lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6acbbf63-ba10-4a66-5e31-b9a499f79489@linux.dev>
Date: Wed, 9 Aug 2023 07:39:28 -0700
From: Martin KaFai Lau <martin.lau@...ux.dev>
To: Lorenz Bauer <lmb@...valent.com>, "David S. Miller"
 <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
 Daniel Borkmann <daniel@...earbox.net>, Kuniyuki Iwashima
 <kuniyu@...zon.com>, Martin KaFai Lau <martin.lau@...nel.org>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
 bpf@...r.kernel.org, Kumar Kartikeya Dwivedi <memxor@...il.com>
Subject: Re: [PATCH bpf-next] net: Fix slab-out-of-bounds in
 inet[6]_steal_sock

On 8/9/23 1:33 AM, Lorenz Bauer wrote:
> Kumar reported a KASAN splat in tcp_v6_rcv:
> 
>    bash-5.2# ./test_progs -t btf_skc_cls_ingress
>    ...
>    [   51.810085] BUG: KASAN: slab-out-of-bounds in tcp_v6_rcv+0x2d7d/0x3440
>    [   51.810458] Read of size 2 at addr ffff8881053f038c by task test_progs/226
> 
> The problem is that inet[6]_steal_sock accesses sk->sk_protocol without
> accounting for request sockets. I added the check to ensure that we only
> every try to perform a reuseport lookup on a supported socket.
> 
> It turns out that this isn't necessary at all. struct sock_common contains
> a skc_reuseport flag which indicates whether a socket is part of a

Does it go back to the earlier discussion 
(https://lore.kernel.org/bpf/7188429a-c380-14c8-57bb-9d05d3ba4e5e@linux.dev/) 
that the sk->sk_reuseport is 1 from sk_clone for TCP_ESTABLISHED? It works 
because there is sk->sk_reuseport"_cb" check going deeper into 
reuseport_select_sock() but there is an extra inet6_ehashfn for all TCP_ESTABLISHED.

> reuseport group. inet[6]_lookup_reuseport already check this flag,
> so we can't execute an erroneous reuseport lookup by definition.
> 
> Remove the unnecessary assertions to fix the out of bounds access.
> 
> Fixes: 9c02bec95954 ("bpf, net: Support SO_REUSEPORT sockets with bpf_sk_assign")
> Reported-by: Kumar Kartikeya Dwivedi <memxor@...il.com>
> Signed-off-by: Lorenz Bauer <lmb@...valent.com>
> ---
>   include/net/inet6_hashtables.h | 10 ----------
>   include/net/inet_hashtables.h  | 10 ----------
>   2 files changed, 20 deletions(-)
> 
> diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h
> index 284b5ce7205d..f9907ed36d54 100644
> --- a/include/net/inet6_hashtables.h
> +++ b/include/net/inet6_hashtables.h
> @@ -119,16 +119,6 @@ struct sock *inet6_steal_sock(struct net *net, struct sk_buff *skb, int doff,
>   	if (!prefetched)
>   		return sk;
>   
> -	if (sk->sk_protocol == IPPROTO_TCP) {
> -		if (sk->sk_state != TCP_LISTEN)
> -			return sk;
> -	} else if (sk->sk_protocol == IPPROTO_UDP) {
> -		if (sk->sk_state != TCP_CLOSE)
> -			return sk;
> -	} else {
> -		return sk;
> -	}
> -
>   	reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff,
>   					  saddr, sport, daddr, ntohs(dport),
>   					  ehashfn);
> diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
> index 1177effabed3..57a46993383a 100644
> --- a/include/net/inet_hashtables.h
> +++ b/include/net/inet_hashtables.h
> @@ -465,16 +465,6 @@ struct sock *inet_steal_sock(struct net *net, struct sk_buff *skb, int doff,
>   	if (!prefetched)
>   		return sk;
>   
> -	if (sk->sk_protocol == IPPROTO_TCP) {
> -		if (sk->sk_state != TCP_LISTEN)
> -			return sk;
> -	} else if (sk->sk_protocol == IPPROTO_UDP) {
> -		if (sk->sk_state != TCP_CLOSE)
> -			return sk;
> -	} else {
> -		return sk;
> -	}
> -
>   	reuse_sk = inet_lookup_reuseport(net, sk, skb, doff,
>   					 saddr, sport, daddr, ntohs(dport),
>   					 ehashfn);
> 
> ---
> base-commit: eb62e6aef940fcb1879100130068369d4638088f
> change-id: 20230808-bpf-next-a442a095562b
> 
> Best regards,


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ