lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 9 Aug 2023 10:12:29 -0700
From: Martin KaFai Lau <martin.lau@...ux.dev>
To: Kuniyuki Iwashima <kuniyu@...zon.com>, lmb@...valent.com
Cc: bpf@...r.kernel.org, daniel@...earbox.net, davem@...emloft.net,
 edumazet@...gle.com, kuba@...nel.org, linux-kernel@...r.kernel.org,
 martin.lau@...nel.org, memxor@...il.com, netdev@...r.kernel.org,
 pabeni@...hat.com
Subject: Re: [PATCH bpf-next] net: Fix slab-out-of-bounds in
 inet[6]_steal_sock

On 8/9/23 8:55 AM, Kuniyuki Iwashima wrote:
> From: Lorenz Bauer <lmb@...valent.com>
> Date: Wed, 9 Aug 2023 16:08:31 +0100
>> On Wed, Aug 9, 2023 at 3:39 PM Martin KaFai Lau <martin.lau@...ux.dev> wrote:
>>>
>>> On 8/9/23 1:33 AM, Lorenz Bauer wrote:
>>>> Kumar reported a KASAN splat in tcp_v6_rcv:
>>>>
>>>>     bash-5.2# ./test_progs -t btf_skc_cls_ingress
>>>>     ...
>>>>     [   51.810085] BUG: KASAN: slab-out-of-bounds in tcp_v6_rcv+0x2d7d/0x3440
>>>>     [   51.810458] Read of size 2 at addr ffff8881053f038c by task test_progs/226
>>>>
>>>> The problem is that inet[6]_steal_sock accesses sk->sk_protocol without
>>>> accounting for request sockets. I added the check to ensure that we only
>>>> every try to perform a reuseport lookup on a supported socket.
>>>>
>>>> It turns out that this isn't necessary at all. struct sock_common contains
>>>> a skc_reuseport flag which indicates whether a socket is part of a
>>>
>>> Does it go back to the earlier discussion
>>> (https://lore.kernel.org/bpf/7188429a-c380-14c8-57bb-9d05d3ba4e5e@linux.dev/)
>>> that the sk->sk_reuseport is 1 from sk_clone for TCP_ESTABLISHED? It works
>>> because there is sk->sk_reuseport"_cb" check going deeper into
>>> reuseport_select_sock() but there is an extra inet6_ehashfn for all TCP_ESTABLISHED.
>>
>> Sigh, I'd forgotten about this...
>>
>> For the TPROXY TCP replacement use case we sk_assign the SYN to the
>> listener, which creates the reqsk. We can let follow up packets pass
>> without sk_assign since they will match the reqsk and convert to a
>> fullsock via the usual route. At least that is what the test does. I'm
>> not even sure what it means to redirect a random packet into an
>> established TCP socket TBH. It'd probably be dropped?

It could act like an earlier early-demux for established sk? If the bpf prog has 
already looked up an established sk for other needs (eg. reading the sk local 
storage), it may as well bpf_sk_assign it to the skb. I don't have a use case 
for that but I also don't see why it won't work also.

>>
>> For UDP, I'm not sure whether we even get into this situation? Doesn't
>> seem like UDP sockets are cloned from each other, so we also shouldn't
>> end up with a reuseport flag set erroneously.
>>
>> Things we could do if necessary:
>> 1. Reset the flag in inet_csk_clone_lock like we do for SOCK_RCU_FREE
> 
> I think we can't do this as sk_reuseport is inherited to twsk and used
> in inet_bind_conflict().
> 
> 
>> 2. Duplicate the cb check into inet[6]_steal_sock
> 
> or 3. Add sk_fullsock() test ?

yeah, probably adding sk_fullsock() is needed, may be something like(?):

	if (!prefetched || !sk_fullsock(sk))
                 return sk;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ