[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240614101801.9496-1-fw@strlen.de>
Date: Fri, 14 Jun 2024 12:17:33 +0200
From: Florian Westphal <fw@...len.de>
To: bpf@...r.kernel.org
Cc: martin.lau@...ux.dev,
daniel@...earbox.net,
netdev@...r.kernel.org,
Florian Westphal <fw@...len.de>,
syzbot+0c4150bff9fff3bf023c@...kaller.appspotmail.com,
Eric Dumazet <edumazet@...gle.com>
Subject: [PATCH bpf] bpf: avoid splat in pskb_pull_reason
syzkaller builds (CONFIG_DEBUG_NET=y) frequently trigger a debug
hint in pskb_may_pull.
We'd like to retain this debug check because it might hint at integer
overflows and other issues (kernel code should pull headers, not huge
value).
In bpf case, this splat isn't interesting at all: such (nonsensical) bpf
programs are typically generated by a fuzzer anyway.
Do what Eric suggested and suppress such warning.
For CONFIG_DEBUG_NET=n we don't need the extra check because
pskb_may_pull will do the right thing: return an error without the
WARN() backtrace.
Reported-by: syzbot+0c4150bff9fff3bf023c@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0c4150bff9fff3bf023c
Fixes: 219eee9c0d16 ("net: skbuff: add overflow debug check to pull/push helpers")
Link: https://lore.kernel.org/netdev/9f254c96-54f2-4457-b7ab-1d9f6187939c@gmail.com/
Suggested-by: Eric Dumazet <edumazet@...gle.com>
Signed-off-by: Florian Westphal <fw@...len.de>
---
net/core/filter.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index 2510464692af..9933851c685e 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1665,6 +1665,11 @@ static DEFINE_PER_CPU(struct bpf_scratchpad, bpf_sp);
static inline int __bpf_try_make_writable(struct sk_buff *skb,
unsigned int write_len)
{
+#ifdef CONFIG_DEBUG_NET
+ /* Avoid a splat in pskb_may_pull_reason() */
+ if (write_len > INT_MAX)
+ return -EINVAL;
+#endif
return skb_ensure_writable(skb, write_len);
}
--
2.44.2
Powered by blists - more mailing lists