* [PATCH bpf] bpf: reject mini-sockets in bpf_sock_destroy()
@ 2026-07-02 22:45 Xiang Mei (Microsoft)
0 siblings, 0 replies; only message in thread
From: Xiang Mei (Microsoft) @ 2026-07-02 22:45 UTC (permalink / raw)
To: ast, daniel, andrii, eddyz87, memxor, bpf
Cc: netdev, martin.lau, song, yonghong.song, jolsa, emil,
john.fastabend, sdf, aditi.ghag, AutonomousCodeSecurity,
tgopinath, kys, linux-kernel, Xiang Mei (Microsoft)
bpf_sock_destroy() casts its struct sock_common * argument to a full
struct sock and reads sk->sk_protocol. The BPF tcp iterator can pass a
TIME_WAIT or NEW_SYN_RECV mini-socket, which only embeds a sock_common
prefix. Unlike sk_prot (which aliases skc_prot inside sock_common),
sk_protocol lives beyond that prefix, so the read goes out of bounds of
the small tw_sock_TCP object (type confusion).
Reject non-full sockets with sk_fullsock() before touching any
full-sock field. sk_fullsock() only reads sk_state (in sock_common),
and these mini-sockets have no ->diag_destroy(), This matches the other
sock_common consumers in this file, e.g. bpf_skc_to_tcp_sock(), which
already sk_fullsock() before reading sk_protocol.
BUG: KASAN: slab-out-of-bounds in bpf_sock_destroy (net/core/filter.c:12673)
Read of size 2 at addr ffff888013ffc71c by task exploit/143
Call Trace:
kasan_report (mm/kasan/report.c:595)
bpf_sock_destroy (net/core/filter.c:12673)
bpf_prog_8b5bd55c189cabc9_sock_destroy_tw+0x31/0x3e
bpf_iter_run_prog (kernel/bpf/bpf_iter.c:697)
bpf_iter_tcp_seq_show (net/ipv4/tcp_ipv4.c:3247)
bpf_seq_read (kernel/bpf/bpf_iter.c:184)
vfs_read (fs/read_write.c:572)
ksys_read (fs/read_write.c:716)
do_syscall_64 (arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
...
The buggy address belongs to the object at ffff888013ffc640
which belongs to the cache tw_sock_TCP of size 256
The buggy address is located 220 bytes inside of
allocated 256-byte region [ffff888013ffc640, ffff888013ffc740)
Fixes: 4ddbcb886268 ("bpf: Add bpf_sock_destroy kfunc")
Reported-by: AutonomousCodeSecurity@microsoft.com
Signed-off-by: Xiang Mei (Microsoft) <xmei5@asu.edu>
---
net/core/filter.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index 69ec1a4c0f9d..a0fcafb08b96 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -12665,6 +12665,9 @@ __bpf_kfunc int bpf_sock_destroy(struct sock_common *sock)
{
struct sock *sk = (struct sock *)sock;
+ if (!sk_fullsock(sk))
+ return -EOPNOTSUPP;
+
/* The locking semantics that allow for synchronous execution of the
* destroy handlers are only supported for TCP and UDP.
* Supporting protocols will need to acquire sock lock in the BPF context
--
2.43.0
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-07-02 22:45 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-02 22:45 [PATCH bpf] bpf: reject mini-sockets in bpf_sock_destroy() Xiang Mei (Microsoft)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox