From: "D. Wythe" <alibuda@linux.alibaba.com>
To: pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, coreteam@netfilter.org,
netfilter-devel@vger.kernel.org, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
ast@kernel.org
Subject: [PATCH net] net/netfilter: bpf: avoid leakage of skb
Date: Wed, 29 Nov 2023 18:16:02 +0800
Message-ID: <1701252962-63418-1-git-send-email-alibuda@linux.alibaba.com>
A malicious eBPF program can interrupt the subsequent processing of
a skb by returning an exceptional retval, and no one will be responsible
for releasing that skb.

Moreover, normal programs may also need to return NF_STOLEN; usually
the hook needs to take responsibility for releasing this skb itself,
but currently there is no such helper function to achieve that.
Ignoring NF_STOLEN will also lead to skb leakage.
Fixes: fd9c663b9ad6 ("bpf: minimal support for programs hooked into netfilter framework")
Signed-off-by: D. Wythe <alibuda@linux.alibaba.com>
---
net/netfilter/nf_bpf_link.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
index e502ec0..03c47d6 100644
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -12,12 +12,29 @@ static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb,
const struct nf_hook_state *s)
{
const struct bpf_prog *prog = bpf_prog;
+ unsigned int verdict;
struct bpf_nf_ctx ctx = {
.state = s,
.skb = skb,
};
- return bpf_prog_run(prog, &ctx);
+ verdict = bpf_prog_run(prog, &ctx);
+ switch (verdict) {
+ case NF_STOLEN:
+ consume_skb(skb);
+ fallthrough;
+ case NF_ACCEPT:
+ case NF_DROP:
+ case NF_QUEUE:
+ /* restrict the retval of the ebpf programs */
+ break;
+ default:
+ /* force it to be dropped */
+ verdict = NF_DROP_ERR(-EINVAL);
+ break;
+ }
+
+ return verdict;
}
struct bpf_nf_link {
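Review bot: the new switch compares the whole 32-bit verdict word, but netfilter verdicts carry a queue number (NF_QUEUE_NR(n)) or an errno (NF_DROP_ERR(err), the encoding this hunk itself relies on for its own return value) in the upper bits, so any program that returns something other than the bare constants NF_ACCEPT, NF_DROP, NF_QUEUE or NF_STOLEN lands in `default:` and is rewritten to `NF_DROP_ERR(-EINVAL)`; switch on `verdict & NF_VERDICT_MASK` instead and keep the payload bits for the accepted cases. Two smaller points: the commit message says a BPF program has no helper to actually take ownership of the skb, so the `consume_skb(skb)` under `case NF_STOLEN:` turns NF_STOLEN into a silent drop that never reaches the kfree_skb drop tracepoints; either say so in the comment or free with kfree_skb so the drop is observable. And the comment "restrict the retval of the ebpf programs" describes a property that is better enforced by the verifier when the program is loaded, so consider rejecting out-of-range return values at attach time in addition to, or instead of, this runtime fallback.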
--
1.8.3.1
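The commit message above argues that a hook must restrict the return value of an attached BPF program so that an unexpected retval cannot leave the skb unreleased. The following user-space C program is an added example, not kernel code and not part of the patch: it models the two ways such a sanitizer can be written, one that compares the raw verdict word (as the patch does) and one that masks the verdict byte first, and runs both over realistic verdicts. The NF_* constants and the NF_QUEUE_NR()/NF_DROP_ERR() encoding macros are copied from include/uapi/linux/netfilter.h; the functions sanitize_exact, sanitize_masked, verdict_err, verdict_queue and frees, and the sample table, are illustrative and hypothetical.

```c
/*
 * Added example, not kernel code: user-space model of the verdict
 * sanitization a netfilter BPF hook performs on the program's retval.
 *
 * NF_* constants and NF_QUEUE_NR()/NF_DROP_ERR() are copied from
 * include/uapi/linux/netfilter.h; everything else is hypothetical.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE  3
#define NF_REPEAT 4

/* Low byte is the verdict; the upper 16 bits carry a queue number or errno. */
#define NF_VERDICT_MASK  0x000000ff
#define NF_VERDICT_QMASK 0xffff0000
#define NF_VERDICT_QBITS 16
#define NF_QUEUE_NR(x)   ((((x) << 16) & NF_VERDICT_QMASK) | NF_QUEUE)
#define NF_DROP_ERR(x)   (((-x) << 16) | NF_DROP)

/* errno encoded in an NF_DROP verdict, 0 when none was set. */
static int verdict_err(unsigned int v)
{
	return -(int)((v >> NF_VERDICT_QBITS) & 0xffff);
}

/* Queue number encoded in an NF_QUEUE verdict. */
static unsigned int verdict_queue(unsigned int v)
{
	return (v & NF_VERDICT_QMASK) >> NF_VERDICT_QBITS;
}

/* Same shape as the patch: the switch compares the whole 32-bit word. */
static unsigned int sanitize_exact(unsigned int verdict, bool *freed)
{
	*freed = false;
	switch (verdict) {
	case NF_STOLEN:
		*freed = true;	/* stands in for consume_skb(skb) */
		/* fall through */
	case NF_ACCEPT:
	case NF_DROP:
	case NF_QUEUE:
		return verdict;
	default:
		return NF_DROP_ERR(-EINVAL);
	}
}

/* Masks the verdict byte first, so queue numbers and errnos survive. */
static unsigned int sanitize_masked(unsigned int verdict, bool *freed)
{
	*freed = false;
	switch (verdict & NF_VERDICT_MASK) {
	case NF_STOLEN:
		*freed = true;
		return NF_STOLEN;	/* upper bits carry nothing for NF_STOLEN */
	case NF_ACCEPT:
	case NF_DROP:
	case NF_QUEUE:
		return verdict;
	default:
		return NF_DROP_ERR(-EINVAL);
	}
}

/* Did the given sanitizer release the skb for this verdict? */
static bool frees(unsigned int (*sanitize)(unsigned int, bool *), unsigned int v)
{
	bool freed;

	sanitize(v, &freed);
	return freed;
}

int main(void)
{
	/* Constructed sample verdicts a BPF program might return. */
	const struct { const char *name; unsigned int v; } samples[] = {
		{ "NF_ACCEPT",            NF_ACCEPT },
		{ "NF_STOLEN",            NF_STOLEN },
		{ "NF_QUEUE_NR(1)",       NF_QUEUE_NR(1) },
		{ "NF_DROP_ERR(-EPERM)",  NF_DROP_ERR(-EPERM) },
		{ "NF_REPEAT",            NF_REPEAT },
		{ "garbage 0xdeadbeef",   0xdeadbeef },
	};
	bool f;

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned int e = sanitize_exact(samples[i].v, &f);
		unsigned int m = sanitize_masked(samples[i].v, &f);

		printf("%-22s exact=0x%08x (err %d)  masked=0x%08x (queue %u, err %d)\n",
		       samples[i].name, e, verdict_err(e), m, verdict_queue(m), verdict_err(m));
	}
	return 0;
}
```

Running it shows the difference the mask makes: NF_QUEUE_NR(1) and NF_DROP_ERR(-EPERM) keep their queue number and errno under sanitize_masked, while sanitize_exact rewrites both to an EINVAL drop; NF_REPEAT and arbitrary garbage are turned into an EINVAL drop by both, and NF_STOLEN is the only verdict for which either sanitizer releases the skb itself.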
Thread overview: 5+ messages
2023-11-29 10:16 D. Wythe [this message]
2023-11-29 13:18 ` [PATCH net] net/netfilter: bpf: avoid leakage of skb Florian Westphal
2023-11-29 14:42 ` D. Wythe
2023-11-29 14:47 ` Florian Westphal
2023-11-29 15:02 ` D. Wythe