* [PATCH bpf v2 0/2] bpf: tcp: Fix null-ptr-deref in arbitrary SYN Cookie @ 2026-03-26 6:26 Jiayuan Chen 2026-03-26 6:26 ` [PATCH bpf v2 1/2] bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk() Jiayuan Chen 2026-03-26 6:26 ` [PATCH bpf v2 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk() Jiayuan Chen 0 siblings, 2 replies; 4+ messages in thread From: Jiayuan Chen @ 2026-03-26 6:26 UTC (permalink / raw) To: netdev Cc: Jiayuan Chen, Martin KaFai Lau, Daniel Borkmann, John Fastabend, Stanislav Fomichev, Alexei Starovoitov, Andrii Nakryiko, Eduard Zingerman, Song Liu, Yonghong Song, KP Singh, Hao Luo, Jiri Olsa, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Shuah Khan, Kuniyuki Iwashima, bpf, linux-kernel, linux-kselftest From: Jiayuan Chen <jiayuan.chen@shopee.com> bpf_sk_assign_tcp_reqsk() does not validate the L4 protocol of the skb, only checking skb->protocol (L3). A BPF program that calls this kfunc on a non-TCP skb (e.g. UDP) will succeed, attaching a TCP reqsk to the skb. When the skb enters the UDP receive path, skb_steal_sock() returns the TCP listener socket from the reqsk. The UDP code then casts this TCP socket to udp_sock and accesses UDP-specific fields at invalid offsets, causing a null pointer dereference: BUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x19d/0x1df0 Read of size 4 at addr 0000000000000008 by task test_progs/537 CPU: 1 UID: 0 PID: 537 Comm: test_progs Not tainted 7.0.0-rc4+ #46 PREEMPT Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:487) kasan_report (mm/kasan/report.c:597) __kasan_check_read (mm/kasan/shadow.c:32) __udp_enqueue_schedule_skb (net/ipv4/udp.c:1719) udp_queue_rcv_one_skb (net/ipv4/udp.c:2370 net/ipv4/udp.c:2500) udp_queue_rcv_skb (net/ipv4/udp.c:2532) udp_unicast_rcv_skb (net/ipv4/udp.c:2684) __udp4_lib_rcv (net/ipv4/udp.c:2742) udp_rcv (net/ipv4/udp.c:2937) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:209) ip_local_deliver_finish (./include/linux/rcupdate.h:879 net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:265) __netif_receive_skb_one_core (net/core/dev.c:6164 (discriminator 4)) __netif_receive_skb (net/core/dev.c:6280) Solution Patch 1: Add L4 protocol validation in bpf_sk_assign_tcp_reqsk(). Check ip_hdr(skb)->protocol (IPv4) and ipv6_hdr(skb)->nexthdr (IPv6) against IPPROTO_TCP, returning -EINVAL for non-TCP skbs. Patch 2: Add selftest that calls bpf_sk_assign_tcp_reqsk() on a UDP skb and verifies the kfunc rejects it. --- v1: https://lore.kernel.org/bpf/20260323105510.51990-1-jiayuan.chen@linux.dev/ Changes in v2: - Add Reviewed-by tag from Kuniyuki Iwashima for patch 1 - Use UDP socket recv() instead of kern_sync_rcu() for synchronization in selftest Jiayuan Chen (2): bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk() selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk() net/core/filter.c | 6 ++ .../bpf/prog_tests/tcp_custom_syncookie.c | 84 ++++++++++++++++++- .../bpf/progs/test_tcp_custom_syncookie.c | 79 +++++++++++++++++ 3 files changed, 165 insertions(+), 4 deletions(-) -- 2.43.0 ^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH bpf v2 1/2] bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk() 2026-03-26 6:26 [PATCH bpf v2 0/2] bpf: tcp: Fix null-ptr-deref in arbitrary SYN Cookie Jiayuan Chen @ 2026-03-26 6:26 ` Jiayuan Chen 2026-03-26 6:26 ` [PATCH bpf v2 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk() Jiayuan Chen 1 sibling, 0 replies; 4+ messages in thread From: Jiayuan Chen @ 2026-03-26 6:26 UTC (permalink / raw) To: netdev Cc: Jiayuan Chen, Jiayuan Chen, Kuniyuki Iwashima, Martin KaFai Lau, Daniel Borkmann, John Fastabend, Stanislav Fomichev, Alexei Starovoitov, Andrii Nakryiko, Eduard Zingerman, Song Liu, Yonghong Song, KP Singh, Hao Luo, Jiri Olsa, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Shuah Khan, bpf, linux-kernel, linux-kselftest From: Jiayuan Chen <jiayuan.chen@shopee.com> bpf_sk_assign_tcp_reqsk() only validates skb->protocol (L3) but does not check the L4 protocol in the IP header. A BPF program can call this kfunc on a UDP skb with a valid TCP listener socket, which will succeed and attach a TCP reqsk to the UDP skb. When the UDP skb enters the UDP receive path, skb_steal_sock() returns the TCP listener from the reqsk. The UDP code then passes this TCP socket to udp_unicast_rcv_skb() -> __udp_enqueue_schedule_skb(), which casts it to udp_sock and accesses UDP-specific fields at invalid offsets, causing a null pointer dereference and kernel panic: BUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x19d/0x1df0 Read of size 4 at addr 0000000000000008 by task test_progs/537 CPU: 1 UID: 0 PID: 537 Comm: test_progs Not tainted 7.0.0-rc4+ #46 PREEMPT Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:487) kasan_report (mm/kasan/report.c:597) __kasan_check_read (mm/kasan/shadow.c:32) __udp_enqueue_schedule_skb (net/ipv4/udp.c:1719) udp_queue_rcv_one_skb (net/ipv4/udp.c:2370 net/ipv4/udp.c:2500) udp_queue_rcv_skb (net/ipv4/udp.c:2532) udp_unicast_rcv_skb (net/ipv4/udp.c:2684) __udp4_lib_rcv (net/ipv4/udp.c:2742) udp_rcv (net/ipv4/udp.c:2937) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:209) ip_local_deliver_finish (./include/linux/rcupdate.h:879 net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:265) __netif_receive_skb_one_core (net/core/dev.c:6164 (discriminator 4)) __netif_receive_skb (net/core/dev.c:6280) Fix this by checking the IP header's protocol field in bpf_sk_assign_tcp_reqsk() and rejecting non-TCP skbs with -EINVAL. Fixes: e472f88891ab ("bpf: tcp: Support arbitrary SYN Cookie.") Cc: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com> --- net/core/filter.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index 78b548158fb0..fb975bcce804 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -12248,11 +12248,17 @@ __bpf_kfunc int bpf_sk_assign_tcp_reqsk(struct __sk_buff *s, struct sock *sk, switch (skb->protocol) { case htons(ETH_P_IP): + if (ip_hdr(skb)->protocol != IPPROTO_TCP) + return -EINVAL; + ops = &tcp_request_sock_ops; min_mss = 536; break; #if IS_BUILTIN(CONFIG_IPV6) case htons(ETH_P_IPV6): + if (ipv6_hdr(skb)->nexthdr != IPPROTO_TCP) + return -EINVAL; + ops = &tcp6_request_sock_ops; min_mss = IPV6_MIN_MTU - 60; break; -- 2.43.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH bpf v2 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk() 2026-03-26 6:26 [PATCH bpf v2 0/2] bpf: tcp: Fix null-ptr-deref in arbitrary SYN Cookie Jiayuan Chen 2026-03-26 6:26 ` [PATCH bpf v2 1/2] bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk() Jiayuan Chen @ 2026-03-26 6:26 ` Jiayuan Chen 2026-03-26 17:33 ` Kuniyuki Iwashima 1 sibling, 1 reply; 4+ messages in thread From: Jiayuan Chen @ 2026-03-26 6:26 UTC (permalink / raw) To: netdev Cc: Jiayuan Chen, Jiayuan Chen, Martin KaFai Lau, Daniel Borkmann, John Fastabend, Stanislav Fomichev, Alexei Starovoitov, Andrii Nakryiko, Eduard Zingerman, Song Liu, Yonghong Song, KP Singh, Hao Luo, Jiri Olsa, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Shuah Khan, Kuniyuki Iwashima, bpf, linux-kernel, linux-kselftest From: Jiayuan Chen <jiayuan.chen@shopee.com> Add test_tcp_custom_syncookie_protocol_check to verify that bpf_sk_assign_tcp_reqsk() rejects non-TCP skbs. The test sends a UDP packet through TC ingress where a BPF program calls bpf_sk_assign_tcp_reqsk() on it and checks that the kfunc returns an error. A UDP server recv() is used as synchronization to ensure the BPF program has finished processing before checking the result. Without the fix in bpf_sk_assign_tcp_reqsk(), the kfunc succeeds and attaches a TCP reqsk to the UDP skb, which causes a null pointer dereference panic when the kernel processes it through the UDP receive path. Test result: ./test_progs -a tcp_custom_syncookie_protocol_check -v setup_netns:PASS:create netns 0 nsec setup_netns:PASS:ip 0 nsec write_sysctl:PASS:open sysctl 0 nsec write_sysctl:PASS:write sysctl 0 nsec setup_netns:PASS:write_sysctl 0 nsec test_tcp_custom_syncookie_protocol_check:PASS:open_and_load 0 nsec test_tcp_custom_syncookie_protocol_check:PASS:start tcp_server 0 nsec test_tcp_custom_syncookie_protocol_check:PASS:start udp_server 0 nsec setup_tc:PASS:qdisc add dev lo clsact 0 nsec setup_tc:PASS:filter add dev lo ingress 0 nsec test_tcp_custom_syncookie_protocol_check:PASS:udp socket 0 nsec test_tcp_custom_syncookie_protocol_check:PASS:sendto udp 0 nsec test_tcp_custom_syncookie_protocol_check:PASS:recv udp 0 nsec test_tcp_custom_syncookie_protocol_check:PASS:udp_intercepted 0 nsec test_tcp_custom_syncookie_protocol_check:PASS:assign_ret 0 nsec #471 tcp_custom_syncookie_protocol_check:OK Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED Cc: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com> --- .../bpf/prog_tests/tcp_custom_syncookie.c | 84 ++++++++++++++++++- .../bpf/progs/test_tcp_custom_syncookie.c | 79 +++++++++++++++++ 2 files changed, 159 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c index eaf441dc7e79..c50b76f70988 100644 --- a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c +++ b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c @@ -5,6 +5,7 @@ #include <sched.h> #include <stdlib.h> #include <net/if.h> +#include <netinet/in.h> #include "test_progs.h" #include "cgroup_helpers.h" @@ -47,11 +48,10 @@ static int setup_netns(void) return -1; } -static int setup_tc(struct test_tcp_custom_syncookie *skel) +static int setup_tc(int prog_fd) { LIBBPF_OPTS(bpf_tc_hook, qdisc_lo, .attach_point = BPF_TC_INGRESS); - LIBBPF_OPTS(bpf_tc_opts, tc_attach, - .prog_fd = bpf_program__fd(skel->progs.tcp_custom_syncookie)); + LIBBPF_OPTS(bpf_tc_opts, tc_attach, .prog_fd = prog_fd); qdisc_lo.ifindex = if_nametoindex("lo"); if (!ASSERT_OK(bpf_tc_hook_create(&qdisc_lo), "qdisc add dev lo clsact")) @@ -127,7 +127,7 @@ void test_tcp_custom_syncookie(void) if (!ASSERT_OK_PTR(skel, "open_and_load")) return; - if (setup_tc(skel)) + if (setup_tc(bpf_program__fd(skel->progs.tcp_custom_syncookie))) goto destroy_skel; for (i = 0; i < ARRAY_SIZE(test_cases); i++) { @@ -145,6 +145,82 @@ void test_tcp_custom_syncookie(void) destroy_skel: system("tc qdisc del dev lo clsact"); + test_tcp_custom_syncookie__destroy(skel); +} +/* Test: bpf_sk_assign_tcp_reqsk() should reject non-TCP skb. + * + * Send a UDP packet through TC ingress where a BPF program calls + * bpf_sk_assign_tcp_reqsk() on it. The kfunc should return an error + * because the skb carries UDP, not TCP. + */ +void test_tcp_custom_syncookie_protocol_check(void) +{ + int tcp_server = -1, udp_server = -1, udp_client = -1; + struct test_tcp_custom_syncookie *skel; + struct sockaddr_in udp_addr; + char buf[32] = "test"; + int udp_port, ret; + + if (setup_netns()) + return; + + skel = test_tcp_custom_syncookie__open_and_load(); + if (!ASSERT_OK_PTR(skel, "open_and_load")) + return; + + /* Create a TCP listener so the BPF can find a LISTEN socket */ + tcp_server = start_server(AF_INET, SOCK_STREAM, "127.0.0.1", 0, 0); + if (!ASSERT_NEQ(tcp_server, -1, "start tcp_server")) + goto destroy_skel; + + /* Create a UDP server to receive the packet as synchronization */ + udp_server = start_server(AF_INET, SOCK_DGRAM, "127.0.0.1", 0, 0); + if (!ASSERT_NEQ(udp_server, -1, "start udp_server")) + goto close_tcp; + + skel->bss->tcp_listener_port = ntohs(get_socket_local_port(tcp_server)); + udp_port = ntohs(get_socket_local_port(udp_server)); + skel->bss->udp_test_port = udp_port; + + ret = bpf_program__fd(skel->progs.tcp_custom_syncookie_badproto); + if (setup_tc(ret)) + goto close_udp_server; + + udp_client = socket(AF_INET, SOCK_DGRAM, 0); + if (!ASSERT_NEQ(udp_client, -1, "udp socket")) + goto cleanup_tc; + + memset(&udp_addr, 0, sizeof(udp_addr)); + udp_addr.sin_family = AF_INET; + udp_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); + udp_addr.sin_port = htons(udp_port); + + ret = sendto(udp_client, buf, sizeof(buf), 0, + (struct sockaddr *)&udp_addr, sizeof(udp_addr)); + if (!ASSERT_EQ(ret, sizeof(buf), "sendto udp")) + goto cleanup_tc; + + /* recv() ensures TC ingress BPF has processed the skb */ + ret = recv(udp_server, buf, sizeof(buf), 0); + if (!ASSERT_EQ(ret, sizeof(buf), "recv udp")) + goto cleanup_tc; + + ASSERT_EQ(skel->bss->udp_intercepted, true, "udp_intercepted"); + + /* assign_ret == 0 means kfunc accepted UDP skb (bug). + * assign_ret < 0 means kfunc correctly rejected it (fixed). + */ + ASSERT_NEQ(skel->data->assign_ret, 0, "assign_ret"); + +cleanup_tc: + system("tc qdisc del dev lo clsact"); + if (udp_client >= 0) + close(udp_client); +close_udp_server: + close(udp_server); +close_tcp: + close(tcp_server); +destroy_skel: test_tcp_custom_syncookie__destroy(skel); } diff --git a/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c b/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c index 7d5293de1952..386705b6c9f2 100644 --- a/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c +++ b/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c @@ -588,4 +588,83 @@ int tcp_custom_syncookie(struct __sk_buff *skb) return tcp_handle_ack(&ctx); } +/* Test: call bpf_sk_assign_tcp_reqsk() on a UDP skb. + * The kfunc should reject it, but currently it doesn't check L4 protocol. + */ +__u16 tcp_listener_port = 0; +__u16 udp_test_port = 0; +int assign_ret = -1; +bool udp_intercepted = false; + +SEC("tc") +int tcp_custom_syncookie_badproto(struct __sk_buff *skb) +{ + void *data = (void *)(long)skb->data; + void *data_end = (void *)(long)skb->data_end; + struct bpf_sock_tuple tuple = {}; + struct bpf_tcp_req_attrs attrs = {}; + struct ethhdr *eth; + struct iphdr *iph; + struct udphdr *udp; + struct bpf_sock *skc; + struct sock *sk; + + eth = (struct ethhdr *)data; + if (eth + 1 > data_end) + return TC_ACT_OK; + + if (bpf_ntohs(eth->h_proto) != ETH_P_IP) + return TC_ACT_OK; + + iph = (struct iphdr *)(eth + 1); + if (iph + 1 > data_end) + return TC_ACT_OK; + + if (iph->protocol != IPPROTO_UDP) + return TC_ACT_OK; + + udp = (struct udphdr *)(iph + 1); + if (udp + 1 > data_end) + return TC_ACT_OK; + + if (bpf_ntohs(udp->dest) != udp_test_port) + return TC_ACT_OK; + + udp_intercepted = true; + + tuple.ipv4.saddr = iph->saddr; + tuple.ipv4.daddr = iph->daddr; + tuple.ipv4.sport = udp->source; + tuple.ipv4.dport = bpf_htons(tcp_listener_port); + + skc = bpf_skc_lookup_tcp(skb, &tuple, sizeof(tuple.ipv4), -1, 0); + if (!skc) + return TC_ACT_OK; + + if (skc->state != TCP_LISTEN) { + bpf_sk_release(skc); + return TC_ACT_OK; + } + + sk = (struct sock *)bpf_skc_to_tcp_sock(skc); + if (!sk) { + bpf_sk_release(skc); + return TC_ACT_OK; + } + + attrs.mss = 1460; + attrs.wscale_ok = 1; + attrs.snd_wscale = 7; + attrs.rcv_wscale = 7; + attrs.sack_ok = 1; + + /* Call bpf_sk_assign_tcp_reqsk on a UDP skb. */ + assign_ret = bpf_sk_assign_tcp_reqsk(skb, sk, &attrs, sizeof(attrs)); + + bpf_sk_release(skc); + + /* Let the packet continue into the kernel */ + return TC_ACT_OK; +} + char _license[] SEC("license") = "GPL"; -- 2.43.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH bpf v2 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk() 2026-03-26 6:26 ` [PATCH bpf v2 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk() Jiayuan Chen @ 2026-03-26 17:33 ` Kuniyuki Iwashima 0 siblings, 0 replies; 4+ messages in thread From: Kuniyuki Iwashima @ 2026-03-26 17:33 UTC (permalink / raw) To: Jiayuan Chen Cc: netdev, Jiayuan Chen, Martin KaFai Lau, Daniel Borkmann, John Fastabend, Stanislav Fomichev, Alexei Starovoitov, Andrii Nakryiko, Eduard Zingerman, Song Liu, Yonghong Song, KP Singh, Hao Luo, Jiri Olsa, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Shuah Khan, bpf, linux-kernel, linux-kselftest On Wed, Mar 25, 2026 at 11:27 PM Jiayuan Chen <jiayuan.chen@linux.dev> wrote: > > From: Jiayuan Chen <jiayuan.chen@shopee.com> > > Add test_tcp_custom_syncookie_protocol_check to verify that > bpf_sk_assign_tcp_reqsk() rejects non-TCP skbs. The test sends a UDP > packet through TC ingress where a BPF program calls > bpf_sk_assign_tcp_reqsk() on it and checks that the kfunc returns an > error. A UDP server recv() is used as synchronization to ensure the > BPF program has finished processing before checking the result. > > Without the fix in bpf_sk_assign_tcp_reqsk(), the kfunc succeeds and > attaches a TCP reqsk to the UDP skb, which causes a null pointer > dereference panic when the kernel processes it through the UDP receive > path. > > Test result: > > ./test_progs -a tcp_custom_syncookie_protocol_check -v > setup_netns:PASS:create netns 0 nsec > setup_netns:PASS:ip 0 nsec > write_sysctl:PASS:open sysctl 0 nsec > write_sysctl:PASS:write sysctl 0 nsec > setup_netns:PASS:write_sysctl 0 nsec > test_tcp_custom_syncookie_protocol_check:PASS:open_and_load 0 nsec > test_tcp_custom_syncookie_protocol_check:PASS:start tcp_server 0 nsec > test_tcp_custom_syncookie_protocol_check:PASS:start udp_server 0 nsec > setup_tc:PASS:qdisc add dev lo clsact 0 nsec > setup_tc:PASS:filter add dev lo ingress 0 nsec > test_tcp_custom_syncookie_protocol_check:PASS:udp socket 0 nsec > test_tcp_custom_syncookie_protocol_check:PASS:sendto udp 0 nsec > test_tcp_custom_syncookie_protocol_check:PASS:recv udp 0 nsec > test_tcp_custom_syncookie_protocol_check:PASS:udp_intercepted 0 nsec > test_tcp_custom_syncookie_protocol_check:PASS:assign_ret 0 nsec > #471 tcp_custom_syncookie_protocol_check:OK > Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED > > Cc: Jiayuan Chen <jiayuan.chen@linux.dev> > Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com> > --- > .../bpf/prog_tests/tcp_custom_syncookie.c | 84 ++++++++++++++++++- > .../bpf/progs/test_tcp_custom_syncookie.c | 79 +++++++++++++++++ > 2 files changed, 159 insertions(+), 4 deletions(-) > > diff --git a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c > index eaf441dc7e79..c50b76f70988 100644 > --- a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c > +++ b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c > @@ -5,6 +5,7 @@ > #include <sched.h> > #include <stdlib.h> > #include <net/if.h> > +#include <netinet/in.h> > > #include "test_progs.h" > #include "cgroup_helpers.h" > @@ -47,11 +48,10 @@ static int setup_netns(void) > return -1; > } > > -static int setup_tc(struct test_tcp_custom_syncookie *skel) > +static int setup_tc(int prog_fd) > { > LIBBPF_OPTS(bpf_tc_hook, qdisc_lo, .attach_point = BPF_TC_INGRESS); > - LIBBPF_OPTS(bpf_tc_opts, tc_attach, > - .prog_fd = bpf_program__fd(skel->progs.tcp_custom_syncookie)); > + LIBBPF_OPTS(bpf_tc_opts, tc_attach, .prog_fd = prog_fd); > > qdisc_lo.ifindex = if_nametoindex("lo"); > if (!ASSERT_OK(bpf_tc_hook_create(&qdisc_lo), "qdisc add dev lo clsact")) > @@ -127,7 +127,7 @@ void test_tcp_custom_syncookie(void) > if (!ASSERT_OK_PTR(skel, "open_and_load")) > return; > > - if (setup_tc(skel)) > + if (setup_tc(bpf_program__fd(skel->progs.tcp_custom_syncookie))) > goto destroy_skel; > > for (i = 0; i < ARRAY_SIZE(test_cases); i++) { > @@ -145,6 +145,82 @@ void test_tcp_custom_syncookie(void) > > destroy_skel: > system("tc qdisc del dev lo clsact"); > + test_tcp_custom_syncookie__destroy(skel); > +} > > +/* Test: bpf_sk_assign_tcp_reqsk() should reject non-TCP skb. > + * > + * Send a UDP packet through TC ingress where a BPF program calls > + * bpf_sk_assign_tcp_reqsk() on it. The kfunc should return an error > + * because the skb carries UDP, not TCP. > + */ > +void test_tcp_custom_syncookie_protocol_check(void) > +{ > + int tcp_server = -1, udp_server = -1, udp_client = -1; > + struct test_tcp_custom_syncookie *skel; > + struct sockaddr_in udp_addr; > + char buf[32] = "test"; > + int udp_port, ret; > + > + if (setup_netns()) > + return; > + > + skel = test_tcp_custom_syncookie__open_and_load(); > + if (!ASSERT_OK_PTR(skel, "open_and_load")) > + return; > + > + /* Create a TCP listener so the BPF can find a LISTEN socket */ > + tcp_server = start_server(AF_INET, SOCK_STREAM, "127.0.0.1", 0, 0); Can you add IPv6 test as well ? You can reuse test_tcp_custom_syncookie_case[]. > + if (!ASSERT_NEQ(tcp_server, -1, "start tcp_server")) > + goto destroy_skel; > + > + /* Create a UDP server to receive the packet as synchronization */ > + udp_server = start_server(AF_INET, SOCK_DGRAM, "127.0.0.1", 0, 0); You can specify the port to get_socket_local_port(tcp_server), > + if (!ASSERT_NEQ(udp_server, -1, "start udp_server")) > + goto close_tcp; > + > + skel->bss->tcp_listener_port = ntohs(get_socket_local_port(tcp_server)); > + udp_port = ntohs(get_socket_local_port(udp_server)); > + skel->bss->udp_test_port = udp_port; then the 3 lines above will be unnecessary, > + > + ret = bpf_program__fd(skel->progs.tcp_custom_syncookie_badproto); > + if (setup_tc(ret)) > + goto close_udp_server; > + > + udp_client = socket(AF_INET, SOCK_DGRAM, 0); > + if (!ASSERT_NEQ(udp_client, -1, "udp socket")) > + goto cleanup_tc; > + > + memset(&udp_addr, 0, sizeof(udp_addr)); > + udp_addr.sin_family = AF_INET; > + udp_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); > + udp_addr.sin_port = htons(udp_port); and you can reuse get_socket_local_port(tcp_server) here too. > + > + ret = sendto(udp_client, buf, sizeof(buf), 0, > + (struct sockaddr *)&udp_addr, sizeof(udp_addr)); > + if (!ASSERT_EQ(ret, sizeof(buf), "sendto udp")) > + goto cleanup_tc; > + > + /* recv() ensures TC ingress BPF has processed the skb */ > + ret = recv(udp_server, buf, sizeof(buf), 0); > + if (!ASSERT_EQ(ret, sizeof(buf), "recv udp")) > + goto cleanup_tc; > + > + ASSERT_EQ(skel->bss->udp_intercepted, true, "udp_intercepted"); > + > + /* assign_ret == 0 means kfunc accepted UDP skb (bug). > + * assign_ret < 0 means kfunc correctly rejected it (fixed). > + */ > + ASSERT_NEQ(skel->data->assign_ret, 0, "assign_ret"); > + > +cleanup_tc: > + system("tc qdisc del dev lo clsact"); > + if (udp_client >= 0) > + close(udp_client); > +close_udp_server: > + close(udp_server); > +close_tcp: > + close(tcp_server); > +destroy_skel: > test_tcp_custom_syncookie__destroy(skel); > } > diff --git a/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c b/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c > index 7d5293de1952..386705b6c9f2 100644 > --- a/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c > +++ b/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c > @@ -588,4 +588,83 @@ int tcp_custom_syncookie(struct __sk_buff *skb) > return tcp_handle_ack(&ctx); > } > > +/* Test: call bpf_sk_assign_tcp_reqsk() on a UDP skb. > + * The kfunc should reject it, but currently it doesn't check L4 protocol. > + */ > +__u16 tcp_listener_port = 0; > +__u16 udp_test_port = 0; > +int assign_ret = -1; > +bool udp_intercepted = false; > + > +SEC("tc") > +int tcp_custom_syncookie_badproto(struct __sk_buff *skb) > +{ > + void *data = (void *)(long)skb->data; > + void *data_end = (void *)(long)skb->data_end; > + struct bpf_sock_tuple tuple = {}; > + struct bpf_tcp_req_attrs attrs = {}; > + struct ethhdr *eth; > + struct iphdr *iph; > + struct udphdr *udp; > + struct bpf_sock *skc; > + struct sock *sk; > + > + eth = (struct ethhdr *)data; > + if (eth + 1 > data_end) > + return TC_ACT_OK; > + > + if (bpf_ntohs(eth->h_proto) != ETH_P_IP) > + return TC_ACT_OK; > + > + iph = (struct iphdr *)(eth + 1); > + if (iph + 1 > data_end) > + return TC_ACT_OK; > + > + if (iph->protocol != IPPROTO_UDP) > + return TC_ACT_OK; > + > + udp = (struct udphdr *)(iph + 1); > + if (udp + 1 > data_end) > + return TC_ACT_OK; > + > + if (bpf_ntohs(udp->dest) != udp_test_port) > + return TC_ACT_OK; You don't need to worry about other program sending UDP packets in this netns created by unshare(). > + > + udp_intercepted = true; > + > + tuple.ipv4.saddr = iph->saddr; > + tuple.ipv4.daddr = iph->daddr; > + tuple.ipv4.sport = udp->source; > + tuple.ipv4.dport = bpf_htons(tcp_listener_port); and you can simply reuse dport here too. > + > + skc = bpf_skc_lookup_tcp(skb, &tuple, sizeof(tuple.ipv4), -1, 0); > + if (!skc) > + return TC_ACT_OK; > + > + if (skc->state != TCP_LISTEN) { > + bpf_sk_release(skc); > + return TC_ACT_OK; > + } > + > + sk = (struct sock *)bpf_skc_to_tcp_sock(skc); > + if (!sk) { > + bpf_sk_release(skc); > + return TC_ACT_OK; > + } > + > + attrs.mss = 1460; > + attrs.wscale_ok = 1; > + attrs.snd_wscale = 7; > + attrs.rcv_wscale = 7; > + attrs.sack_ok = 1; > + > + /* Call bpf_sk_assign_tcp_reqsk on a UDP skb. */ > + assign_ret = bpf_sk_assign_tcp_reqsk(skb, sk, &attrs, sizeof(attrs)); > + > + bpf_sk_release(skc); > + > + /* Let the packet continue into the kernel */ > + return TC_ACT_OK; > +} > + > char _license[] SEC("license") = "GPL"; > -- > 2.43.0 > ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-26 17:33 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-03-26 6:26 [PATCH bpf v2 0/2] bpf: tcp: Fix null-ptr-deref in arbitrary SYN Cookie Jiayuan Chen 2026-03-26 6:26 ` [PATCH bpf v2 1/2] bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk() Jiayuan Chen 2026-03-26 6:26 ` [PATCH bpf v2 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk() Jiayuan Chen 2026-03-26 17:33 ` Kuniyuki Iwashima
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox