Message-Id: <1701252962-63418-1-git-send-email-alibuda@linux.alibaba.com>
Date: Wed, 29 Nov 2023 18:16:02 +0800
From: "D. Wythe" <alibuda@...ux.alibaba.com>
To: pablo@...filter.org,
kadlec@...filter.org,
fw@...len.de
Cc: bpf@...r.kernel.org,
linux-kernel@...r.kernel.org,
netdev@...r.kernel.org,
coreteam@...filter.org,
netfilter-devel@...r.kernel.org,
davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
ast@...nel.org
Subject: [PATCH net] net/netfilter: bpf: avoid leakage of skb
A malicious eBPF program can interrupt the subsequent processing of
a skb by returning an exceptional retval, and no one will be responsible
for releasing the very skb.

Moreover, normal programs can also have the demand to return NF_STOLEN;
usually, the hook needs to take responsibility for releasing this skb
itself, but currently there is no such helper function to achieve that.
Ignoring NF_STOLEN will also lead to skb leakage.
Fixes: fd9c663b9ad6 ("bpf: minimal support for programs hooked into netfilter framework")
Signed-off-by: D. Wythe <alibuda@...ux.alibaba.com>
---
net/netfilter/nf_bpf_link.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
index e502ec0..03c47d6 100644
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -12,12 +12,29 @@ static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb,
const struct nf_hook_state *s)
{
const struct bpf_prog *prog = bpf_prog;
+ unsigned int verdict;
struct bpf_nf_ctx ctx = {
.state = s,
.skb = skb,
};
- return bpf_prog_run(prog, &ctx);
+ verdict = bpf_prog_run(prog, &ctx);
+ switch (verdict) {
+ case NF_STOLEN:
+ consume_skb(skb);
+ fallthrough;
+ case NF_ACCEPT:
+ case NF_DROP:
+ case NF_QUEUE:
+ /* restrict the retval of the ebpf programs */
+ break;
+ default:
+ /* force it to be dropped */
+ verdict = NF_DROP_ERR(-EINVAL);
+ break;
+ }
+
+ return verdict;
}
struct bpf_nf_link {
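Review bot: the new `switch (verdict)` compares the whole 32-bit value, so a verdict with anything in its upper 16 bits (an NF_DROP carrying an errno via NF_DROP_ERR(), or an NF_QUEUE with a queue number via NF_QUEUE_NR()) never reaches the NF_DROP/NF_QUEUE labels and is rewritten to NF_DROP_ERR(-EINVAL) in `default:`, silently discarding the errno or queue number; match on `verdict & NF_VERDICT_MASK` instead, the way nf_hook_slow() does, and return the original value unchanged for the allowed verdicts. In the NF_STOLEN arm, `consume_skb(skb)` reports the packet as consumed rather than dropped, so it is invisible to the kfree_skb tracepoint that drop monitors watch; since the hook is freeing on behalf of a program that had no way to take the skb anywhere, kfree_skb_reason() with an explicit reason would be more observable, and the commit message should spell out that NF_STOLEN from a BPF program here means "free it for me". Finally, the changelog should state which return values the verifier already permits for BPF_PROG_TYPE_NETFILTER programs: if it bounds the retval, the NF_STOLEN and `default:` arms are dead code and the claim that a malicious program can return an arbitrary value needs to be revised.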
--
1.8.3.1
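As an added illustration of the ownership question the patch raises (constructed example code, not the kernel's and not the author's), the following userspace model copies the netfilter verdict encoding from include/uapi/linux/netfilter.h and runs a few program return values through three variants of the hook: no checking at all, the switch as posted above, and the same switch matching only the verdict byte. `fake_skb`, `sanitize_verdict`, `core_after_hook` and `skb_leaks` are stand-ins I made up for this example; `core_after_hook` follows nf_hook_slow() only as far as who ends up owning the skb.

```c
/*
 * Userspace model of how a netfilter hook's verdict decides who owns the
 * skb. Added example, not kernel code: the NF_* values and the
 * NF_DROP_ERR / NF_QUEUE_NR / NF_VERDICT_MASK encoding are those of
 * include/uapi/linux/netfilter.h; fake_skb, sanitize_verdict,
 * core_after_hook and skb_leaks are constructed stand-ins.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE  3
#define NF_REPEAT 4

#define NF_VERDICT_MASK  0x000000ff
#define NF_VERDICT_QMASK 0xffff0000
#define NF_VERDICT_QBITS 16
#define NF_QUEUE_NR(x)   ((((x) << 16) & NF_VERDICT_QMASK) | NF_QUEUE)
#define NF_DROP_ERR(x)   (((-x) << 16) | NF_DROP)

/* Stand-in for struct sk_buff that only records whether it was freed. */
struct fake_skb { bool freed; };

static void fake_kfree_skb(struct fake_skb *skb) { skb->freed = true; }

/* Errno carried in an NF_DROP verdict, recovered as nf_hook_slow() does:
 * a plain NF_DROP with nothing in the upper bits reports -EPERM. */
int nf_drop_geterr(unsigned int verdict)
{
	int err = -(int)((verdict & NF_VERDICT_QMASK) >> NF_VERDICT_QBITS);
	return err ? err : -EPERM;
}

enum sanitize_mode {
	SANITIZE_NONE,     /* pre-patch: program verdict passed through as is */
	SANITIZE_UNMASKED, /* the patch as posted: switch on the full value */
	SANITIZE_MASKED,   /* same policy, but matching the verdict byte only */
};

unsigned int sanitize_verdict(unsigned int verdict, enum sanitize_mode mode,
			      struct fake_skb *skb)
{
	unsigned int key;

	if (mode == SANITIZE_NONE)
		return verdict;
	key = (mode == SANITIZE_MASKED) ? (verdict & NF_VERDICT_MASK) : verdict;

	switch (key) {
	case NF_STOLEN:
		/* the program has no helper to free the skb, so the hook does */
		fake_kfree_skb(skb);
		return NF_STOLEN;
	case NF_ACCEPT:
	case NF_DROP:
	case NF_QUEUE:
		return verdict;	/* upper bits (errno, queue number) preserved */
	default:
		return NF_DROP_ERR(-EINVAL);
	}
}

/* What the caller does with the hook's verdict, modelled on nf_hook_slow():
 * NF_DROP is freed here with its errno; NF_STOLEN and NF_QUEUE mean the hook
 * or nfnetlink_queue now owns the skb; NF_ACCEPT passes it on. An unknown
 * verdict is not freed by the core, which is the leak the patch describes.
 * Returns 1 to continue, 0 if the skb was taken, <0 if it was dropped. */
int core_after_hook(unsigned int verdict, struct fake_skb *skb)
{
	switch (verdict & NF_VERDICT_MASK) {
	case NF_ACCEPT:
		return 1;
	case NF_DROP:
		fake_kfree_skb(skb);
		return nf_drop_geterr(verdict);
	case NF_STOLEN:
	case NF_QUEUE:
		return 0;
	default:
		return 0;	/* nobody frees the skb */
	}
}

/* Run one raw program verdict through sanitizer and core; report whether
 * the skb ends up unaccounted for, and what the core returns via *ret. */
bool skb_leaks(unsigned int raw, enum sanitize_mode mode, int *ret)
{
	struct fake_skb skb = { .freed = false };
	unsigned int v = sanitize_verdict(raw, mode, &skb);
	unsigned int byte = v & NF_VERDICT_MASK;

	*ret = core_after_hook(v, &skb);
	/* accept and queue legitimately leave the skb alive and owned */
	return !skb.freed && byte != NF_ACCEPT && byte != NF_QUEUE;
}

int main(void)
{
	static const char *names[] = { "none", "unmasked", "masked" };
	/* constructed sample verdicts a program might return */
	const unsigned int samples[] = { NF_ACCEPT, NF_DROP, NF_STOLEN, NF_REPEAT,
					 NF_DROP_ERR(-EPERM), NF_QUEUE_NR(3), 0xdeadbeef };

	for (int m = SANITIZE_NONE; m <= SANITIZE_MASKED; m++)
		for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
			int ret;
			bool leak = skb_leaks(samples[i], (enum sanitize_mode)m, &ret);
			printf("%-8s raw=0x%08x ret=%d leak=%s\n", names[m],
			       samples[i], ret, leak ? "yes" : "no");
		}
	return 0;
}
```

With no sanitizer, NF_STOLEN and NF_REPEAT both leave the skb unfreed; the posted switch stops the leak but turns NF_DROP_ERR(-EPERM) into -EINVAL and sends NF_QUEUE_NR(3) to the drop path, while matching on the verdict byte keeps both intact.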