* [PATCH net] net/netfilter: bpf: avoid leakage of skb
@ 2023-11-29 10:16 D. Wythe
2023-11-29 13:18 ` Florian Westphal
0 siblings, 1 reply; 5+ messages in thread
From: D. Wythe @ 2023-11-29 10:16 UTC (permalink / raw)
To: pablo, kadlec, fw
Cc: bpf, linux-kernel, netdev, coreteam, netfilter-devel, davem,
edumazet, kuba, pabeni, ast
From: "D. Wythe" <alibuda@linux.alibaba.com>
A malicious eBPF program can interrupt the subsequent processing of
a skb by returning an exceptional retval, and no one will be responsible
for releasing the very skb.
Moreover, normal programs can also have the demand to return NF_STOLEN,
usually, the hook needs to take responsibility for releasing this skb
itself, but currently, there is no such helper function to achieve that.
Ignoring NF_STOLEN will also lead to skb leakage.
Fixes: fd9c663b9ad6 ("bpf: minimal support for programs hooked into netfilter framework")
Signed-off-by: D. Wythe <alibuda@linux.alibaba.com>
---
net/netfilter/nf_bpf_link.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
index e502ec0..03c47d6 100644
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -12,12 +12,29 @@ static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb,
const struct nf_hook_state *s)
{
const struct bpf_prog *prog = bpf_prog;
+ unsigned int verdict;
struct bpf_nf_ctx ctx = {
.state = s,
.skb = skb,
};
- return bpf_prog_run(prog, &ctx);
+ verdict = bpf_prog_run(prog, &ctx);
+ switch (verdict) {
+ case NF_STOLEN:
+ consume_skb(skb);
+ fallthrough;
+ case NF_ACCEPT:
+ case NF_DROP:
+ case NF_QUEUE:
+ /* restrict the retval of the ebpf programs */
+ break;
+ default:
+ /* force it to be dropped */
+ verdict = NF_DROP_ERR(-EINVAL);
+ break;
+ }
+
+ return verdict;
}
struct bpf_nf_link {
--
1.8.3.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH net] net/netfilter: bpf: avoid leakage of skb 2023-11-29 10:16 [PATCH net] net/netfilter: bpf: avoid leakage of skb D. Wythe @ 2023-11-29 13:18 ` Florian Westphal 2023-11-29 14:42 ` D. Wythe 0 siblings, 1 reply; 5+ messages in thread From: Florian Westphal @ 2023-11-29 13:18 UTC (permalink / raw) To: D. Wythe Cc: pablo, kadlec, fw, bpf, linux-kernel, netdev, coreteam, netfilter-devel, davem, edumazet, kuba, pabeni, ast D. Wythe <alibuda@linux.alibaba.com> wrote: > From: "D. Wythe" <alibuda@linux.alibaba.com> > > A malicious eBPF program can interrupt the subsequent processing of > a skb by returning an exceptional retval, and no one will be responsible > for releasing the very skb. How? The bpf verifier is supposed to reject nf bpf programs that return a value other than accept or drop. If this is a real bug, please also figure out why 006c0e44ed92 ("selftests/bpf: add missing netfilter return value and ctx access tests") failed to catch it. > Moreover, normal programs can also have the demand to return NF_STOLEN, No, this should be disallowed already. > net/netfilter/nf_bpf_link.c | 19 ++++++++++++++++++- > 1 file changed, 18 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c > index e502ec0..03c47d6 100644 > --- a/net/netfilter/nf_bpf_link.c > +++ b/net/netfilter/nf_bpf_link.c > @@ -12,12 +12,29 @@ static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb, > const struct nf_hook_state *s) > { > const struct bpf_prog *prog = bpf_prog; > + unsigned int verdict; > struct bpf_nf_ctx ctx = { > .state = s, > .skb = skb, > }; > > - return bpf_prog_run(prog, &ctx); > + verdict = bpf_prog_run(prog, &ctx); > + switch (verdict) { > + case NF_STOLEN: > + consume_skb(skb); > + fallthrough; This can't be right. STOLEN really means STOLEN (free'd, redirected, etc, "skb" MUST be "leaked". Which is also why the bpf program is not allowed to return it. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH net] net/netfilter: bpf: avoid leakage of skb 2023-11-29 13:18 ` Florian Westphal @ 2023-11-29 14:42 ` D. Wythe 2023-11-29 14:47 ` Florian Westphal 0 siblings, 1 reply; 5+ messages in thread From: D. Wythe @ 2023-11-29 14:42 UTC (permalink / raw) To: Florian Westphal Cc: pablo, kadlec, bpf, linux-kernel, netdev, coreteam, netfilter-devel, davem, edumazet, kuba, pabeni, ast On 11/29/23 9:18 PM, Florian Westphal wrote: > D. Wythe <alibuda@linux.alibaba.com> wrote: >> From: "D. Wythe" <alibuda@linux.alibaba.com> >> >> A malicious eBPF program can interrupt the subsequent processing of >> a skb by returning an exceptional retval, and no one will be responsible >> for releasing the very skb. > How? The bpf verifier is supposed to reject nf bpf programs that > return a value other than accept or drop. > > If this is a real bug, please also figure out why > 006c0e44ed92 ("selftests/bpf: add missing netfilter return value and ctx access tests") > failed to catch it. Hi Florian, You are right, i make a mistake.. , it's not a bug.. And my origin intention was to allow ebpf progs to return NF_STOLEN, we are trying to modify some netfilter modules via ebpf, and some scenarios require the use of NF_STOLEN, but from your description, it seems that at least currently, you do not want to return NF_STOLEN, until there is a helper for sonsume_skb(), right ? Again, very sorry to bother you. Best wishes, D. Wythe. >> Moreover, normal programs can also have the demand to return NF_STOLEN, > No, this should be disallowed already. > >> net/netfilter/nf_bpf_link.c | 19 ++++++++++++++++++- >> 1 file changed, 18 insertions(+), 1 deletion(-) >> >> diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c >> index e502ec0..03c47d6 100644 >> --- a/net/netfilter/nf_bpf_link.c >> +++ b/net/netfilter/nf_bpf_link.c >> @@ -12,12 +12,29 @@ static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb, >> const struct nf_hook_state *s) >> { >> const struct bpf_prog *prog = bpf_prog; >> + unsigned int verdict; >> struct bpf_nf_ctx ctx = { >> .state = s, >> .skb = skb, >> }; >> >> - return bpf_prog_run(prog, &ctx); >> + verdict = bpf_prog_run(prog, &ctx); >> + switch (verdict) { >> + case NF_STOLEN: >> + consume_skb(skb); >> + fallthrough; > This can't be right. STOLEN really means STOLEN (free'd, > redirected, etc, "skb" MUST be "leaked". > > Which is also why the bpf program is not allowed to return it. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH net] net/netfilter: bpf: avoid leakage of skb 2023-11-29 14:42 ` D. Wythe @ 2023-11-29 14:47 ` Florian Westphal 2023-11-29 15:02 ` D. Wythe 0 siblings, 1 reply; 5+ messages in thread From: Florian Westphal @ 2023-11-29 14:47 UTC (permalink / raw) To: D. Wythe Cc: Florian Westphal, pablo, kadlec, bpf, linux-kernel, netdev, coreteam, netfilter-devel, davem, edumazet, kuba, pabeni, ast D. Wythe <alibuda@linux.alibaba.com> wrote: > And my origin intention was to allow ebpf progs to return NF_STOLEN, we are > trying to modify some netfilter modules via ebpf, > and some scenarios require the use of NF_STOLEN, but from your description, NF_STOLEN can only be supported via a trusted helper, as least as far as I understand. Otherwise verifier would have to guarantee that any branch that returns NF_STOLEN has released the skb, or passed it to a function that will release the skb in the near future. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH net] net/netfilter: bpf: avoid leakage of skb 2023-11-29 14:47 ` Florian Westphal @ 2023-11-29 15:02 ` D. Wythe 0 siblings, 0 replies; 5+ messages in thread From: D. Wythe @ 2023-11-29 15:02 UTC (permalink / raw) To: Florian Westphal Cc: pablo, kadlec, bpf, linux-kernel, netdev, coreteam, netfilter-devel, davem, edumazet, kuba, pabeni, ast On 11/29/23 10:47 PM, Florian Westphal wrote: > D. Wythe <alibuda@linux.alibaba.com> wrote: >> And my origin intention was to allow ebpf progs to return NF_STOLEN, we are >> trying to modify some netfilter modules via ebpf, >> and some scenarios require the use of NF_STOLEN, but from your description, > NF_STOLEN can only be supported via a trusted helper, as least as far as > I understand. > > Otherwise verifier would have to guarantee that any branch that returns > NF_STOLEN has released the skb, or passed it to a function that will > release the skb in the near future. Thank you very much for your help. I now understand the difficulty here. The verifier cannot determine whether the consume_skb() was executed or not, when the return value goes to NF_STOLEN. We may use NF_DROP at first, it won't be make much difference for us now. Also, do you have any plans to support this helper? Best wishes, D. Wythe ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-11-29 15:02 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2023-11-29 10:16 [PATCH net] net/netfilter: bpf: avoid leakage of skb D. Wythe 2023-11-29 13:18 ` Florian Westphal 2023-11-29 14:42 ` D. Wythe 2023-11-29 14:47 ` Florian Westphal 2023-11-29 15:02 ` D. Wythe
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).