]

syzkaller builds (CONFIG_DEBUG_NET=y) frequently trigger a debug
hint in pskb_may_pull.

We'd like to retain this debug check because it might hint at integer
overflows and other issues (kernel code should pull headers, not huge
value).

In bpf case, this splat isn't interesting at all: such (nonsensical)
bpf programs are typically generated by a fuzzer anyway.

Do what Eric suggested and suppress such warning.

For CONFIG_DEBUG_NET=n we don't need the extra check because
pskb_may_pull will do the right thing: return an error without the
WARN() backtrace.

Fixes: 219eee9c0d16 ("net: skbuff: add overflow debug check to pull/push helpers")
Reported-by: syzbot+0c4150bff9fff3bf023c@syzkaller.appspotmail.com
Suggested-by: Eric Dumazet
Signed-off-by: Florian Westphal
Signed-off-by: Daniel Borkmann Reviewed-by: Eric Dumazet Acked-by: Daniel Borkmann Closes: https://syzkaller.appspot.com/bug?extid=0c4150bff9fff3bf023c Link: https://lore.kernel.org/netdev/9f254c96-54f2-4457-b7ab-1d9f6187939c@gmail.com/ Link: https://lore.kernel.org/bpf/20240614101801.9496-1-fw@strlen.de Signed-off-by: Sasha Levin --- net/core/filter.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index a5856a8b4498b..ce255e0a2fbd9 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -1662,6 +1662,11 @@ static DEFINE_PER_CPU(struct bpf_scratchpad, bpf_sp); static inline int __bpf_try_make_writable(struct sk_buff *skb, unsigned int write_len) { +#ifdef CONFIG_DEBUG_NET + /* Avoid a splat in pskb_may_pull_reason() */ + if (write_len > INT_MAX) + return -EINVAL; +#endif return skb_ensure_writable(skb, write_len); } -- 2.43.0
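Review bot: In __bpf_try_make_writable(), the new "write_len > INT_MAX" check sits inside #ifdef CONFIG_DEBUG_NET, so an oversized write_len returns -EINVAL on debug builds but falls through to skb_ensure_writable() and returns whatever error that path produces on non-debug builds. The commit message confirms the non-debug path also fails, so consider making the check unconditional, or returning the same error code in both cases, so a BPF program sees one errno for this input regardless of kernel config. The in-code comment names pskb_may_pull_reason() while the subject line says pskb_pull_reason and the message body says pskb_may_pull; aligning these would make the fix easier to find when grepping for the helper that warns.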