* [PATCH v1 bpf 0/2] bpf: tcp: Fix type confusion in bpf_tcp_sock().
From: Kuniyuki Iwashima @ 2026-04-30 18:43 UTC
To: Martin KaFai Lau, Daniel Borkmann, Alexei Starovoitov, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: John Fastabend, Stanislav Fomichev, Song Liu, Yonghong Song, Jiri Olsa, Eric Dumazet, Kuniyuki Iwashima, Kuniyuki Iwashima, bpf, netdev

bpf_tcp_sock() only checks if sk->sk_protocol is IPPROTO_TCP, but a RAW socket can bypass it:

  socket(AF_INET, SOCK_RAW, IPPROTO_TCP)

Patch 1 fixes it and Patch 2 adds a test.

Kuniyuki Iwashima (2):
  bpf: tcp: Fix type confusion in bpf_tcp_sock().
  selftest: bpf: Add test for bpf_tcp_sock() and RAW socket.

 net/core/filter.c                              |  2 +-
 .../selftests/bpf/prog_tests/sockopt_sk.c      | 17 ++++++++++++++++-
 tools/testing/selftests/bpf/progs/sockopt_sk.c | 16 ++++++++++++++++
 3 files changed, 33 insertions(+), 2 deletions(-)

-- 
2.54.0.545.g6539524ca2-goog
* [PATCH v1 bpf 1/2] bpf: tcp: Fix type confusion in bpf_tcp_sock().
From: Kuniyuki Iwashima @ 2026-04-30 18:43 UTC
To: Martin KaFai Lau, Daniel Borkmann, Alexei Starovoitov, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: John Fastabend, Stanislav Fomichev, Song Liu, Yonghong Song, Jiri Olsa, Eric Dumazet, Kuniyuki Iwashima, Kuniyuki Iwashima, bpf, netdev, Damiano Melotti

bpf_tcp_sock() only checks if sk->sk_protocol is IPPROTO_TCP, but a RAW socket can bypass it:

  socket(AF_INET, SOCK_RAW, IPPROTO_TCP)

Calling bpf_setsockopt() in a SOCKOPT prog triggers an out-of-bounds access to another slab object. [0]

Let's use sk_is_tcp().

[0]:
BUG: KASAN: slab-out-of-bounds in sol_tcp_sockopt (net/core/filter.c:5519)
Read of size 8 at addr ffff88801083d760 by task test_progs/1259

CPU: 1 UID: 0 PID: 1259 Comm: test_progs Tainted: G OE 7.0.0-11175-gb5c111f4967b #1 PREEMPT(full)
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
 print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
 kasan_report (mm/kasan/report.c:595)
 sol_tcp_sockopt (net/core/filter.c:5519)
 __bpf_getsockopt (net/core/filter.c:5633)
 bpf_sk_getsockopt (net/core/filter.c:5654)
 bpf_prog_629ba00a1601e9f2__setsockopt+0x86/0x22c
 __cgroup_bpf_run_filter_setsockopt (./include/linux/bpf.h:1402 ./include/linux/filter.h:722 ./include/linux/filter.h:729 kernel/bpf/cgroup.c:81 kernel/bpf/cgroup.c:2026)
 do_sock_setsockopt (net/socket.c:2363)
 __x64_sys_setsockopt (net/socket.c:2406)
 do_syscall_64 (arch/x86/entry/syscall_64.c:63)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
RIP: 0033:0x7f85f82fe7de
Code: 55 48 63 c9 48 63 ff 45 89 c9 48 89 e5 48 83 ec 08 6a 2c e8 34 69 f7 ff c9 c3 66 90 f3 0f 1e fa 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 e1
RSP: 002b:00007ffe59dcecd8 EFLAGS: 00000202 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f85f82fe7de
RDX: 000000000000001c RSI: 0000000000000006 RDI: 000000000000000d
RBP: 00007ffe59dcef20 R08: 000000000000003c R09: 0000000000000000
R10: 00007ffe59dcef00 R11: 0000000000000202 R12: 00007ffe59dcf268
R13: 0000000000000003 R14: 00007f85f9da5000 R15: 000055b2f3201400
 </TASK>

The buggy address belongs to the object at ffff88801083d280
 which belongs to the cache RAW of size 1792
The buggy address is located 1248 bytes inside of
 allocated 1792-byte region [ffff88801083d280, ffff88801083d980)

Fixes: 655a51e536c0 ("bpf: Add struct bpf_tcp_sock and BPF_FUNC_tcp_sock")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
 net/core/filter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/filter.c b/net/core/filter.c index bc96c18df4e0..cd88633f8dc1 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -7475,7 +7475,7 @@ u32 bpf_tcp_sock_convert_ctx_access(enum bpf_access_type type, BPF_CALL_1(bpf_tcp_sock, struct sock *, sk) { - if (sk_fullsock(sk) && sk->sk_protocol == IPPROTO_TCP) + if (sk_fullsock(sk) && sk_is_tcp(sk)) return (unsigned long)sk; return (unsigned long)NULL;

-- 
2.54.0.545.g6539524ca2-goog
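Review bot: the `sk_is_tcp(sk)` replacement in the `@@ -7475` hunk is the right fix, but the commit message does not say why it closes the hole: sk_is_tcp() in include/net/sock.h checks sk_type == SOCK_STREAM in addition to sk_protocol == IPPROTO_TCP, and it is the SOCK_STREAM half that rejects socket(AF_INET, SOCK_RAW, IPPROTO_TCP), whose sk_protocol is legitimately IPPROTO_TCP. One sentence to that effect (and a note that `sk_fullsock(sk)` stays first in the condition so the fields are only read on a full socket, as the hunk keeps it) would let a stable backporter verify the change without opening sock.h. The subject says "type confusion" while the body says "bypass"; tying the two together in the body would also help.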
* Re: [PATCH v1 bpf 1/2] bpf: tcp: Fix type confusion in bpf_tcp_sock().
From: Daniel Borkmann @ 2026-04-30 21:00 UTC
To: Kuniyuki Iwashima, Martin KaFai Lau, Alexei Starovoitov, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: John Fastabend, Stanislav Fomichev, Song Liu, Yonghong Song, Jiri Olsa, Eric Dumazet, Kuniyuki Iwashima, bpf, netdev, Damiano Melotti

On 4/30/26 8:43 PM, Kuniyuki Iwashima wrote:
> bpf_tcp_sock() only check if sk->sk_protocol is IPPROTO_TCP,
> but RAW socket can bypass it:
>
>   socket(AF_INET, SOCK_RAW, IPPROTO_TCP)
>
> Calling bpf_setsockopt() in SOCKOPT prog triggers out-of-bounds
> access to another slab object. [0]
>
> Let's use sk_is_tcp().
>
> [0]:
> BUG: KASAN: slab-out-of-bounds in sol_tcp_sockopt (net/core/filter.c:5519)
> Read of size 8 at addr ffff88801083d760 by task test_progs/1259
>
> CPU: 1 UID: 0 PID: 1259 Comm: test_progs Tainted: G OE 7.0.0-11175-gb5c111f4967b #1 PREEMPT(full)
> Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> Call Trace:
>  <TASK>
>  dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
>  print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
>  kasan_report (mm/kasan/report.c:595)
>  sol_tcp_sockopt (net/core/filter.c:5519)
>  __bpf_getsockopt (net/core/filter.c:5633)
>  bpf_sk_getsockopt (net/core/filter.c:5654)
>  bpf_prog_629ba00a1601e9f2__setsockopt+0x86/0x22c
>  __cgroup_bpf_run_filter_setsockopt (./include/linux/bpf.h:1402 ./include/linux/filter.h:722 ./include/linux/filter.h:729 kernel/bpf/cgroup.c:81 kernel/bpf/cgroup.c:2026)
>  do_sock_setsockopt (net/socket.c:2363)
>  __x64_sys_setsockopt (net/socket.c:2406)
>  do_syscall_64 (arch/x86/entry/syscall_64.c:63)
>  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
> RIP: 0033:0x7f85f82fe7de
> Code: 55 48 63 c9 48 63 ff 45 89 c9 48 89 e5 48 83 ec 08 6a 2c e8 34 69 f7 ff c9 c3 66 90 f3 0f 1e fa 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 e1
> RSP: 002b:00007ffe59dcecd8 EFLAGS: 00000202 ORIG_RAX: 0000000000000036
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f85f82fe7de
> RDX: 000000000000001c RSI: 0000000000000006 RDI: 000000000000000d
> RBP: 00007ffe59dcef20 R08: 000000000000003c R09: 0000000000000000
> R10: 00007ffe59dcef00 R11: 0000000000000202 R12: 00007ffe59dcf268
> R13: 0000000000000003 R14: 00007f85f9da5000 R15: 000055b2f3201400
>  </TASK>
>
> The buggy address belongs to the object at ffff88801083d280
>  which belongs to the cache RAW of size 1792
> The buggy address is located 1248 bytes inside of
>  allocated 1792-byte region [ffff88801083d280, ffff88801083d980)
>
> Fixes: 655a51e536c0 ("bpf: Add struct bpf_tcp_sock and BPF_FUNC_tcp_sock")
> Reported-by: Damiano Melotti <melotti@google.com>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>

First one lgtm:

Acked-by: Daniel Borkmann <daniel@iogearbox.net>

Thanks!
* [PATCH v1 bpf 2/2] selftest: bpf: Add test for bpf_tcp_sock() and RAW socket.
From: Kuniyuki Iwashima @ 2026-04-30 18:43 UTC
To: Martin KaFai Lau, Daniel Borkmann, Alexei Starovoitov, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: John Fastabend, Stanislav Fomichev, Song Liu, Yonghong Song, Jiri Olsa, Eric Dumazet, Kuniyuki Iwashima, Kuniyuki Iwashima, bpf, netdev

Let's extend sockopt_sk.c to cover bpf_tcp_sock() for the wrong socket type.

Before:
  # ./test_progs -t sockopt_sk
  [ 151.948613] ==================================================================
  [ 151.951376] BUG: KASAN: slab-out-of-bounds in sol_tcp_sockopt+0xc7/0x8e0
  [ 151.954159] Read of size 8 at addr ffff88801083d760 by task test_progs/1259
  ...
  run_test:FAIL:getsetsockopt unexpected error: -1 (errno 22)
  #427 sockopt_sk:FAIL

After:
  #427 sockopt_sk:OK

While at it, a missing free() is fixed up.

Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
 .../selftests/bpf/prog_tests/sockopt_sk.c      | 17 ++++++++++++++++-
 tools/testing/selftests/bpf/progs/sockopt_sk.c | 16 ++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c b/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c index 53637431ec5d..87e771c8991f 100644 --- a/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c +++ b/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c @@ -190,7 +190,7 @@ static int getsetsockopt(void) fd = socket(AF_NETLINK, SOCK_RAW, 0); if (fd < 0) { log_err("Failed to create AF_NETLINK socket"); - return -1; + goto err; } buf.u32 = 1;
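Review bot: the `return -1` to `goto err` change in the `@@ -190` hunk is the "missing free()" fix the message mentions, but neither the `err:` label nor what it releases is in the hunk (the later context line `free(big_buf);` suggests it is `big_buf`). Either name `big_buf` in the commit message or carry this leak fix as its own patch, since it is independent of the bpf_tcp_sock() regression test and reads as an unrelated change when bisecting.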
@@ -211,6 +211,21 @@ static int getsetsockopt(void) } ASSERT_EQ(optlen, 8, "Unexpected NETLINK_LIST_MEMBERSHIPS value"); + /* Trick bpf_tcp_sock() with IPPROTO_TCP */ + close(fd); + fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); + if (fd < 0) { + log_err("Failed to create RAW socket"); + goto err; + } + + optlen = 60; + err = setsockopt(fd, SOL_TCP, TCP_SAVED_SYN, &buf, optlen); + if (err) { + log_err("Unexpected setsockopt(TCP_SAVED_SYN)"); + goto err; + } + free(big_buf); close(fd); return 0; diff --git a/tools/testing/selftests/bpf/progs/sockopt_sk.c b/tools/testing/selftests/bpf/progs/sockopt_sk.c index cb990a7d3d45..5e0b27e7855c 100644 --- a/tools/testing/selftests/bpf/progs/sockopt_sk.c +++ b/tools/testing/selftests/bpf/progs/sockopt_sk.c @@ -149,6 +149,20 @@ int _setsockopt(struct bpf_sockopt *ctx) if (sk && sk->family == AF_NETLINK) goto out; + if (sk && sk->family == AF_INET && sk->type == SOCK_RAW) { + struct bpf_tcp_sock *tp = bpf_tcp_sock(sk); + + if (tp) { + char saved_syn[60]; + + bpf_getsockopt(sk, SOL_TCP, TCP_SAVED_SYN, + &saved_syn, sizeof(saved_syn)); + goto consumed; + } + + goto out; + } + /* Make sure bpf_get_netns_cookie is callable. */ if (bpf_get_netns_cookie(NULL) == 0) @@ -224,6 +238,8 @@ int _setsockopt(struct bpf_sockopt *ctx) return 0; /* couldn't get sk storage */ storage->val = optval[0]; + +consumed: ctx->optlen = -1; /* BPF has consumed this option, don't call kernel * setsockopt handler. */ -- 2.54.0.545.g6539524ca2-goog ^ permalink raw reply related [flat|nested] 6+ messages in thread
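Review bot: in the `@@ -211` hunk of prog_tests/sockopt_sk.c the new check `if (err) { log_err("Unexpected setsockopt(TCP_SAVED_SYN)"); goto err; }` is inverted. Once patch 1 makes bpf_tcp_sock() return NULL on the SOCK_RAW socket, the program takes `goto out` and the kernel's own setsockopt(SOL_TCP, TCP_SAVED_SYN) runs on a raw socket, which has no SOL_TCP handler and is expected to fail, so the test should flag success instead: `if (!err)`, as the author confirms further down the thread. While here, confirm that `buf` is at least 60 bytes, because `optlen = 60` is passed with `&buf` and the sockopt hook copies optlen bytes from user space; and the comment `/* Trick bpf_tcp_sock() with IPPROTO_TCP */` would be clearer as a statement of the expected outcome (the helper must refuse this socket) rather than of the trick.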
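Review bot: in the `@@ -149` hunk of progs/sockopt_sk.c the return value of `bpf_getsockopt(sk, SOL_TCP, TCP_SAVED_SYN, &saved_syn, sizeof(saved_syn));` is discarded, so the program cannot tell user space whether the helper ran or was refused; recording it (for example in a global the prog_tests side reads back) would make the regression visible on a kernel without KASAN, whereas today the failure signal depends on the detector firing. A comment that the `if (tp)` branch is only reachable while the bpf_tcp_sock() bug is present, and is dead for SOCK_RAW after patch 1 by design, would also save the next reader from wondering why it is never taken. Minor style: `&saved_syn` and `saved_syn` are the same address here, but the array form is the usual spelling for a buffer argument.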
* Re: [PATCH v1 bpf 2/2] selftest: bpf: Add test for bpf_tcp_sock() and RAW socket. 2026-04-30 18:43 ` [PATCH v1 bpf 2/2] selftest: bpf: Add test for bpf_tcp_sock() and RAW socket Kuniyuki Iwashima @ 2026-04-30 20:32 ` Kuniyuki Iwashima 2026-04-30 21:14 ` Kuniyuki Iwashima 0 siblings, 1 reply; 6+ messages in thread From: Kuniyuki Iwashima @ 2026-04-30 20:32 UTC (permalink / raw) To: Martin KaFai Lau, Daniel Borkmann, Alexei Starovoitov, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi Cc: John Fastabend, Stanislav Fomichev, Song Liu, Yonghong Song, Jiri Olsa, Eric Dumazet, Kuniyuki Iwashima, bpf, netdev On Thu, Apr 30, 2026 at 11:44 AM Kuniyuki Iwashima <kuniyu@google.com> wrote: > > Let's extend sockopt_sk.c to cover bpf_tcp_sock() for the > wrong socket type. > > Before: > # ./test_progs -t sockopt_sk > [ 151.948613] ================================================================== > [ 151.951376] BUG: KASAN: slab-out-of-bounds in sol_tcp_sockopt+0xc7/0x8e0 > [ 151.954159] Read of size 8 at addr ffff88801083d760 by task test_progs/1259 > ... > run_test:FAIL:getsetsockopt unexpected error: -1 (errno 22) > #427 sockopt_sk:FAIL > > After: > #427 sockopt_sk:OK > > While at it, missing free() is fixed up. > > Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> > --- > .../selftests/bpf/prog_tests/sockopt_sk.c | 17 ++++++++++++++++- > tools/testing/selftests/bpf/progs/sockopt_sk.c | 16 ++++++++++++++++ > 2 files changed, 32 insertions(+), 1 deletion(-) > > diff --git a/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c b/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c > index 53637431ec5d..87e771c8991f 100644 > --- a/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c > +++ b/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c > @@ -190,7 +190,7 @@ static int getsetsockopt(void) > fd = socket(AF_NETLINK, SOCK_RAW, 0); > if (fd < 0) { > log_err("Failed to create AF_NETLINK socket"); > - return -1; > + goto err; > } > > buf.u32 = 1; 
> @@ -211,6 +211,21 @@ static int getsetsockopt(void) > } > ASSERT_EQ(optlen, 8, "Unexpected NETLINK_LIST_MEMBERSHIPS value"); > > + /* Trick bpf_tcp_sock() with IPPROTO_TCP */ > + close(fd); > + fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); > + if (fd < 0) { > + log_err("Failed to create RAW socket"); > + goto err; > + } > + > + optlen = 60; > + err = setsockopt(fd, SOL_TCP, TCP_SAVED_SYN, &buf, optlen); > + if (err) { Ugh, I forgot to commit s/err/!err/ change.. :/ pw-bot: cr ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v1 bpf 2/2] selftest: bpf: Add test for bpf_tcp_sock() and RAW socket. 2026-04-30 20:32 ` Kuniyuki Iwashima @ 2026-04-30 21:14 ` Kuniyuki Iwashima 0 siblings, 0 replies; 6+ messages in thread From: Kuniyuki Iwashima @ 2026-04-30 21:14 UTC (permalink / raw) To: Martin KaFai Lau, Daniel Borkmann, Alexei Starovoitov, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi Cc: John Fastabend, Stanislav Fomichev, Song Liu, Yonghong Song, Jiri Olsa, Eric Dumazet, Kuniyuki Iwashima, bpf, netdev On Thu, Apr 30, 2026 at 1:32 PM Kuniyuki Iwashima <kuniyu@google.com> wrote: > > On Thu, Apr 30, 2026 at 11:44 AM Kuniyuki Iwashima <kuniyu@google.com> wrote: > > > > Let's extend sockopt_sk.c to cover bpf_tcp_sock() for the > > wrong socket type. > > > > Before: > > # ./test_progs -t sockopt_sk > > [ 151.948613] ================================================================== > > [ 151.951376] BUG: KASAN: slab-out-of-bounds in sol_tcp_sockopt+0xc7/0x8e0 > > [ 151.954159] Read of size 8 at addr ffff88801083d760 by task test_progs/1259 > > ... > > run_test:FAIL:getsetsockopt unexpected error: -1 (errno 22) > > #427 sockopt_sk:FAIL > > > > After: > > #427 sockopt_sk:OK > > > > While at it, missing free() is fixed up. > > > > Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> > > --- > > .../selftests/bpf/prog_tests/sockopt_sk.c | 17 ++++++++++++++++- > > tools/testing/selftests/bpf/progs/sockopt_sk.c | 16 ++++++++++++++++ > > 2 files changed, 32 insertions(+), 1 deletion(-) > > > > diff --git a/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c b/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c > > index 53637431ec5d..87e771c8991f 100644 > > --- a/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c > > +++ b/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c 
> > @@ -190,7 +190,7 @@ static int getsetsockopt(void) > > fd = socket(AF_NETLINK, SOCK_RAW, 0); > > if (fd < 0) { > > log_err("Failed to create AF_NETLINK socket"); > > - return -1; > > + goto err; > > } > > > > buf.u32 = 1; > > @@ -211,6 +211,21 @@ static int getsetsockopt(void) > > } > > ASSERT_EQ(optlen, 8, "Unexpected NETLINK_LIST_MEMBERSHIPS value"); > > > > + /* Trick bpf_tcp_sock() with IPPROTO_TCP */ > > + close(fd); > > + fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); > > + if (fd < 0) { > > + log_err("Failed to create RAW socket"); > > + goto err; > > + } > > + > > + optlen = 60; > > + err = setsockopt(fd, SOL_TCP, TCP_SAVED_SYN, &buf, optlen); > > + if (err) { > > Ugh, I forgot to commit s/err/!err/ change.. :/ > I'll include Matt's followup and extend the test accordingly in v2. https://lore.kernel.org/mptcp/20260430-mptcp-bpf-mptcp-sock-type-v1-1-d2ed5cda7da9@kernel.org/ ^ permalink raw reply [flat|nested] 6+ messages in thread