lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <82c77e30-6e9d-44c3-bdcd-7da17654fa81@linux.dev>
Date: Mon, 8 Jul 2024 17:03:58 -0700
From: Martin KaFai Lau <martin.lau@...ux.dev>
To: Sebastian Andrzej Siewior <bigeasy@...utronix.de>
Cc: syzbot <syzbot+608a2acde8c5a101d07d@...kaller.appspotmail.com>,
 netdev@...r.kernel.org, bpf@...r.kernel.org, andrii@...nel.org,
 ast@...nel.org, daniel@...earbox.net, davem@...emloft.net,
 dsahern@...nel.org, eddyz87@...il.com, edumazet@...gle.com,
 haoluo@...gle.com, john.fastabend@...il.com, jolsa@...nel.org,
 kpsingh@...nel.org, kuba@...nel.org, pabeni@...hat.com, sdf@...ichev.me,
 sdf@...gle.com, song@...nel.org, syzkaller-bugs@...glegroups.com,
 yonghong.song@...ux.dev, Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH bpf-next] seg6: Ensure that seg6_bpf_srh_states can only
 be accessed from input_action_end_bpf()

On 7/5/24 3:41 AM, Sebastian Andrzej Siewior wrote:
> Initially I assumed that the per-CPU variable is `seg6_bpf_srh_states'
> is first initialized in input_action_end_bpf() and then accessed during
> the bpf_prog_run_save_cb() invocation by the eBPF via the BPF callbacks.
> syzbot demonstrated that is possible to invoke the BPF callbacks (and
> access `seg6_bpf_srh_states') without entering input_action_end_bpf()
> first.
> 
> The valid path via input_action_end_bpf() is invoked within NAPI
> context which means it has bpf_net_context set. This can be used to
> identify the "valid" calling path.
> 
> Set in input_action_end_bpf() the BPF_RI_F_SEG6_STATE bit to signal the
> valid calling path and clear it at the end. Check for the context and
> the bit in bpf_lwt_seg6.*() and abort if missing.
> 
> Reported-by: syzbot+608a2acde8c5a101d07d@...kaller.appspotmail.com
> Fixes: d1542d4ae4dfd ("seg6: Use nested-BH locking for seg6_bpf_srh_states.")
> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@...utronix.de>
> ---
>   include/linux/filter.h | 24 ++++++++++++++++++++++++
>   net/core/filter.c      |  6 ++++++
>   net/ipv6/seg6_local.c  |  3 +++
>   3 files changed, 33 insertions(+)
> 
> diff --git a/include/linux/filter.h b/include/linux/filter.h
> index 0bbd2585e6def..cadddb25ff4db 100644
> --- a/include/linux/filter.h
> +++ b/include/linux/filter.h
> @@ -739,6 +739,7 @@ struct bpf_nh_params {
>   #define BPF_RI_F_CPU_MAP_INIT	BIT(2)
>   #define BPF_RI_F_DEV_MAP_INIT	BIT(3)
>   #define BPF_RI_F_XSK_MAP_INIT	BIT(4)
> +#define BPF_RI_F_SEG6_STATE	BIT(5)
>   
>   struct bpf_redirect_info {
>   	u64 tgt_index;
> @@ -856,6 +857,29 @@ static inline void bpf_net_ctx_get_all_used_flush_lists(struct list_head **lh_ma
>   		*lh_xsk = lh;
>   }
>   
> +static inline bool bpf_net_ctx_seg6_state_avail(void)
> +{
> +	struct bpf_net_context *bpf_net_ctx = bpf_net_ctx_get();
> +
> +	if (!bpf_net_ctx)
> +		return false;
> +	return bpf_net_ctx->ri.kern_flags & BPF_RI_F_SEG6_STATE;
> +}
> +
> +static inline void bpf_net_ctx_seg6_state_set(void)
> +{
> +	struct bpf_net_context *bpf_net_ctx = bpf_net_ctx_get();
> +
> +	bpf_net_ctx->ri.kern_flags |= BPF_RI_F_SEG6_STATE;
> +}
> +
> +static inline void bpf_net_ctx_seg6_state_clr(void)
> +{
> +	struct bpf_net_context *bpf_net_ctx = bpf_net_ctx_get();
> +
> +	bpf_net_ctx->ri.kern_flags &= ~BPF_RI_F_SEG6_STATE;
> +}
> +
>   /* Compute the linear packet data range [data, data_end) which
>    * will be accessed by various program types (cls_bpf, act_bpf,
>    * lwt, ...). Subsystems allowing direct data access must (!)
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 403d23faf22e1..ea5bc4a4a6a23 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -6459,6 +6459,8 @@ BPF_CALL_4(bpf_lwt_seg6_store_bytes, struct sk_buff *, skb, u32, offset,
>   	void *srh_tlvs, *srh_end, *ptr;
>   	int srhoff = 0;
>   
> +	if (!bpf_net_ctx_seg6_state_avail())
> +		return -EINVAL;

The syzbot stack shows that the seg6local bpf_prog can be run by test_run like: 
bpf_prog_test_run_skb() => bpf_test_run(). "return -EINVAL;" will reject and 
break the existing bpf prog doing test with test_run.

bpf_test_run() has already done the local_bh_disable() and bpf_net_ctx_set(). 
How about doing the local_[un]lock_nested_bh(&seg6_bpf_srh_states.bh_lock) in 
bpf_test_run() when the prog->type == BPF_PROG_TYPE_LWT_SEG6LOCAL?

pw-bot: cr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ