From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F28372BEC43 for ; Tue, 23 Dec 2025 10:34:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1766486096; cv=none; b=usHRR2Dcq5v9XLMvp7Bx5J8fvyXNj4ktfVd4MSHLG/7LxTqSHlP69IVR+PGwInyDsfYXdfUiYGGdF1m0Uh5HBEvCaDQFM6FxOumlj8zljNa/TnOQVxzqQG0dJ0rvASBb24ct3y86Rks1ONz4e8L8Hv/b+HSIvu8ypdDAT5uuFKw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1766486096; c=relaxed/simple; bh=0zm4G+1GdLQfD2IBCPH9R96LHqfSKrACONu8xhMMGi4=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=qQoA3eTx3s/armsfygbwXd9xhewTt8ze7L5qoMRJqgHwfuUG7j5hOQ7vfBQhCdXLhOLO9DDV17rekTLVfCyooqtdU/7WhszUGazlm4tZSwmXEVNFnQDqZ2Dk0sDpzjofRRPWkVUCoL1fRq1ZXlLbhZKW/NF/GF/QgqX3bpM7AsE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=Ag8OmzvL; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b=MOtaVYCq; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="Ag8OmzvL"; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b="MOtaVYCq" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1766486092; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Sgf79+KA5/2HyLhaa050yjAFUTyo5/Zu334BYj4E1Ho=; b=Ag8OmzvLXF8508AYaawmHPqSCfB+d9j3f0xuNnt2XIyqhvNsqWsN3skRQm8bLM+xmtKl8O JNGkRneEBj4yuV+cgH4s/57h3H6Uy2LFxY23EUZ72+nq5Hg2Y6M4sTMoymAjCvsTM5h4tQ mfE6wFkWaa3nnAV58q3Rb29GA06yDHI= Received: from mail-wm1-f71.google.com (mail-wm1-f71.google.com [209.85.128.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-571-duzSkZ7GNgmlX72acqHA4g-1; Tue, 23 Dec 2025 05:34:50 -0500 X-MC-Unique: duzSkZ7GNgmlX72acqHA4g-1 X-Mimecast-MFC-AGG-ID: duzSkZ7GNgmlX72acqHA4g_1766486089 Received: by mail-wm1-f71.google.com with SMTP id 5b1f17b1804b1-477cf25ceccso57442035e9.0 for ; Tue, 23 Dec 2025 02:34:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=google; t=1766486089; x=1767090889; darn=vger.kernel.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=Sgf79+KA5/2HyLhaa050yjAFUTyo5/Zu334BYj4E1Ho=; b=MOtaVYCqj6M8FvTyHrCuI0JrlHRfviuRKhlwlPXw9ESAFxzTTw9KKpr8WPQ0NBYbqP bh/0k7UxWseISpowIOnAO4bBK6CBbIMKax8OueRx5YL3dSSxrXFwKxASfB3yACii3KQu eu6ik5mjNDIRdbyFHXyqK+fLUcB8oD916MBhynKF8qt0eWJCFO4nIKr4zzXz0s0+jCuE T8DN4oKl014VFEcbkIDRY7a1+17ZE9qE8znis6wnYkEz7Lmfu/7jfsHHqUomD0iOlpcR ldy1kMlzgfWW7sUkUsrA+SFyhK3qeYJOvAj21Ufn4J+NV6MPL/Vml0bXkydPEtrP73Bz dw+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1766486089; x=1767090889; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Sgf79+KA5/2HyLhaa050yjAFUTyo5/Zu334BYj4E1Ho=; b=UZ+QtEstgxRTVMO6XB35dRsTkyXVqQ99IlrSXd1K2rV/nyY54Z2XvR1sOO5sPvpfDR UNN0CRmsCU+XbA7UD+m31VzC0uKmdslMezjPghONhRxPpYNuBaea6rKL38hs4PjLicrD qxqOQw8n03b/XM4d2XkQWLleKQDdWjhfFrSDSHnSnUhxeS/3TWqKBR+/QG9TynFLdvrx CURfc2JUQG3iEL+qNn01YZznYz6qAhHSNsJdkgLEdmzeUjc706oT32NgwwrjFIhpR2Vn ejj/j6pErCkHlT6QdbcE9mXmO1FvXmb0gZXDY/aGf8sS9zTcLMZ1O+1NaZhmPhNirsF0 RTGw== X-Forwarded-Encrypted: i=1; AJvYcCVsaAJuZZ5qWM7F6e65OPa9xwi3wrObclBgfCJH0ux81NKDiceG/E5ago58Z+Dmz9p3XMNbhUOx1fa1V5Y=@vger.kernel.org X-Gm-Message-State: AOJu0YylULiqTPi7irny+1xwoS6bWGuRnPrGz+mtWTkd+AY6CIX0l8p5 Zt2ufkAsCPb1bOybiep4zuJC0XC7MYM8xi6p4yAfKs77LmaLj5TPiI7Jpw5nWYG+reW2Wzn+kz4 IOcCSMc0+QUa34rGa+kP98KT0FI7LOiMKUIFdd+UMxvAwO8cW+bj7ekm2arQoKv7VAw== X-Gm-Gg: AY/fxX67eb7SN6UA5pumkF27Kq5WGeqXng1xJiHTXVgbZUnvFuANQWL06ROj11X1SCB Yw9aWxTwZGn83E+dlMSL86XDTp3BeS9Ld0A/UiRZrbbrBd0s0sQt96nplnJWOutG7sY/n9YIT6o mTilYysnIqNikfuPhDciLhkPGb7M0qciwDK495APMHMtHjQrdRYOeW/JdC1N1UIvANfRB1HzyAF QdP/5Ki829o4RqrDPOsHrFybjdzKm+ej5q20+4tnpL9guktiYka9u6WQIrTZWRC5dlPZCmHRZ3z 3droXenk2wbGBqvTiomi0mesNo+uKrYG38bgZDeRvEhQ27SJeI+XWGjSn6hGZD18DI6t64n+n9J ZEZ0Zz9iLA0I5 X-Received: by 2002:a05:600c:8183:b0:477:fad:acd9 with SMTP id 5b1f17b1804b1-47d195a9834mr132598275e9.34.1766486089091; Tue, 23 Dec 2025 02:34:49 -0800 (PST) X-Google-Smtp-Source: AGHT+IHQO73a0x9t6KKSfapJWQvRs4ZyOmiT8am/1/TPeJf60pXNmr/0bKvhgo/ckE+RBk8muTVH4A== X-Received: by 2002:a05:600c:8183:b0:477:fad:acd9 with SMTP id 5b1f17b1804b1-47d195a9834mr132598075e9.34.1766486088653; Tue, 23 Dec 2025 02:34:48 -0800 (PST) Received: from [192.168.88.32] ([216.128.11.164]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47be273e4d5sm293724455e9.6.2025.12.23.02.34.47 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 23 Dec 2025 02:34:48 -0800 (PST) Message-ID: Date: Tue, 23 Dec 2025 11:34:46 +0100 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH net v4] net: skbuff: add usercopy region to skbuff_fclone_cache To: bestswngs@gmail.com, security@kernel.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, horms@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, xmei5@asu.edu References: <20251216084449.973244-5-bestswngs@gmail.com> Content-Language: en-US From: Paolo Abeni In-Reply-To: <20251216084449.973244-5-bestswngs@gmail.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 12/16/25 9:44 AM, bestswngs@gmail.com wrote: > From: Weiming Shi > > skbuff_fclone_cache was created without defining a usercopy region, [1] > unlike skbuff_head_cache which properly whitelists the cb[] field. [2] > This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is enabled > and the kernel attempts to copy sk_buff.cb data to userspace via > sock_recv_errqueue() -> put_cmsg(). > > The crash occurs when: > 1. TCP allocates an skb using alloc_skb_fclone() > (from skbuff_fclone_cache) [1] > 2. The skb is cloned via skb_clone() using the pre-allocated fclone [3] > 3. The cloned skb is queued to sk_error_queue for timestamp reporting > 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE) > 5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb [4] > 6. __check_heap_object() fails because skbuff_fclone_cache has no > usercopy whitelist [5] > > When cloned skbs allocated from skbuff_fclone_cache are used in the > socket error queue, accessing the sock_exterr_skb structure in skb->cb > via put_cmsg() triggers a usercopy hardening violation: > > [ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)! > [ 5.382796] kernel BUG at mm/usercopy.c:102! > [ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI > [ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7 > [ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 > [ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80 > [ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490 > [ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246 > [ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74 > [ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0 > [ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74 > [ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001 > [ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00 > [ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000 > [ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0 > [ 5.384903] PKRU: 55555554 > [ 5.384903] Call Trace: > [ 5.384903] > [ 5.384903] __check_heap_object+0x9a/0xd0 > [ 5.384903] __check_object_size+0x46c/0x690 > [ 5.384903] put_cmsg+0x129/0x5e0 > [ 5.384903] sock_recv_errqueue+0x22f/0x380 > [ 5.384903] tls_sw_recvmsg+0x7ed/0x1960 > [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 > [ 5.384903] ? schedule+0x6d/0x270 > [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 > [ 5.384903] ? mutex_unlock+0x81/0xd0 > [ 5.384903] ? __pfx_mutex_unlock+0x10/0x10 > [ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10 > [ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0 > [ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40 > [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 > > The crash offset 296 corresponds to skb2->cb within skbuff_fclones: > - sizeof(struct sk_buff) = 232 > - offsetof(struct sk_buff, cb) = 40 > - offset of skb2.cb in fclones = 232 + 40 = 272 > - crash offset 296 = 272 + 24 (inside sock_exterr_skb.ee) > > Fix this by using kmem_cache_create_usercopy() for skbuff_fclone_cache > and whitelisting the cb regions. > In our patch, we referenced > net: Whitelist the `skb_head_cache` "cb" field. [6] > > Fix by using kmem_cache_create_usercopy() with the same cb[] region > whitelist as skbuff_head_cache. > > [1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885 > [2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104 > [3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566 > [4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491 > [5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719 > [6] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=79a8a642bf05c > > Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0") > Reported-by: Xiang Mei > Signed-off-by: Weiming Shi Rephrasing Eric's comment (and hoping to have not misread it), you should fix the issue differently, catching and fclones before adding them to the error queue and try to unclone them. Thanks, Paolo