lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANn89iK9VrbRJsF2KoLfArv5Eu5d7Hyq-pSO4hmWuS_PNsM8dQ@mail.gmail.com>
Date: Thu, 30 Nov 2023 17:04:50 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: John Fastabend <john.fastabend@...il.com>
Cc: Daniel Borkmann <daniel@...earbox.net>, davem@...emloft.net, kuba@...nel.org, 
	pabeni@...hat.com, ast@...nel.org, andrii@...nel.org, martin.lau@...ux.dev, 
	netdev@...r.kernel.org, bpf@...r.kernel.org, jakub@...udflare.com
Subject: Re: pull-request: bpf 2023-11-30

On Thu, Nov 30, 2023 at 4:54 PM John Fastabend <john.fastabend@...il.com> wrote:
>
> Daniel Borkmann wrote:
> > On 11/30/23 3:53 PM, Eric Dumazet wrote:
> > > On Thu, Nov 30, 2023 at 12:49 AM Daniel Borkmann <daniel@...earbox.net> wrote:
> > >>
> > >> Hi David, hi Jakub, hi Paolo, hi Eric,
> > >>
> > >> The following pull-request contains BPF updates for your *net* tree.
> > >>
> > >> We've added 5 non-merge commits during the last 7 day(s) which contain
> > >> a total of 10 files changed, 66 insertions(+), 15 deletions(-).
> > >>
> > >> The main changes are:
> > >>
> > >> 1) Fix AF_UNIX splat from use after free in BPF sockmap, from John Fastabend.
> > >
> > > syzbot is not happy with this patch.
> > >
> > > Would the following fix make sense?
> > >
> > > diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
> > > index 7ea7c3a0d0d06224f49ad5f073bf772b9528a30a..58e89361059fbf9d5942c6dd268dd80ac4b57098
> > > 100644
> > > --- a/net/unix/unix_bpf.c
> > > +++ b/net/unix/unix_bpf.c
> > > @@ -168,7 +168,8 @@ int unix_stream_bpf_update_proto(struct sock *sk,
> > > struct sk_psock *psock, bool r
> > >          }
> > >
> > >          sk_pair = unix_peer(sk);
> > > -       sock_hold(sk_pair);
> > > +       if (sk_pair)
> > > +               sock_hold(sk_pair);
> > >          psock->sk_pair = sk_pair;
> > >          unix_stream_bpf_check_needs_rebuild(psock->sk_proto);
> > >          sock_replace_proto(sk, &unix_stream_bpf_prot);
> > >
> >
> > Oh well :/ Above looks reasonable to me, thanks, but I'll defer to John & Jakub (both Cc'ed)
> > for a final look.
> >
> > Thanks,
> > Daniel
>
> Is that sk in LISTEN state by any chance? I can't think why we even allow such a
> thing for af_unix sockets.  Another possible fix would be to block adding these
> to sockmap at all.
>
> But, above should be fine as well so I would just go with that. Eric or Daniel
> would you like to submit a patch or I can if needed.

Here is the repro:

# See https://goo.gl/kgGztJ for information about syzkaller reproducers.
#{"procs":1,"slowdown":1,"sandbox":"","sandbox_arg":0,"close_fds":false}
r0 = socket(0x1, 0x1, 0x0)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000200)=@...e={0xf, 0x4, 0x4, 0x12}, 0x48)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000140)={r1, &(0x7f0000000000),
&(0x7f0000000100)=@...6=r0}, 0x20)

I will release the syzbot report, and send the patch, thanks.

Powered by blists - more mailing lists