From: Florian Westphal <fw@strlen.de>
To: bpf@vger.kernel.org
Cc: martin.lau@linux.dev, daniel@iogearbox.net,
	netdev@vger.kernel.org, Florian Westphal <fw@strlen.de>,
	syzbot+0c4150bff9fff3bf023c@syzkaller.appspotmail.com,
	Eric Dumazet <edumazet@google.com>
Subject: [PATCH bpf] bpf: avoid splat in pskb_pull_reason
Date: Fri, 14 Jun 2024 12:17:33 +0200
Message-ID: <20240614101801.9496-1-fw@strlen.de>
In-Reply-To: <9f254c96-54f2-4457-b7ab-1d9f6187939c@gmail.com>

syzkaller builds (CONFIG_DEBUG_NET=y) frequently trigger a debug
hint in pskb_may_pull.

We'd like to retain this debug check because it might hint at integer
overflows and other issues (kernel code should pull headers, not huge
values).

In the bpf case, this splat isn't interesting at all: such (nonsensical) bpf
programs are typically generated by a fuzzer anyway.

Do what Eric suggested and suppress such warnings.

For CONFIG_DEBUG_NET=n we don't need the extra check because
pskb_may_pull will do the right thing: return an error without the
WARN() backtrace.

Reported-by: syzbot+0c4150bff9fff3bf023c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0c4150bff9fff3bf023c
Fixes: 219eee9c0d16 ("net: skbuff: add overflow debug check to pull/push helpers")
Link: https://lore.kernel.org/netdev/9f254c96-54f2-4457-b7ab-1d9f6187939c@gmail.com/
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/core/filter.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/core/filter.c b/net/core/filter.c
index 2510464692af..9933851c685e 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1665,6 +1665,11 @@ static DEFINE_PER_CPU(struct bpf_scratchpad, bpf_sp);
 static inline int __bpf_try_make_writable(struct sk_buff *skb,
 					  unsigned int write_len)
 {
+#ifdef CONFIG_DEBUG_NET
+	/* Avoid a splat in pskb_may_pull_reason() */
+	if (write_len > INT_MAX)
+		return -EINVAL;
+#endif
 	return skb_ensure_writable(skb, write_len);
 }
 
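Review bot: The `write_len > INT_MAX` guard in __bpf_try_make_writable() is compiled only under `#ifdef CONFIG_DEBUG_NET`, so an oversized length returns -EINVAL on debug builds while non-debug builds return whatever skb_ensure_writable() reports, and the errno a BPF program sees can then depend on a debug option. Consider making the check unconditional, or writing it as `if (IS_ENABLED(CONFIG_DEBUG_NET) && write_len > INT_MAX)` so the branch is compile-tested in both configurations. The comment names pskb_may_pull_reason() while the subject line says pskb_pull_reason and the commit message says pskb_may_pull; the three should agree on one helper name, and the comment could also state that the oversized write_len originates from the bpf program, as the commit message describes.
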
-- 
2.44.2

