From: Greg KH <gregkh@linuxfoundation.org>
To: Zubin Mithra <zsm@chromium.org>
Cc: stable@vger.kernel.org, groeck@chromium.org,
	daniel@iogearbox.net, ast@kernel.org, davem@davemloft.net
Subject: Re: [PATCH v4.4.y] bpf: reject wrong sized filters earlier
Date: Mon, 29 Apr 2019 14:37:33 +0200	[thread overview]
Message-ID: <20190429123733.GA31371@kroah.com> (raw)
In-Reply-To: <20190424180018.15793-1-zsm@chromium.org>

On Wed, Apr 24, 2019 at 11:00:18AM -0700, Zubin Mithra wrote:
> From: Daniel Borkmann <daniel@iogearbox.net>
> 
> commit f7bd9e36ee4a4ce38e1cddd7effe6c0d9943285b upstream
> 
> Add a bpf_check_basics_ok() and reject filters that are of invalid
> size much earlier, so we don't do any useless work such as invoking
> bpf_prog_alloc(). Currently, rejection happens in bpf_check_classic()
> only, but it's really unnecessarily late and they should be rejected
> at the earliest point. While at it, also clean up one bpf_prog_size() to
> make it consistent with the remaining invocations.
> 
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> Acked-by: Alexei Starovoitov <ast@kernel.org>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Zubin Mithra <zsm@chromium.org>
> ---
> Notes:
> * Syzkaller reported a kernel BUG related to a kernel paging request in
>   bpf_prog_create with the following stacktrace when fuzzing a 4.4 kernel.
> Call Trace:
>  [<ffffffff822ac1c8>] bpf_prog_create+0xc8/0x210 net/core/filter.c:1067
>  [<ffffffff82454699>] bpf_mt_check+0xb9/0x120 net/netfilter/xt_bpf.c:31
>  [<ffffffff82437db8>] xt_check_match+0x238/0x730 net/netfilter/x_tables.c:409
>  [<ffffffff82940254>] ebt_check_match net/bridge/netfilter/ebtables.c:380 [inline]
>  [<ffffffff82940254>] ebt_check_entry+0x844/0x1740 net/bridge/netfilter/ebtables.c:709
>  [<ffffffff82946842>] translate_table+0xcb2/0x1e80 net/bridge/netfilter/ebtables.c:946
>  [<ffffffff8294a918>] do_replace_finish+0x6e8/0x1fd0 net/bridge/netfilter/ebtables.c:1002
>  [<ffffffff8294c419>] do_replace+0x219/0x370 net/bridge/netfilter/ebtables.c:1145
>  [<ffffffff8294c649>] do_ebt_set_ctl+0xd9/0x110 net/bridge/netfilter/ebtables.c:1492
>  [<ffffffff8239a87c>] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
>  [<ffffffff8239a87c>] nf_setsockopt+0x6c/0xc0 net/netfilter/nf_sockopt.c:114
>  [<ffffffff825ddeb6>] ip_setsockopt+0xa6/0xc0 net/ipv4/ip_sockglue.c:1226
>  [<ffffffff825fd3c7>] tcp_setsockopt+0x87/0xd0 net/ipv4/tcp.c:2701
>  [<ffffffff8220343a>] sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2690
>  [<ffffffff822006ed>] SYSC_setsockopt net/socket.c:1767 [inline]
>  [<ffffffff822006ed>] SyS_setsockopt+0x15d/0x240 net/socket.c:1746
>  [<ffffffff82a16f9b>] entry_SYSCALL_64_fastpath+0x18/0x94
> 
> * This patch resolves the following conflicts when applying to v4.4.y:
> - __get_filter does not exist in v4.4. Instead the checks are moved into
>   __sk_attach_filter.
> 
> * This patch is present in v4.9.y.
> 
> * Tests run: Chrome OS tryjobs, Syzkaller reproducer

Now queued up, thanks.

greg k-h
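The ordering the patch description argues for (reject a malformed filter header before any allocation or further work is done on it) is easy to see in a small user-space model. The following C program is an added example written for this page; it is not the kernel's code and not part of the patch. The `struct sock_filter` / `struct sock_fprog` layouts mirror the classic BPF user ABI, but `check_basics_ok()`, `prog_size()`, `prog_create()` and the `allocs` counter are assumptions introduced here to show the early-rejection pattern, and the sample filters are constructed inline.

```c
/* Added example (not kernel code): a user-space model of "validate the
 * filter header first, allocate second". Layouts mirror the classic BPF
 * ABI; the helper names are assumptions made for this illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BPF_MAXINSNS 4096   /* classic BPF instruction-count limit */

struct sock_filter {        /* one classic BPF instruction (8 bytes) */
	uint16_t code;
	uint8_t  jt;
	uint8_t  jf;
	uint32_t k;
};

struct sock_fprog {         /* what user space hands to the kernel */
	unsigned short len;
	struct sock_filter *filter;
};

struct bpf_prog {           /* toy stand-in for the kernel program object */
	unsigned int len;
	struct sock_filter insns[];
};

/* Header sanity: a NULL instruction pointer or an impossible instruction
 * count is rejected here, before anything is allocated or copied. */
static bool check_basics_ok(const struct sock_filter *filter, unsigned int flen)
{
	if (filter == NULL)
		return false;
	if (flen == 0 || flen > BPF_MAXINSNS)
		return false;
	return true;
}

/* Bytes needed for a program of flen instructions (header + insns). */
static size_t prog_size(unsigned int flen)
{
	return offsetof(struct bpf_prog, insns) + flen * sizeof(struct sock_filter);
}

/* Returns 0 and sets *out on success, -EINVAL for a bad header, -ENOMEM
 * on allocation failure. *allocs counts allocator calls so a test can
 * confirm that rejected filters never reach the allocator. */
static int prog_create(const struct sock_fprog *fprog, struct bpf_prog **out, int *allocs)
{
	if (!check_basics_ok(fprog->filter, fprog->len))
		return -EINVAL;          /* rejected before doing any real work */

	(*allocs)++;
	struct bpf_prog *fp = malloc(prog_size(fprog->len));
	if (!fp)
		return -ENOMEM;
	fp->len = fprog->len;
	memcpy(fp->insns, fprog->filter, fprog->len * sizeof(struct sock_filter));
	*out = fp;
	return 0;
}

/* Drives the model with one valid filter (a single RET 0) and three
 * malformed headers: zero length, NULL pointer, and len > BPF_MAXINSNS.
 * Returns the number of allocations performed, which should be exactly 1,
 * or a negative code if any case behaves unexpectedly. */
static int run_demo(void)
{
	/* constructed sample instruction: BPF_RET|BPF_K, k = 0 */
	struct sock_filter ret0 = { .code = 0x06, .jt = 0, .jf = 0, .k = 0 };
	struct sock_fprog good = { .len = 1, .filter = &ret0 };
	struct sock_fprog zero = { .len = 0, .filter = &ret0 };
	struct sock_fprog null = { .len = 1, .filter = NULL };
	struct sock_fprog big  = { .len = BPF_MAXINSNS + 1, .filter = &ret0 };
	struct bpf_prog *fp = NULL;
	int allocs = 0;

	if (prog_create(&good, &fp, &allocs) != 0)
		return -1;
	free(fp);
	if (prog_create(&zero, &fp, &allocs) != -EINVAL)
		return -2;
	if (prog_create(&null, &fp, &allocs) != -EINVAL)
		return -3;
	if (prog_create(&big, &fp, &allocs) != -EINVAL)
		return -4;
	return allocs;
}

int main(void)
{
	printf("allocations performed: %d (expected 1)\n", run_demo());
	return 0;
}
```

The point of the model is the placement of `check_basics_ok()` at the very top of `prog_create()`: the three bad headers return `-EINVAL` without incrementing `allocs`, so the allocator and the copy are only ever reached with a length that makes `prog_size()` meaningful.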
