| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190117233236.h4nfvqwvlb4l6rwx@kafai-mbp.dhcp.thefacebook.com>
Date: Thu, 17 Jan 2019 23:32:38 +0000
From: Martin Lau <kafai@...com>
To: Willem de Bruijn <willemdebruijn.kernel@...il.com>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"ast@...nel.org" <ast@...nel.org>,
"daniel@...earbox.net" <daniel@...earbox.net>,
"tgraf@...g.ch" <tgraf@...g.ch>,
Willem de Bruijn <willemb@...gle.com>,
syzbot <syzkaller@...glegroups.com>
Subject: Re: [PATCH net] bpf: in __bpf_redirect_no_mac pull mac only if
present
On Tue, Jan 15, 2019 at 08:19:22PM -0500, Willem de Bruijn wrote:
> From: Willem de Bruijn <willemb@...gle.com>
>
> Syzkaller was able to construct a packet of negative length by
> redirecting from bpf_prog_test_run_skb with BPF_PROG_TYPE_LWT_XMIT:
>
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
> BUG: KASAN: slab-out-of-bounds in skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
> BUG: KASAN: slab-out-of-bounds in __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
> Read of size 4294967282 at addr ffff8801d798009c by task syz-executor2/12942
>
> kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
> check_memory_region_inline mm/kasan/kasan.c:260 [inline]
> check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
> memcpy+0x23/0x50 mm/kasan/kasan.c:302
> memcpy include/linux/string.h:345 [inline]
> skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
> __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
> __pskb_copy include/linux/skbuff.h:1053 [inline]
> pskb_copy include/linux/skbuff.h:2904 [inline]
> skb_realloc_headroom+0xe7/0x120 net/core/skbuff.c:1539
> ipip6_tunnel_xmit net/ipv6/sit.c:965 [inline]
> sit_tunnel_xmit+0xe1b/0x30d0 net/ipv6/sit.c:1029
> __netdev_start_xmit include/linux/netdevice.h:4325 [inline]
> netdev_start_xmit include/linux/netdevice.h:4334 [inline]
> xmit_one net/core/dev.c:3219 [inline]
> dev_hard_start_xmit+0x295/0xc90 net/core/dev.c:3235
> __dev_queue_xmit+0x2f0d/0x3950 net/core/dev.c:3805
> dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
> __bpf_tx_skb net/core/filter.c:2016 [inline]
> __bpf_redirect_common net/core/filter.c:2054 [inline]
> __bpf_redirect+0x5cf/0xb20 net/core/filter.c:2061
> ____bpf_clone_redirect net/core/filter.c:2094 [inline]
> bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2066
> bpf_prog_41f2bcae09cd4ac3+0xb25/0x1000
>
> The generated test constructs a packet with mac header, network
> header, skb->data pointing to network header and skb->len 0.
>
> Redirecting to a sit0 through __bpf_redirect_no_mac pulls the
> mac length, even though skb->data already is at skb->network_header.
> bpf_prog_test_run_skb has already pulled it as LWT_XMIT !is_l2.
>
> Update the offset calculation to pull only if skb->data differs
> from skb->network_header, which is not true in this case.
>
> The test itself can be run only from commit 1cf1cae963c2 ("bpf:
> introduce BPF_PROG_TEST_RUN command"), but the same type of packets
> with skb at network header could already be built from lwt xmit hooks,
> so this fix is more relevant to that commit.
>
> Also set the mac header on redirect from LWT_XMIT, as even after this
> change to __bpf_redirect_no_mac that field is expected to be set, but
> is not yet in ip_finish_output2.
LGTM.
Acked-by: Martin KaFai Lau <kafai@...com>
Powered by blists - more mailing lists