From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-174.mta0.migadu.com (out-174.mta0.migadu.com [91.218.175.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8C31B19048F for ; Fri, 4 Apr 2025 00:27:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.174 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1743726480; cv=none; b=D1SB/jD6DZJqduTcb0ZNLi4DR7jL7uqMw7J9zXiDkYmDAJTu+KM5qPu6V1eSjKZFjskEci5yRIJTJWceDJiZsHpqvkPBhGFyqg9PNNx9gSBn5KKyLxxwUewoWLbKrvLNRp6isFYqbKJgmx3cuJBnZVFbrfTMRBn5g5uoXOJ6yVg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1743726480; c=relaxed/simple; bh=sZCuFd4nf1NVtLGFqso9PSbFQ53jt5gd2JBpo8x0AYk=; h=MIME-Version:Date:Content-Type:From:Message-ID:Subject:To:Cc: In-Reply-To:References; b=optkZ9rfSvpuCrI0UrhXMu4REkOzPWySV35ttJPlu+LZrWRJL3JLxaAh71bXpKRSrhsbU4JZRKLy6rIcPazj+I2JgRkoTgLSt1P0cjio9vy+B6pmDt/2HS0ZoKRiygFZ+5tsEt7eLlxhC5LhWo6+Wu8D/6BN4zykwhG4y8e7UcY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=o0pYuFHS; arc=none smtp.client-ip=91.218.175.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="o0pYuFHS" Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1743726466; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xBkmuETqkFanCorV9XII3T38OpLgK/5FcDlEGxS6XPw=; b=o0pYuFHS4a16tKKp9qPixsi8OkmZfIh/VoQNM467L8R0c/GR+tYyqm5x2K/ZHU2ZArSZ0M EpIEZ+nb7humYj32cSPTWpEq8Uat13ol/fFWrg0y8UVvTfBPWLDD713oUl/Hf3NPpULtDL aYvRGeZ7p9Pt3qbOd8TXVpYiVsAUulQ= Date: Fri, 04 Apr 2025 00:27:42 +0000 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: "Jiayuan Chen" Message-ID: TLS-Required: No Subject: Re: [PATCH bpf v2 1/2] bpf, xdp: clean head/meta when expanding it To: "Alexei Starovoitov" Cc: "bpf" , "Jiayuan Chen" , syzbot+0e6ddb1ef80986bdfe64@syzkaller.appspotmail.com, "Alexei Starovoitov" , "Daniel Borkmann" , "Andrii Nakryiko" , "Martin KaFai Lau" , "Eduard Zingerman" , "Song Liu" , "Yonghong Song" , "John Fastabend" , "KP Singh" , "Stanislav Fomichev" , "Hao Luo" , "Jiri Olsa" , "David S. Miller" , "Eric Dumazet" , "Jakub Kicinski" , "Paolo Abeni" , "Simon Horman" , "Jesper Dangaard Brouer" , "Mykola Lysenko" , "Shuah Khan" , "Willem de Bruijn" , "Jason Xing" , "Anton Protopopov" , "Abhishek Chauhan" , "Jordan Rome" , "Martin Kelly" , "David Lechner" , "LKML" , "Network Development" , "open list:KERNEL SELFTEST FRAMEWORK" In-Reply-To: References: <20250331032354.75808-1-jiayuan.chen@linux.dev> <20250331032354.75808-2-jiayuan.chen@linux.dev> X-Migadu-Flow: FLOW_OUT April 3, 2025 at 22:24, "Alexei Starovoitov" wrote: >=20 >=20On Sun, Mar 30, 2025 at 8:27 PM Jiayuan Chen = wrote: >=20 >=20>=20 >=20> The device allocates an skb, it additionally allocates a prepad siz= e > >=20 >=20> (usually equal to NET_SKB_PAD or XDP_PACKET_HEADROOM) but leaves i= t > >=20 >=20> uninitialized. > >=20 >=20> The bpf_xdp_adjust_head function moves skb->data forward, which al= lows > >=20 >=20> users to access data belonging to other programs, posing a securit= y risk. > >=20 >=20> Reported-by: syzbot+0e6ddb1ef80986bdfe64@syzkaller.appspotmail.com > >=20 >=20> Closes: https://lore.kernel.org/all/00000000000067f65105edbd295d@g= oogle.com/T/ > >=20 >=20> Signed-off-by: Jiayuan Chen > >=20 >=20> --- > >=20 >=20> include/uapi/linux/bpf.h | 8 +++++--- > >=20 >=20> net/core/filter.c | 5 ++++- > >=20 >=20> tools/include/uapi/linux/bpf.h | 6 ++++-- > >=20 >=20> 3 files changed, 13 insertions(+), 6 deletions(-) > >=20 >=20> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h > >=20 >=20> index defa5bb881f4..be01a848cbbf 100644 > >=20 >=20> --- a/include/uapi/linux/bpf.h > >=20 >=20> +++ b/include/uapi/linux/bpf.h > >=20 >=20> @@ -2760,8 +2760,9 @@ union bpf_attr { > >=20 >=20> * > >=20 >=20> * long bpf_xdp_adjust_head(struct xdp_buff *xdp_md, int delta) > >=20 >=20> * Description > >=20 >=20> - * Adjust (move) *xdp_md*\ **->data** by *delta* bytes. Note that > >=20 >=20> - * it is possible to use a negative value for *delta*. This helpe= r > >=20 >=20> + * Adjust (move) *xdp_md*\ **->data** by *delta* bytes. Note that > >=20 >=20> + * it is possible to use a negative value for *delta*. If *delta* > >=20 >=20> + * is negative, the new header will be memset to zero. This helpe= r > >=20 >=20> * can be used to prepare the packet for pushing or popping > >=20 >=20> * headers. > >=20 >=20> * > >=20 >=20> @@ -2989,7 +2990,8 @@ union bpf_attr { > >=20 >=20> * long bpf_xdp_adjust_meta(struct xdp_buff *xdp_md, int delta) > >=20 >=20> * Description > >=20 >=20> * Adjust the address pointed by *xdp_md*\ **->data_meta** by > >=20 >=20> - * *delta* (which can be positive or negative). Note that this > >=20 >=20> + * *delta* (which can be positive or negative). If *delta* is > >=20 >=20> + * negative, the new meta will be memset to zero. Note that this > >=20 >=20> * operation modifies the address stored in *xdp_md*\ **->data**, > >=20 >=20> * so the latter must be loaded only after the helper has been > >=20 >=20> * called. > >=20 >=20> diff --git a/net/core/filter.c b/net/core/filter.c > >=20 >=20> index 46ae8eb7a03c..5f01d373b719 100644 > >=20 >=20> --- a/net/core/filter.c > >=20 >=20> +++ b/net/core/filter.c > >=20 >=20> @@ -3947,6 +3947,8 @@ BPF_CALL_2(bpf_xdp_adjust_head, struct xdp_b= uff *, xdp, int, offset) > >=20 >=20> if (metalen) > >=20 >=20> memmove(xdp->data_meta + offset, > >=20 >=20> xdp->data_meta, metalen); > >=20 >=20> + if (offset < 0) > >=20 >=20> + memset(data, 0, -offset); > >=20 >=20> xdp->data_meta +=3D offset; > >=20 >=20> xdp->data =3D data; > >=20 >=20> @@ -4239,7 +4241,8 @@ BPF_CALL_2(bpf_xdp_adjust_meta, struct xdp_b= uff *, xdp, int, offset) > >=20 >=20> return -EINVAL; > >=20 >=20> if (unlikely(xdp_metalen_invalid(metalen))) > >=20 >=20> return -EACCES; > >=20 >=20> - > >=20 >=20> + if (offset < 0) > >=20 >=20> + memset(meta, 0, -offset); > >=20 >=20 > Let's make everyone pay a performance penalty to silence > KMSAN warning? > I don't think it's a good trade off. > Soft nack. > It's not just about simply suppressing KMSAN warnings, but for security considerations. So I'd like to confirm: currently, loading an XDP program only requires CAP_NET_ADMIN and CAP_BPF permissions. If we consider this as a super privilege, then even if uninitialized memory is exposed, I think it's oka= y, as it's the developer's responsibility, for example, like the CVE in meta https://vuldb.com/?id.246309. Or I'm thinking, can we rely on the verifier to force the initialization of the newly added packet boundary behavior, specifically for this specia= l case (although it won't be easy to implement).