| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220617071855.2482-1-zhudi2@huawei.com>
Date: Fri, 17 Jun 2022 15:18:55 +0800
From: Di Zhu <zhudi2@...wei.com>
To: <ast@...nel.org>, <edumazet@...gle.com>, <daniel@...earbox.net>,
<andrii@...nel.org>, <yhs@...com>, <davem@...emloft.net>
CC: <netdev@...r.kernel.org>, <bpf@...r.kernel.org>,
<zhudi2@...wei.com>, <rose.chen@...wei.com>,
<syzbot+7a12909485b94426aceb@...kaller.appspotmail.com>
Subject: [PATCH] bpf: Don't redirect packets with pkt_len 0
Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any
skbs, that is, the flow->head is null.
The root cause, as the [2] says, is because that bpf_prog_test_run_skb()
run a bpf prog which redirects empty skbs.
So we should determine whether the length of the packet modified by bpf
prog or others like bpf_prog_test is 0 before forwarding it directly.
LINK: [1] https://syzkaller.appspot.com/bug?id=0b84da80c2917757915afa89f7738a9d16ec96c5
LINK: [2] https://www.spinics.net/lists/netdev/msg777503.html
Reported-by: syzbot+7a12909485b94426aceb@...kaller.appspotmail.com
Signed-off-by: Di Zhu <zhudi2@...wei.com>
---
net/core/filter.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index 5af58eb48587..c7fbfa90898a 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2156,6 +2156,9 @@ static int __bpf_redirect_common(struct sk_buff *skb, struct net_device *dev,
static int __bpf_redirect(struct sk_buff *skb, struct net_device *dev,
u32 flags)
{
+ if (unlikely(skb->len == 0))
+ return -EINVAL;
+
if (dev_is_mac_header_xmit(dev))
return __bpf_redirect_common(skb, dev, flags);
else
--
2.27.0
Powered by blists - more mailing lists