Message-Id: <20250311141238.19862-7-justin.iurman@uliege.be>
Date: Tue, 11 Mar 2025 15:12:37 +0100
From: Justin Iurman <justin.iurman@...ege.be>
To: netdev@...r.kernel.org
Cc: davem@...emloft.net,
	dsahern@...nel.org,
	edumazet@...gle.com,
	kuba@...nel.org,
	pabeni@...hat.com,
	horms@...nel.org,
	justin.iurman@...ege.be,
	bpf@...r.kernel.org,
	Guillaume Nault <gnault@...hat.com>,
	Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
	Menglong Dong <menglong8.dong@...il.com>,
	Peter Oskolkov <posk@...gle.com>,
	Ido Schimmel <idosch@...dia.com>
Subject: [PATCH net 6/7] net: core: bpf: fix lwtunnel_input/xmit loop

Fix the lwtunnel_input() reentry loop and the lwtunnel_xmit() loop when
the destination is the same after transformation. For xmit, we refuse
BPF_LWT_REROUTE when dst_entry remains unchanged, since it's considered
a buggy configuration and there is no other easy way to prevent the
issue.

Fixes: 3bd0b15281af ("bpf: add handling of BPF_LWT_REROUTE to lwt_bpf.c")
Cc: bpf@...r.kernel.org
Cc: Guillaume Nault <gnault@...hat.com>
Cc: Sebastian Andrzej Siewior <bigeasy@...utronix.de>
Cc: Menglong Dong <menglong8.dong@...il.com>
Cc: Peter Oskolkov <posk@...gle.com>
Cc: Ido Schimmel <idosch@...dia.com>
Signed-off-by: Justin Iurman <justin.iurman@...ege.be>
---
 net/core/lwt_bpf.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c
index ae74634310a3..5ed849a0b23d 100644
--- a/net/core/lwt_bpf.c
+++ b/net/core/lwt_bpf.c
@@ -88,6 +88,7 @@ static int run_lwt_bpf(struct sk_buff *skb, struct bpf_lwt_prog *lwt,
 
 static int bpf_lwt_input_reroute(struct sk_buff *skb)
 {
+	struct lwtunnel_state *lwtst = skb_dst(skb)->lwtstate;
 	enum skb_drop_reason reason;
 	int err = -EINVAL;
 
@@ -110,6 +111,13 @@ static int bpf_lwt_input_reroute(struct sk_buff *skb)
 
 	if (err)
 		goto err;
+
+	/* avoid lwtunnel_input() reentry loop when destination is the same
+	 * after transformation
+	 */
+	if (lwtst == skb_dst(skb)->lwtstate)
+		return lwtst->orig_input(skb);
+
 	return dst_input(skb);
 
 err:
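Review bot: the new test in bpf_lwt_input_reroute() compares lwtstate pointers, but the comment above it says the destination is the same; a different dst entry that carries the same lwtstate would also take this branch and go to lwtst->orig_input(skb). If that is the intent, word the comment accordingly (for example "when the new dst carries the same lwtstate"). Since lwtst is a plain pointer saved at function entry, it would also help to note that it is only dereferenced here because it was just shown equal to the current dst's lwtstate.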
@@ -180,6 +188,7 @@ static int bpf_lwt_xmit_reroute(struct sk_buff *skb)
 	struct net_device *l3mdev = l3mdev_master_dev_rcu(skb_dst(skb)->dev);
 	int oif = l3mdev ? l3mdev->ifindex : 0;
 	struct dst_entry *dst = NULL;
+	struct dst_entry *orig_dst;
 	int err = -EAFNOSUPPORT;
 	struct sock *sk;
 	struct net *net;
@@ -201,6 +210,8 @@ static int bpf_lwt_xmit_reroute(struct sk_buff *skb)
 		net = dev_net(skb_dst(skb)->dev);
 	}
 
+	orig_dst = skb_dst(skb);
+
 	if (ipv4) {
 		struct iphdr *iph = ip_hdr(skb);
 		struct flowi4 fl4 = {};
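Review bot: `orig_dst = skb_dst(skb);` saves a whole dst_entry pointer although the later check only reads `orig_dst->lwtstate`, while the input path in this same patch saves the lwtstate pointer directly (`lwtst`). Saving `skb_dst(skb)->lwtstate` here would keep the two reroute helpers symmetric and make it clear the saved value is only compared, never used as a dst. If orig_dst stays, a one-line comment that it is borrowed from the skb and must be read before skb_dst_drop(skb) would guard against later reordering.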
@@ -254,6 +265,16 @@ static int bpf_lwt_xmit_reroute(struct sk_buff *skb)
 	if (unlikely(err))
 		goto err;
 
+	/* avoid lwtunnel_xmit() reentry loop when destination is the same
+	 * after transformation (i.e., disallow BPF_LWT_REROUTE when dst_entry
+	 * remains the same).
+	 */
+	if (orig_dst->lwtstate == dst->lwtstate) {
+		dst_release(dst);
+		err = -EINVAL;
+		goto err;
+	}
+
 	skb_dst_drop(skb);
 	skb_dst_set(skb, dst);
 
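Review bot: the -EINVAL branch after `orig_dst->lwtstate == dst->lwtstate` takes the error path with nothing in the hunk that logs or counts the event, although the commit message calls this case a buggy configuration. Consider a rate-limited warning or a distinct drop reason so an administrator can tell a rejected BPF_LWT_REROUTE from any other failure in this function. The comment says "dst_entry remains the same" while the test compares lwtstate pointers; align the wording with the check. Calling dst_release(dst) before `goto err` and reading orig_dst before skb_dst_drop(skb) both look right.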
-- 
2.34.1