mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/kernel/bpf
History
Eric Dumazet 5b8662790f bpf: Make sure mac_header was set before using it 
commit 0326195f52 upstream.

Classic BPF has a way to load bytes starting from the mac header.

Some skbs do not have a mac header, and skb_mac_header()
in this case is returning a pointer that 65535 bytes after
skb->head.

Existing range check in bpf_internal_load_pointer_neg_helper()
was properly kicking and no illegal access was happening.

New sanity check in skb_mac_header() is firing, so we need
to avoid it.

WARNING: CPU: 1 PID: 28990 at include/linux/skbuff.h:2785 skb_mac_header include/linux/skbuff.h:2785 [inline]
WARNING: CPU: 1 PID: 28990 at include/linux/skbuff.h:2785 bpf_internal_load_pointer_neg_helper+0x1b1/0x1c0 kernel/bpf/core.c:74
Modules linked in:
CPU: 1 PID: 28990 Comm: syz-executor.0 Not tainted 5.19.0-rc4-syzkaller-00865-g4874fb9484be #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
RIP: 0010:skb_mac_header include/linux/skbuff.h:2785 [inline]
RIP: 0010:bpf_internal_load_pointer_neg_helper+0x1b1/0x1c0 kernel/bpf/core.c:74
Code: ff ff 45 31 f6 e9 5a ff ff ff e8 aa 27 40 00 e9 3b ff ff ff e8 90 27 40 00 e9 df fe ff ff e8 86 27 40 00 eb 9e e8 2f 2c f3 ff <0f> 0b eb b1 e8 96 27 40 00 e9 79 fe ff ff 90 41 57 41 56 41 55 41
RSP: 0018:ffffc9000309f668 EFLAGS: 00010216
RAX: 0000000000000118 RBX: ffffffffffeff00c RCX: ffffc9000e417000
RDX: 0000000000040000 RSI: ffffffff81873f21 RDI: 0000000000000003
RBP: ffff8880842878c0 R08: 0000000000000003 R09: 000000000000ffff
R10: 000000000000ffff R11: 0000000000000001 R12: 0000000000000004
R13: ffff88803ac56c00 R14: 000000000000ffff R15: dffffc0000000000
FS: 00007f5c88a16700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdaa9f6c058 CR3: 000000003a82c000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
____bpf_skb_load_helper_32 net/core/filter.c:276 [inline]
bpf_skb_load_helper_32+0x191/0x220 net/core/filter.c:264

Fixes: f9aefd6b2a ("net: warn if mac header was not set")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20220707123900.945305-1-edumazet@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2022-07-29 17:28:14 +02:00
..
preload bpf: Remove redundant slash 2022-03-07 22:19:32 -08:00
Kconfig bpf: Add "live packet" mode for XDP in BPF_PROG_RUN 2022-03-09 14:19:22 -08:00
Makefile bpf: Prepare relo_core.c for kernel duty. 2021-12-02 11:18:34 -08:00
arraymap.c bpf: generalise tail call map compatibility check 2022-01-21 14:14:03 -08:00
bloom_filter.c bpf: Add missing map_get_next_key method to bloom filter map. 2021-12-29 09:38:31 -08:00
bpf_inode_storage.c bpf: Fix usage of trace RCU in local storage. 2022-06-06 08:48:59 +02:00
bpf_iter.c bpf: Add support for bpf iterator programs to use sleepable helpers 2022-01-24 19:55:40 -08:00
bpf_local_storage.c bpf: Fix usage of trace RCU in local storage. 2022-06-06 08:48:59 +02:00
bpf_lru_list.c bpf_lru_list: Read double-checked variable once without lock 2021-02-10 15:54:26 -08:00
bpf_lru_list.h
bpf_lsm.c bpf-lsm: Make bpf_lsm_kernel_read_file() as sleepable 2022-03-10 18:57:55 -08:00
bpf_struct_ops.c bpf: Rename btf_member accessors. 2021-12-02 11:18:34 -08:00
bpf_struct_ops_types.h bpf: Add dummy BPF STRUCT_OPS for test purpose 2021-11-01 14:10:00 -07:00
bpf_task_storage.c bpf: Fix usage of trace RCU in local storage. 2022-06-06 08:48:59 +02:00
btf.c bpf: Fix calling global functions from BPF_PROG_TYPE_EXT programs 2022-06-25 15:29:47 +02:00
cgroup.c bpf: Move rcu lock management out of BPF_PROG_RUN routines 2022-06-09 10:29:59 +02:00
core.c bpf: Make sure mac_header was set before using it 2022-07-29 17:28:14 +02:00
cpumap.c bpf: generalise tail call map compatibility check 2022-01-21 14:14:03 -08:00
devmap.c bpf: generalise tail call map compatibility check 2022-01-21 14:14:03 -08:00
disasm.c bpf: Relicense disassembler as GPL-2.0-only OR BSD-2-Clause 2021-09-02 14:49:23 +02:00
disasm.h bpf: Relicense disassembler as GPL-2.0-only OR BSD-2-Clause 2021-09-02 14:49:23 +02:00
dispatcher.c
hashtab.c bpf: Cleanup comments 2022-02-23 15:17:51 -08:00
helpers.c bpf: Replace strncpy() with strscpy() 2022-03-07 22:04:33 -08:00
inode.c bpf: Convert bpf_preload.ko to use light skeleton. 2022-02-10 23:31:51 +01:00
local_storage.c bpf: Cleanup comments 2022-02-23 15:17:51 -08:00
lpm_trie.c bpf: Fix typo in a comment in bpf lpm_trie. 2021-12-30 18:42:34 -08:00
map_in_map.c bpf: Remember BTF of inner maps. 2021-07-15 22:31:10 +02:00
map_in_map.h
map_iter.c bpf: Introduce MEM_RDONLY flag 2021-12-18 13:27:41 -08:00
mmap_unlock_work.h bpf: Introduce helper bpf_find_vma 2021-11-07 11:54:51 -08:00
net_namespace.c net: Add includes masked by netdevice.h including uapi/bpf.h 2021-12-29 20:03:05 -08:00
offload.c
percpu_freelist.c bpf: Use raw_spin_trylock() for pcpu_freelist_push/pop in NMI 2020-10-06 00:04:11 +02:00
percpu_freelist.h bpf: Use raw_spin_trylock() for pcpu_freelist_push/pop in NMI 2020-10-06 00:04:11 +02:00
prog_iter.c
queue_stack_maps.c bpf: Eliminate rlimit-based memory accounting for queue_stack_maps maps 2020-12-02 18:32:46 -08:00
reuseport_array.c bpf: Cleanup comments 2022-02-23 15:17:51 -08:00
ringbuf.c bpf: Use VM_MAP instead of VM_ALLOC for ringbuf 2022-02-02 23:15:24 -08:00
stackmap.c bpf: Fix excessive memory allocation in stack_map_alloc() 2022-06-06 08:48:59 +02:00
syscall.c bpf: Add cookie support to programs attached with kprobe multi link 2022-03-17 20:17:19 -07:00
sysfs_btf.c bpf: Load and verify kernel module BTFs 2020-11-10 15:25:53 -08:00
task_iter.c bpf: Introduce btf_tracing_ids 2021-11-12 10:19:09 -08:00
tnum.c bpf, tnums: Provably sound, faster, and more precise algorithm for tnum_mul 2021-06-01 13:34:15 +02:00
trampoline.c bpf: Fix potential array overflow in bpf_trampoline_get_progs() 2022-06-06 08:48:59 +02:00
verifier.c bpf: Fix insufficient bounds propagation from adjust_scalar_min_max_vals 2022-07-12 16:42:13 +02:00