From: Florian Westphal <fw@strlen.de>
To: "D. Wythe" <alibuda@linux.alibaba.com>
Cc: pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, coreteam@netfilter.org,
netfilter-devel@vger.kernel.org, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
ast@kernel.org
Subject: Re: [PATCH net] net/netfilter: bpf: avoid leakage of skb
Date: Wed, 29 Nov 2023 14:18:46 +0100 [thread overview]
Message-ID: <20231129131846.GC27744@breakpoint.cc> (raw)
In-Reply-To: <1701252962-63418-1-git-send-email-alibuda@linux.alibaba.com>
D. Wythe <alibuda@linux.alibaba.com> wrote:
> From: "D. Wythe" <alibuda@linux.alibaba.com>
>
> A malicious eBPF program can interrupt the subsequent processing of
> a skb by returning an exceptional retval, and no one will be responsible
> for releasing the very skb.
How? The bpf verifier is supposed to reject nf bpf programs that
return a value other than accept or drop.
If this is a real bug, please also figure out why
006c0e44ed92 ("selftests/bpf: add missing netfilter return value and ctx access tests")
failed to catch it.
> Moreover, normal programs can also have the demand to return NF_STOLEN,
No, this should be disallowed already.
> net/netfilter/nf_bpf_link.c | 19 ++++++++++++++++++-
> 1 file changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
> index e502ec0..03c47d6 100644
> --- a/net/netfilter/nf_bpf_link.c
> +++ b/net/netfilter/nf_bpf_link.c
> @@ -12,12 +12,29 @@ static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb,
> const struct nf_hook_state *s)
> {
> const struct bpf_prog *prog = bpf_prog;
> + unsigned int verdict;
> struct bpf_nf_ctx ctx = {
> .state = s,
> .skb = skb,
> };
>
> - return bpf_prog_run(prog, &ctx);
> + verdict = bpf_prog_run(prog, &ctx);
> + switch (verdict) {
> + case NF_STOLEN:
> + consume_skb(skb);
> + fallthrough;
This can't be right. STOLEN really means STOLEN (free'd,
redirected, etc, "skb" MUST be "leaked".
Which is also why the bpf program is not allowed to return it.
next prev parent reply other threads:[~2023-11-29 13:18 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-29 10:16 [PATCH net] net/netfilter: bpf: avoid leakage of skb D. Wythe
2023-11-29 13:18 ` Florian Westphal [this message]
2023-11-29 14:42 ` D. Wythe
2023-11-29 14:47 ` Florian Westphal
2023-11-29 15:02 ` D. Wythe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231129131846.GC27744@breakpoint.cc \
--to=fw@strlen.de \
--cc=alibuda@linux.alibaba.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kadlec@netfilter.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).