[PATCH net] Drop packets with invalid headers to prevent KMSAN infoleak

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Daniel Yang <danielyangkang@gmail.com>
To: Martin KaFai Lau <martin.lau@linux.dev>,
	Daniel Borkmann <daniel@iogearbox.net>,
	John Fastabend <john.fastabend@gmail.com>,
	Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
	Yonghong Song <yonghong.song@linux.dev>,
	KP Singh <kpsingh@kernel.org>,
	Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	bpf@vger.kernel.org (open list:BPF [NETWORKING] (tcx & tc BPF,
	sock_addr)),
	netdev@vger.kernel.org (open list:BPF [NETWORKING] (tcx & tc BPF,
	sock_addr)), linux-kernel@vger.kernel.org (open list)
Cc: Daniel Yang <danielyangkang@gmail.com>,
	syzbot+346474e3bf0b26bd3090@syzkaller.appspotmail.com
Subject: [PATCH net] Drop packets with invalid headers to prevent KMSAN infoleak
Date: Sun,  3 Nov 2024 20:02:07 -0800	[thread overview]
Message-ID: <20241104040218.193632-1-danielyangkang@gmail.com> (raw)

KMSAN detects uninitialized memory stored to memory by
bpf_clone_redirect(). Adding a check to the transmission path to find
malformed headers prevents this issue. Specifically, we check if the length
of the data stored in skb is less than the minimum device header length. If
so, drop the packet since the skb cannot contain a valid device header.
Also check if mac_header_len(skb) is outside the range provided of valid
device header lengths.

Testing this patch with syzbot removes the bug.

Macro added to not affect normal builds.

Fixes: 88264981f208 ("Merge tag 'sched_ext-for-6.12' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext")
Reported-by: syzbot+346474e3bf0b26bd3090@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=346474e3bf0b26bd3090
Signed-off-by: Daniel Yang <danielyangkang@gmail.com>
---
v1: Enclosed in macro to not affect normal builds

 net/core/filter.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/core/filter.c b/net/core/filter.c
index cd3524cb3..9c5786f9c 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2191,6 +2191,14 @@ static int __bpf_redirect_common(struct sk_buff *skb, struct net_device *dev,
 		return -ERANGE;
 	}
 
+#if IS_ENABLED(CONFIG_KMSAN)
+	if (unlikely(skb->len < dev->min_header_len ||
+		     skb_mac_header_len(skb) < dev->min_header_len ||
+		     skb_mac_header_len(skb) > dev->hard_header_len)) {
+		kfree_skb(skb);
+		return -ERANGE;
+	}
+#endif
 	bpf_push_mac_rcsum(skb);
 	return flags & BPF_F_INGRESS ?
 	       __bpf_rx_skb(dev, skb) : __bpf_tx_skb(dev, skb);
-- 
2.39.2

next             reply	other threads:[~2024-11-04  4:02 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-04  4:02 Daniel Yang [this message]
2024-11-04 10:03 ` [PATCH net] Drop packets with invalid headers to prevent KMSAN infoleak Eric Dumazet
  -- strict thread matches above, loose matches on Subject: below --
2024-10-19  7:11 Daniel Yang
2024-10-21 22:25 ` Martin KaFai Lau
2024-10-22  1:37   ` Daniel Yang
2024-10-22 15:30     ` Paolo Abeni
2024-10-22 18:14     ` Martin KaFai Lau
2024-10-27  8:49       ` Daniel Yang
2024-10-28  5:42         ` Yonghong Song
2024-10-29 21:23           ` Daniel Yang
2024-10-29 16:40 ` Alexander Lobakin
2024-10-29 21:34   ` Daniel Yang

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:cd3524cb dfblob:9c5786f9 )
 OR (
bs:"[PATCH net] Drop packets with invalid headers to prevent KMSAN infoleak" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241104040218.193632-1-danielyangkang@gmail.com \
    --to=danielyangkang@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=eddyz87@gmail.com \
    --cc=edumazet@google.com \
    --cc=haoluo@google.com \
    --cc=horms@kernel.org \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=kpsingh@kernel.org \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=martin.lau@linux.dev \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=sdf@fomichev.me \
    --cc=song@kernel.org \
    --cc=syzbot+346474e3bf0b26bd3090@syzkaller.appspotmail.com \
    --cc=yonghong.song@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).