* [PATCH bpf-next] bpf: Make sure internal and UAPI bpf_redirect flags don't overlap
@ 2024-09-20 12:56 Toke Høiland-Jørgensen
2024-10-01 19:49 ` Daniel Borkmann
2024-10-01 19:50 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 4+ messages in thread
From: Toke Høiland-Jørgensen @ 2024-09-20 12:56 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Hangbin Liu, Jesper Dangaard Brouer,
Toke Høiland-Jørgensen
Cc: syzbot+cca39e6e84a367a7e6f6, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, bpf, netdev
The bpf_redirect_info is shared between the SKB and XDP redirect paths,
and the two paths use the same numeric flag values in the ri->flags
field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that
if skb bpf_redirect_neigh() is used with a non-NULL params argument and,
subsequently, an XDP redirect is performed using the same
bpf_redirect_info struct, the XDP path will get confused and end up
crashing, which syzbot managed to trigger.
With the stack-allocated bpf_redirect_info, the structure is no longer
shared between the SKB and XDP paths, so the crash doesn't happen
anymore. However, different code paths using identically-numbered flag
values in the same struct field still seems like a bit of a mess, so
this patch cleans that up by moving the flag definitions together and
redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap
with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make
sure the overlap is not re-introduced by mistake.
Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support")
Reported-by: syzbot+cca39e6e84a367a7e6f6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cca39e6e84a367a7e6f6
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
---
include/uapi/linux/bpf.h | 14 ++++++--------
net/core/filter.c | 8 +++++---
2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index c3a5728db115..0c6154272ab3 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -6047,11 +6047,6 @@ enum {
BPF_F_MARK_ENFORCE = (1ULL << 6),
};
-/* BPF_FUNC_clone_redirect and BPF_FUNC_redirect flags. */
-enum {
- BPF_F_INGRESS = (1ULL << 0),
-};
-
/* BPF_FUNC_skb_set_tunnel_key and BPF_FUNC_skb_get_tunnel_key flags. */
enum {
BPF_F_TUNINFO_IPV6 = (1ULL << 0),
@@ -6198,11 +6193,14 @@ enum {
BPF_F_BPRM_SECUREEXEC = (1ULL << 0),
};
-/* Flags for bpf_redirect_map helper */
+/* Flags for bpf_redirect and bpf_redirect_map helpers */
enum {
- BPF_F_BROADCAST = (1ULL << 3),
- BPF_F_EXCLUDE_INGRESS = (1ULL << 4),
+ BPF_F_INGRESS = (1ULL << 0), /* used for skb path */
+ BPF_F_BROADCAST = (1ULL << 3), /* used for XDP path */
+ BPF_F_EXCLUDE_INGRESS = (1ULL << 4), /* used for XDP path */
};
+#define BPF_F_REDIRECT_ALL_FLAGS (BPF_F_INGRESS | BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS)
+
#define __bpf_md_ptr(type, name) \
union { \
diff --git a/net/core/filter.c b/net/core/filter.c
index e4a4454df5f9..db99f2b38e06 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2437,9 +2437,9 @@ static int __bpf_redirect_neigh(struct sk_buff *skb, struct net_device *dev,
/* Internal, non-exposed redirect flags. */
enum {
- BPF_F_NEIGH = (1ULL << 1),
- BPF_F_PEER = (1ULL << 2),
- BPF_F_NEXTHOP = (1ULL << 3),
+ BPF_F_NEIGH = (1ULL << 16),
+ BPF_F_PEER = (1ULL << 17),
+ BPF_F_NEXTHOP = (1ULL << 18),
#define BPF_F_REDIRECT_INTERNAL (BPF_F_NEIGH | BPF_F_PEER | BPF_F_NEXTHOP)
};
@@ -2449,6 +2449,8 @@ BPF_CALL_3(bpf_clone_redirect, struct sk_buff *, skb, u32, ifindex, u64, flags)
struct sk_buff *clone;
int ret;
+ BUILD_BUG_ON(BPF_F_REDIRECT_INTERNAL & BPF_F_REDIRECT_ALL_FLAGS);
+
if (unlikely(flags & (~(BPF_F_INGRESS) | BPF_F_REDIRECT_INTERNAL)))
return -EINVAL;
--
2.46.1
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH bpf-next] bpf: Make sure internal and UAPI bpf_redirect flags don't overlap
2024-09-20 12:56 [PATCH bpf-next] bpf: Make sure internal and UAPI bpf_redirect flags don't overlap Toke Høiland-Jørgensen
@ 2024-10-01 19:49 ` Daniel Borkmann
2024-10-02 8:35 ` Toke Høiland-Jørgensen
2024-10-01 19:50 ` patchwork-bot+netdevbpf
1 sibling, 1 reply; 4+ messages in thread
From: Daniel Borkmann @ 2024-10-01 19:49 UTC (permalink / raw)
To: Toke Høiland-Jørgensen, Alexei Starovoitov,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev,
Hao Luo, Jiri Olsa, Hangbin Liu, Jesper Dangaard Brouer
Cc: syzbot+cca39e6e84a367a7e6f6, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, bpf, netdev
On 9/20/24 2:56 PM, Toke Høiland-Jørgensen wrote:
> The bpf_redirect_info is shared between the SKB and XDP redirect paths,
> and the two paths use the same numeric flag values in the ri->flags
> field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that
> if skb bpf_redirect_neigh() is used with a non-NULL params argument and,
> subsequently, an XDP redirect is performed using the same
> bpf_redirect_info struct, the XDP path will get confused and end up
> crashing, which syzbot managed to trigger.
>
> With the stack-allocated bpf_redirect_info, the structure is no longer
> shared between the SKB and XDP paths, so the crash doesn't happen
> anymore. However, different code paths using identically-numbered flag
> values in the same struct field still seems like a bit of a mess, so
> this patch cleans that up by moving the flag definitions together and
> redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap
> with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make
> sure the overlap is not re-introduced by mistake.
>
> Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support")
> Reported-by: syzbot+cca39e6e84a367a7e6f6@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=cca39e6e84a367a7e6f6
> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
> ---
> include/uapi/linux/bpf.h | 14 ++++++--------
> net/core/filter.c | 8 +++++---
> 2 files changed, 11 insertions(+), 11 deletions(-)
Lgtm, applied, thanks! I also added a tools header sync.I took this into
bpf tree, so that stable can pick it up.
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index c3a5728db115..0c6154272ab3 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -6047,11 +6047,6 @@ enum {
> BPF_F_MARK_ENFORCE = (1ULL << 6),
> };
>
> -/* BPF_FUNC_clone_redirect and BPF_FUNC_redirect flags. */
> -enum {
> - BPF_F_INGRESS = (1ULL << 0),
> -};
> -
> /* BPF_FUNC_skb_set_tunnel_key and BPF_FUNC_skb_get_tunnel_key flags. */
> enum {
> BPF_F_TUNINFO_IPV6 = (1ULL << 0),
> @@ -6198,11 +6193,14 @@ enum {
> BPF_F_BPRM_SECUREEXEC = (1ULL << 0),
> };
>
> -/* Flags for bpf_redirect_map helper */
> +/* Flags for bpf_redirect and bpf_redirect_map helpers */
> enum {
> - BPF_F_BROADCAST = (1ULL << 3),
> - BPF_F_EXCLUDE_INGRESS = (1ULL << 4),
> + BPF_F_INGRESS = (1ULL << 0), /* used for skb path */
> + BPF_F_BROADCAST = (1ULL << 3), /* used for XDP path */
> + BPF_F_EXCLUDE_INGRESS = (1ULL << 4), /* used for XDP path */
> };
> +#define BPF_F_REDIRECT_ALL_FLAGS (BPF_F_INGRESS | BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS)
> +
>
Also fixed up extra newline.
Thanks,
Daniel
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH bpf-next] bpf: Make sure internal and UAPI bpf_redirect flags don't overlap
2024-10-01 19:49 ` Daniel Borkmann
@ 2024-10-02 8:35 ` Toke Høiland-Jørgensen
0 siblings, 0 replies; 4+ messages in thread
From: Toke Høiland-Jørgensen @ 2024-10-02 8:35 UTC (permalink / raw)
To: Daniel Borkmann, Alexei Starovoitov, Andrii Nakryiko,
Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Hangbin Liu, Jesper Dangaard Brouer
Cc: syzbot+cca39e6e84a367a7e6f6, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, bpf, netdev
Daniel Borkmann <daniel@iogearbox.net> writes:
> On 9/20/24 2:56 PM, Toke Høiland-Jørgensen wrote:
>> The bpf_redirect_info is shared between the SKB and XDP redirect paths,
>> and the two paths use the same numeric flag values in the ri->flags
>> field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that
>> if skb bpf_redirect_neigh() is used with a non-NULL params argument and,
>> subsequently, an XDP redirect is performed using the same
>> bpf_redirect_info struct, the XDP path will get confused and end up
>> crashing, which syzbot managed to trigger.
>>
>> With the stack-allocated bpf_redirect_info, the structure is no longer
>> shared between the SKB and XDP paths, so the crash doesn't happen
>> anymore. However, different code paths using identically-numbered flag
>> values in the same struct field still seems like a bit of a mess, so
>> this patch cleans that up by moving the flag definitions together and
>> redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap
>> with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make
>> sure the overlap is not re-introduced by mistake.
>>
>> Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support")
>> Reported-by: syzbot+cca39e6e84a367a7e6f6@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=cca39e6e84a367a7e6f6
>> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
>> ---
>> include/uapi/linux/bpf.h | 14 ++++++--------
>> net/core/filter.c | 8 +++++---
>> 2 files changed, 11 insertions(+), 11 deletions(-)
> Lgtm, applied, thanks! I also added a tools header sync.I took this into
> bpf tree, so that stable can pick it up.
Great! Thanks for the fixups :)
-Toke
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH bpf-next] bpf: Make sure internal and UAPI bpf_redirect flags don't overlap
2024-09-20 12:56 [PATCH bpf-next] bpf: Make sure internal and UAPI bpf_redirect flags don't overlap Toke Høiland-Jørgensen
2024-10-01 19:49 ` Daniel Borkmann
@ 2024-10-01 19:50 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2024-10-01 19:50 UTC (permalink / raw)
To: =?utf-8?b?VG9rZSBIw7hpbGFuZC1Kw7hyZ2Vuc2VuIDx0b2tlQHJlZGhhdC5jb20+?=
Cc: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
john.fastabend, kpsingh, sdf, haoluo, jolsa, liuhangbin, brouer,
syzbot+cca39e6e84a367a7e6f6, davem, edumazet, kuba, pabeni, bpf,
netdev
Hello:
This patch was applied to bpf/bpf.git (master)
by Daniel Borkmann <daniel@iogearbox.net>:
On Fri, 20 Sep 2024 14:56:24 +0200 you wrote:
> The bpf_redirect_info is shared between the SKB and XDP redirect paths,
> and the two paths use the same numeric flag values in the ri->flags
> field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that
> if skb bpf_redirect_neigh() is used with a non-NULL params argument and,
> subsequently, an XDP redirect is performed using the same
> bpf_redirect_info struct, the XDP path will get confused and end up
> crashing, which syzbot managed to trigger.
>
> [...]
Here is the summary with links:
- [bpf-next] bpf: Make sure internal and UAPI bpf_redirect flags don't overlap
https://git.kernel.org/bpf/bpf/c/09d88791c7cd
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-10-02 8:36 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-09-20 12:56 [PATCH bpf-next] bpf: Make sure internal and UAPI bpf_redirect flags don't overlap Toke Høiland-Jørgensen
2024-10-01 19:49 ` Daniel Borkmann
2024-10-02 8:35 ` Toke Høiland-Jørgensen
2024-10-01 19:50 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).