From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@plumgrid.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.2 13/54] bpf: fix panic in SO_GET_FILTER with native ebpf programs
Date: Fri, 23 Oct 2015 10:44:49 -0700 [thread overview]
Message-ID: <20151023174519.498222930@linuxfoundation.org> (raw)
In-Reply-To: <20151023174519.086915553@linuxfoundation.org>
4.2-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit 93d08b6966cf730ea669d4d98f43627597077153 ]
When sockets have a native eBPF program attached through
setsockopt(sk, SOL_SOCKET, SO_ATTACH_BPF, ...), and then try to
dump these over getsockopt(sk, SOL_SOCKET, SO_GET_FILTER, ...),
the following panic appears:
[49904.178642] BUG: unable to handle kernel NULL pointer dereference at (null)
[49904.178762] IP: [<ffffffff81610fd9>] sk_get_filter+0x39/0x90
[49904.182000] PGD 86fc9067 PUD 531a1067 PMD 0
[49904.185196] Oops: 0000 [#1] SMP
[...]
[49904.224677] Call Trace:
[49904.226090] [<ffffffff815e3d49>] sock_getsockopt+0x319/0x740
[49904.227535] [<ffffffff812f59e3>] ? sock_has_perm+0x63/0x70
[49904.228953] [<ffffffff815e2fc8>] ? release_sock+0x108/0x150
[49904.230380] [<ffffffff812f5a43>] ? selinux_socket_getsockopt+0x23/0x30
[49904.231788] [<ffffffff815dff36>] SyS_getsockopt+0xa6/0xc0
[49904.233267] [<ffffffff8171b9ae>] entry_SYSCALL_64_fastpath+0x12/0x71
The underlying issue is the very same as in commit b382c0865600
("sock, diag: fix panic in sock_diag_put_filterinfo"), that is,
native eBPF programs don't store an original program since this
is only needed in cBPF ones.
However, sk_get_filter() wasn't updated to test for this at the
time when eBPF could be attached. Just throw an error to the user
to indicate that eBPF cannot be dumped over this interface.
That way, it can also be known that a program _is_ attached (as
opposed to just return 0), and a different (future) method needs
to be consulted for a dump.
Fixes: 89aa075832b0 ("net: sock: allow eBPF programs to be attached to sockets")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/filter.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1701,9 +1701,13 @@ int sk_get_filter(struct sock *sk, struc
goto out;
/* We're copying the filter that has been originally attached,
- * so no conversion/decode needed anymore.
+ * so no conversion/decode needed anymore. eBPF programs that
+ * have no original program cannot be dumped through this.
*/
+ ret = -EACCES;
fprog = filter->prog->orig_prog;
+ if (!fprog)
+ goto out;
ret = fprog->len;
if (!len)
next prev parent reply other threads:[~2015-10-23 17:44 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-23 17:44 [PATCH 4.2 00/54] 4.2.5-stable review Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 01/54] net/ibm/emac: bump version numbers for correct work with ethtool Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 02/54] l2tp: protect tunnel->del_work by ref_count Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 03/54] af_unix: Convert the unix_sk macro to an inline function for type safety Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 04/54] af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 05/54] net/unix: fix logic about sk_peek_offset Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 06/54] skbuff: Fix skb checksum flag on skb pull Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 07/54] skbuff: Fix skb checksum partial check Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 08/54] net: dsa: fix preparation of a port STP update Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 09/54] inet: fix races in reqsk_queue_hash_req() Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 10/54] net: add pfmemalloc check in sk_add_backlog() Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 11/54] ppp: dont override sk->sk_state in pppoe_flush_dev() Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 12/54] inet: fix race in reqsk_queue_unlink() Greg Kroah-Hartman
2015-10-23 17:44 ` Greg Kroah-Hartman [this message]
2015-10-23 17:44 ` [PATCH 4.2 14/54] ovs: do not allocate memory from offline numa node Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 15/54] act_mirred: clear sender cpu before sending to tx Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 16/54] bpf: clear sender_cpu before xmit Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 17/54] ipv6: Dont call with rt6_uncached_list_flush_dev Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 18/54] ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 19/54] tipc: move fragment importance field to new header position Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 20/54] netlink: Trim skb to alloc size to avoid MSG_TRUNC Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 21/54] drm: Fix locking for sysfs dpms file Greg Kroah-Hartman
2015-10-23 17:44 ` [PATCH 4.2 22/54] crypto: sparc - initialize blkcipher.ivsize Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 24/54] crypto: ahash - ensure statesize is non-zero Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 25/54] memcg: convert threshold to bytes Greg Kroah-Hartman
2015-10-24 5:46 ` Ben Hutchings
2015-10-25 16:32 ` Michal Hocko
2015-10-27 10:31 ` Michal Hocko
2015-10-23 17:45 ` [PATCH 4.2 26/54] btrfs: check unsupported filters in balance arguments Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 27/54] btrfs: fix use after free iterating extrefs Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 28/54] arm64: errata: use KBUILD_CFLAGS_MODULE for erratum #843419 Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 29/54] ARM: ux500: simplify secondary CPU boot Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 30/54] nfsd/blocklayout: accept any minlength Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 31/54] mfd: max77843: Fix max77843_chg_init() return on error Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 32/54] i2c: rcar: enable RuntimePM before registering to the core Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 33/54] i2c: s3c2410: " Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 34/54] i2c: designware: Do not use parameters from ACPI on Dell Inspiron 7348 Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 35/54] i2c: designware-platdrv: enable RuntimePM before registering to the core Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 36/54] workqueue: make sure delayed work run in local cpu Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 38/54] KVM: x86: fix SMI to halted VCPU Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 39/54] KVM: x86: fix RSM into 64-bit protected mode Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 40/54] drm/qxl: fix framebuffer dirty rectangle tracking Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 41/54] drm/nouveau/fbcon: take runpm reference when userspace has an open fd Greg Kroah-Hartman
2015-10-24 6:12 ` Ben Hutchings
2015-10-23 17:45 ` [PATCH 4.2 42/54] drm/dp/mst: make mst i2c transfer code more robust Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 43/54] drm/radeon: attach tile property to mst connector Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 44/54] drm/radeon: add pm sysfs files late Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 45/54] drm/amdgpu: " Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 46/54] drm/amdgpu: fix num_crtc on CZ Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 49/54] dm thin: fix missing pool reference count decrement in pool_ctr error path Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 50/54] rbd: fix double free on rbd_dev->header_name Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 51/54] timekeeping: Increment clock_was_set_seq in timekeeping_init() Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 53/54] arm64: Fix THP protection change logic Greg Kroah-Hartman
2015-10-23 17:45 ` [PATCH 4.2 54/54] svcrdma: handle rdma read with a non-zero initial page offset Greg Kroah-Hartman
2015-10-23 21:54 ` [PATCH 4.2 00/54] 4.2.5-stable review Shuah Khan
2015-10-23 23:22 ` Greg Kroah-Hartman
2015-10-24 2:04 ` Guenter Roeck
2015-10-24 13:20 ` Greg Kroah-Hartman
[not found] ` <562ba038.8608b40a.39b42.ffffbb49@mx.google.com>
2015-10-24 15:18 ` Kevin Hilman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151023174519.498222930@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ast@plumgrid.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).