[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230809155538.67000-1-kuniyu@amazon.com>
Date: Wed, 9 Aug 2023 08:55:38 -0700
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <lmb@...valent.com>
CC: <bpf@...r.kernel.org>, <daniel@...earbox.net>,
<davem@...emloft.net>, <edumazet@...gle.com>, <kuba@...nel.org>,
<kuniyu@...zon.com>, <linux-kernel@...r.kernel.org>,
<martin.lau@...nel.org>, <martin.lau@...ux.dev>,
<memxor@...il.com>, <netdev@...r.kernel.org>, <pabeni@...hat.com>
Subject: Re: [PATCH bpf-next] net: Fix slab-out-of-bounds in inet[6]_steal_sock
From: Lorenz Bauer <lmb@...valent.com>
Date: Wed, 9 Aug 2023 16:08:31 +0100
> On Wed, Aug 9, 2023 at 3:39 PM Martin KaFai Lau <martin.lau@...ux.dev> wrote:
> >
> > On 8/9/23 1:33 AM, Lorenz Bauer wrote:
> > > Kumar reported a KASAN splat in tcp_v6_rcv:
> > >
> > > bash-5.2# ./test_progs -t btf_skc_cls_ingress
> > > ...
> > > [ 51.810085] BUG: KASAN: slab-out-of-bounds in tcp_v6_rcv+0x2d7d/0x3440
> > > [ 51.810458] Read of size 2 at addr ffff8881053f038c by task test_progs/226
> > >
> > > The problem is that inet[6]_steal_sock accesses sk->sk_protocol without
> > > accounting for request sockets. I added the check to ensure that we only
> > > every try to perform a reuseport lookup on a supported socket.
> > >
> > > It turns out that this isn't necessary at all. struct sock_common contains
> > > a skc_reuseport flag which indicates whether a socket is part of a
> >
> > Does it go back to the earlier discussion
> > (https://lore.kernel.org/bpf/7188429a-c380-14c8-57bb-9d05d3ba4e5e@linux.dev/)
> > that the sk->sk_reuseport is 1 from sk_clone for TCP_ESTABLISHED? It works
> > because there is sk->sk_reuseport"_cb" check going deeper into
> > reuseport_select_sock() but there is an extra inet6_ehashfn for all TCP_ESTABLISHED.
>
> Sigh, I'd forgotten about this...
>
> For the TPROXY TCP replacement use case we sk_assign the SYN to the
> listener, which creates the reqsk. We can let follow up packets pass
> without sk_assign since they will match the reqsk and convert to a
> fullsock via the usual route. At least that is what the test does. I'm
> not even sure what it means to redirect a random packet into an
> established TCP socket TBH. It'd probably be dropped?
>
> For UDP, I'm not sure whether we even get into this situation? Doesn't
> seem like UDP sockets are cloned from each other, so we also shouldn't
> end up with a reuseport flag set erroneously.
>
> Things we could do if necessary:
> 1. Reset the flag in inet_csk_clone_lock like we do for SOCK_RCU_FREE
I think we can't do this as sk_reuseport is inherited to twsk and used
in inet_bind_conflict().
> 2. Duplicate the cb check into inet[6]_steal_sock
or 3. Add sk_fullsock() test ?
Powered by blists - more mailing lists