lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 15 Mar 2022 20:39:16 +0800
From:   Liu Jian <liujian56@...wei.com>
To:     <ast@...nel.org>, <daniel@...earbox.net>, <andrii@...nel.org>,
        <kafai@...com>, <songliubraving@...com>, <yhs@...com>,
        <john.fastabend@...il.com>, <kpsingh@...nel.org>,
        <davem@...emloft.net>, <kuba@...nel.org>, <sdf@...gle.com>,
        <netdev@...r.kernel.org>, <bpf@...r.kernel.org>
CC:     <liujian56@...wei.com>
Subject: [PATCH bpf-next] net: Use skb->len to check the validity of the parameters in bpf_skb_load_bytes

The data length of skb frags + frag_list may be greater than 0xffff,
so here use skb->len to check the validity of the parameters.

And modify bpf_flow_dissector_load_bytes and bpf_skb_load_bytes_relative
in the same way.

Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper")
Fixes: 4e1ec56cdc59 ("bpf: add skb_load_bytes_relative helper")
Fixes: 089b19a9204f ("flow_dissector: switch kernel context to struct bpf_flow_dissector")
Signed-off-by: Liu Jian <liujian56@...wei.com>
---
 net/core/filter.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 9eb785842258..61c353caf141 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1722,7 +1722,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset,
 {
 	void *ptr;
 
-	if (unlikely(offset > 0xffff))
+	if (unlikely(offset >= skb->len))
 		goto err_clear;
 
 	ptr = skb_header_pointer(skb, offset, len, to);
@@ -1753,10 +1753,10 @@ BPF_CALL_4(bpf_flow_dissector_load_bytes,
 {
 	void *ptr;
 
-	if (unlikely(offset > 0xffff))
+	if (unlikely(!ctx->skb))
 		goto err_clear;
 
-	if (unlikely(!ctx->skb))
+	if (unlikely(offset >= ctx->skb->len))
 		goto err_clear;
 
 	ptr = skb_header_pointer(ctx->skb, offset, len, to);
@@ -1787,7 +1787,7 @@ BPF_CALL_5(bpf_skb_load_bytes_relative, const struct sk_buff *, skb,
 	u8 *end = skb_tail_pointer(skb);
 	u8 *start, *ptr;
 
-	if (unlikely(offset > 0xffff))
+	if (unlikely(offset >= skb->len))
 		goto err_clear;
 
 	switch (start_header) {
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ