Netdev List
From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: Xingwang Xiang <v3rdant.xiang@gmail.com>, john.fastabend@gmail.com
Cc: kuba@kernel.org, jakub@cloudflare.com, sd@queasysnail.net,
	davem@davemloft.net, pabeni@redhat.com, horms@kernel.org,
	netdev@vger.kernel.org
Subject: Re: [PATCH net v3] selftests: bpf: add test for KTLS+sockmap reverse-order UAF
Date: Mon, 11 May 2026 22:13:02 +0800	[thread overview]
Message-ID: <ac03371e-4183-4ac5-aad5-0c7370c37ecc@linux.dev> (raw)
In-Reply-To: <20260511124149.14834-1-v3rdant.xiang@gmail.com>


On 5/11/26 8:41 PM, Xingwang Xiang wrote:
> Add a selftest that reproduces the use-after-free triggered when a TCP
> socket is inserted into a sockmap *before* TLS RX is configured on it
> (the reverse of the order that is already blocked by the kernel).
>
> Vulnerable sequence:
>
>    1. bpf_map_update_elem(sockmap, server_fd)
>       -> sk->sk_data_ready = sk_psock_verdict_data_ready
>
>    2. setsockopt(server_fd, SOL_TLS, TLS_RX, ...)
>       -> tls_sw_strparser_arm() saves sk_psock_verdict_data_ready as
>          rx_ctx->saved_data_ready, then sets
>          sk->sk_data_ready = tls_data_ready
>
> When data arrives:
>    tls_data_ready -> tls_strp_data_ready -> tls_rx_msg_ready ->
>    saved_data_ready() [= sk_psock_verdict_data_ready] ->
>    tcp_read_skb() drains sk_receive_queue via __skb_unlink() without
>    calling tcp_eat_skb(), so copied_seq is never advanced.
>
>    tls_strp_msg_load() then finds tcp_inq() >= full_len (stale), calls
>    tcp_recv_skb() on an empty queue, hits WARN_ON_ONCE(!first), and
>    returns with frag_list still pointing at the now psock-owned (or
>    already freed) skb.  tls_decrypt_sg() subsequently walks that stale
>    frag_list: a use-after-free.


Hi Xingwang,

Thanks for your selftest.


I think sockmap + TLS_RX has no useful semantics (fix me if I'm wrong).
sk_skb sees ciphertext and the TLS keys are pinned to this socket, so
redirect is meaningless. And both sides racing on sk_receive_queue is
what produces the UAF.

The fix should be to reject TLS_RX when the socket is already in a sockmap.

Note TLS_TX + sockmap remains useful and unaffected.


---
Please don't send this as a standalone selftest [1]. Without the kernel
fix, this patch just lands a reproducer for an exploitable UAF in the tree.
Please send fix + selftest together as a 2-patch series with a proper
cover letter. Also, an LLM will give you more details.

[1]: https://docs.kernel.org/process/submitting-patches.html


Thanks.
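To make the ordering problem and the proposed guard concrete, here is a small user-space model, added as an illustration and not taken from the kernel or from either patch. It models the sk_data_ready handoff the quoted report describes (sockmap's verdict path drains the queue without advancing copied_seq, then the TLS strparser trusts a stale tcp_inq()) and the check the reply proposes (refuse TLS_RX once a psock is attached). Every struct, field and function name is a simplified stand-in; the existing "TLS first, then sockmap" refusal is modelled only as a flag check, since the thread states that it exists but not how.

```c
/* Added illustration, not kernel code: user-space model of the
 * sockmap/TLS RX data_ready handoff and of the proposed TLS_RX guard.
 * All names are stand-ins for the kernel's, chosen for this model. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct sock;
typedef void (*data_ready_fn)(struct sock *);

struct sock {
    int queued_skbs;        /* skbs sitting in sk_receive_queue (model) */
    int rcv_nxt;            /* bytes TCP has received */
    int copied_seq;         /* bytes consumed; only tcp_eat_skb() advances it */
    bool has_psock;         /* socket is in a sockmap */
    bool tls_rx_armed;      /* TLS RX configured on the socket */
    bool stale_frag_list;   /* tls_strp_msg_load() left a dangling skb */
    data_ready_fn sk_data_ready;
    data_ready_fn saved_data_ready;   /* what tls_sw_strparser_arm() saved */
};

#define MSG_LEN 16   /* one TLS record, in bytes (model value) */

/* Plain TCP: data just waits in the queue for recvmsg(). */
static void tcp_data_ready(struct sock *sk) { (void)sk; }

/* sockmap verdict path: tcp_read_skb() unlinks skbs from the queue but,
 * as the report says, never calls tcp_eat_skb(), so copied_seq stays put. */
static void psock_verdict_data_ready(struct sock *sk)
{
    sk->queued_skbs = 0;
}

/* TLS RX: run whatever data_ready was installed before us, then load
 * the record.  tcp_inq() is rcv_nxt - copied_seq, so after the psock ran
 * it still looks like a full record is queued. */
static void tls_data_ready(struct sock *sk)
{
    sk->saved_data_ready(sk);
    int inq = sk->rcv_nxt - sk->copied_seq;
    if (inq >= MSG_LEN && sk->queued_skbs == 0) {
        sk->stale_frag_list = true;   /* tcp_recv_skb() on an empty queue */
    } else if (sk->queued_skbs > 0) {
        sk->queued_skbs = 0;          /* normal path: record consumed */
        sk->copied_seq = sk->rcv_nxt;
    }
}

/* Ordering the kernel already refuses (per the thread): sockmap after TLS. */
static int sockmap_update_elem(struct sock *sk)
{
    if (sk->tls_rx_armed)
        return -EINVAL;
    sk->has_psock = true;
    sk->sk_data_ready = psock_verdict_data_ready;
    return 0;
}

/* setsockopt(SOL_TLS, TLS_RX); 'guard' models the reply's proposed check. */
static int tls_set_rx(struct sock *sk, bool guard)
{
    if (guard && sk->has_psock)
        return -EINVAL;
    sk->saved_data_ready = sk->sk_data_ready;   /* tls_sw_strparser_arm() */
    sk->sk_data_ready = tls_data_ready;
    sk->tls_rx_armed = true;
    return 0;
}

/* Deliver one record; returns 1 if the model reached the dangling-skb state. */
static int deliver_record(struct sock *sk)
{
    sk->queued_skbs++;
    sk->rcv_nxt += MSG_LEN;
    sk->sk_data_ready(sk);
    return sk->stale_frag_list ? 1 : 0;
}

static void sock_init(struct sock *sk)
{
    *sk = (struct sock){ .sk_data_ready = tcp_data_ready };
}

/* sockmap first, then TLS_RX.  Returns a negative errno if setup is
 * refused, otherwise deliver_record()'s verdict (1 = stale skb reached). */
int reverse_order_scenario(bool guard)
{
    struct sock sk;
    sock_init(&sk);
    int err = sockmap_update_elem(&sk);
    if (err)
        return err;
    err = tls_set_rx(&sk, guard);
    if (err)
        return err;
    return deliver_record(&sk);
}

/* TLS_RX first, then sockmap: refused by the existing check. */
int tls_then_sockmap_scenario(void)
{
    struct sock sk;
    sock_init(&sk);
    int err = tls_set_rx(&sk, true);
    if (err)
        return err;
    return sockmap_update_elem(&sk);
}

/* TLS_RX alone: the record is consumed normally. */
int tls_only_scenario(void)
{
    struct sock sk;
    sock_init(&sk);
    tls_set_rx(&sk, true);
    return deliver_record(&sk);
}

int main(void)
{
    printf("reverse order, no guard : %d (1 = stale frag_list)\n",
           reverse_order_scenario(false));
    printf("reverse order, guarded  : %d (-EINVAL = %d)\n",
           reverse_order_scenario(true), -EINVAL);
    printf("TLS then sockmap        : %d\n", tls_then_sockmap_scenario());
    printf("TLS only                : %d\n", tls_only_scenario());
    return 0;
}
```

The point the model makes is the one in the reply: the psock's verdict handler is reached through saved_data_ready underneath the TLS strparser, so the two consumers race on the same receive queue, and the only ordering the kernel does not yet refuse is closed by rejecting TLS_RX when a psock is already attached. TLS_TX installs no data_ready hook, which is why the reply says it stays unaffected.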

Thread overview:
2026-05-11 12:41 [PATCH net v3] selftests: bpf: add test for KTLS+sockmap reverse-order UAF Xingwang Xiang
2026-05-11 14:13 ` Jiayuan Chen [this message]