lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Sun, 20 Jan 2019 01:13:53 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Willem de Bruijn <willemdebruijn.kernel@...il.com>,
        netdev@...r.kernel.org
Cc:     ast@...nel.org, kafai@...com, tgraf@...g.ch,
        Willem de Bruijn <willemb@...gle.com>,
        syzbot <syzkaller@...glegroups.com>
Subject: Re: [PATCH net] bpf: in __bpf_redirect_no_mac pull mac only if
 present

On 01/16/2019 02:19 AM, Willem de Bruijn wrote:
> From: Willem de Bruijn <willemb@...gle.com>
> 
> Syzkaller was able to construct a packet of negative length by
> redirecting from bpf_prog_test_run_skb with BPF_PROG_TYPE_LWT_XMIT:
> 
>     BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
>     BUG: KASAN: slab-out-of-bounds in skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
>     BUG: KASAN: slab-out-of-bounds in __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
>     Read of size 4294967282 at addr ffff8801d798009c by task syz-executor2/12942
> 
>     kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
>     check_memory_region_inline mm/kasan/kasan.c:260 [inline]
>     check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
>     memcpy+0x23/0x50 mm/kasan/kasan.c:302
>     memcpy include/linux/string.h:345 [inline]
>     skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
>     __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
>     __pskb_copy include/linux/skbuff.h:1053 [inline]
>     pskb_copy include/linux/skbuff.h:2904 [inline]
>     skb_realloc_headroom+0xe7/0x120 net/core/skbuff.c:1539
>     ipip6_tunnel_xmit net/ipv6/sit.c:965 [inline]
>     sit_tunnel_xmit+0xe1b/0x30d0 net/ipv6/sit.c:1029
>     __netdev_start_xmit include/linux/netdevice.h:4325 [inline]
>     netdev_start_xmit include/linux/netdevice.h:4334 [inline]
>     xmit_one net/core/dev.c:3219 [inline]
>     dev_hard_start_xmit+0x295/0xc90 net/core/dev.c:3235
>     __dev_queue_xmit+0x2f0d/0x3950 net/core/dev.c:3805
>     dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
>     __bpf_tx_skb net/core/filter.c:2016 [inline]
>     __bpf_redirect_common net/core/filter.c:2054 [inline]
>     __bpf_redirect+0x5cf/0xb20 net/core/filter.c:2061
>     ____bpf_clone_redirect net/core/filter.c:2094 [inline]
>     bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2066
>     bpf_prog_41f2bcae09cd4ac3+0xb25/0x1000
> 
> The generated test constructs a packet with mac header, network
> header, skb->data pointing to network header and skb->len 0.
> 
> Redirecting to a sit0 through __bpf_redirect_no_mac pulls the
> mac length, even though skb->data already is at skb->network_header.
> bpf_prog_test_run_skb has already pulled it as LWT_XMIT !is_l2.
> 
> Update the offset calculation to pull only if skb->data differs
> from skb->network_header, which is not true in this case.
> 
> The test itself can be run only from commit 1cf1cae963c2 ("bpf:
> introduce BPF_PROG_TEST_RUN command"), but the same type of packets
> with skb at network header could already be built from lwt xmit hooks,
> so this fix is more relevant to that commit.
> 
> Also set the mac header on redirect from LWT_XMIT, as even after this
> change to __bpf_redirect_no_mac that field is expected to be set, but
> is not yet in ip_finish_output2.
> 
> Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure")
> Reported-by: syzbot <syzkaller@...glegroups.com>
> Signed-off-by: Willem de Bruijn <willemb@...gle.com>

Applied, thanks!

Powered by blists - more mailing lists