[13/13] bpf: Fix use of sk->sk_reuseport from sk_assign

Message ID	20200831040333.6058-14-khalid.elmously@canonical.com
State	New
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Khalid Elmously <khalid.elmously@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [PATCH 13/13] bpf: Fix use of sk->sk_reuseport from sk_assign Date: Mon, 31 Aug 2020 00:03:33 -0400 Message-Id: <20200831040333.6058-14-khalid.elmously@canonical.com> In-Reply-To: <20200831040333.6058-1-khalid.elmously@canonical.com> References: <20200831040333.6058-1-khalid.elmously@canonical.com> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	Requested eBPF improvements \| expand [SRU,00/13,GCP-5.4] Requested eBPF improvements [01/13] bpf: Enable retrieval of socket cookie for bind/post-bind hook [02/13] bpf: Enable perf event rb output for bpf cgroup progs [03/13] bpf: Add netns cookie and enable it for bpf cgroup hooks [04/13] bpf, net: Fix build issue when net ns not configured [05/13] bpf: Allow to retrieve cgroup v1 classid from v2 hooks [06/13] bpf: Enable retrival of pid/tgid/comm from bpf cgroup hooks [07/13] bpf: Add get{peer, sock}name attach types for sock_addr [08/13] bpf, sk_msg: Add some generic helpers that may be useful from sk_msg [09/13] bpf: Add BPF_FUNC_jiffies64 [10/13] bpf: Add socket assign support [11/13] net: Track socket refcounts in skb_steal_sock() [12/13] bpf: Don't refcount LISTEN sockets in sk_assign() [13/13] bpf: Fix use of sk->sk_reuseport from sk_assign

Message ID

20200831040333.6058-14-khalid.elmously@canonical.com

State

New

Headers

From: Khalid Elmously <khalid.elmously@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 13/13] bpf: Fix use of sk->sk_reuseport from sk_assign
Date: Mon, 31 Aug 2020 00:03:33 -0400
Message-Id: <20200831040333.6058-14-khalid.elmously@canonical.com>
In-Reply-To: <20200831040333.6058-1-khalid.elmously@canonical.com>
References: <20200831040333.6058-1-khalid.elmously@canonical.com>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

Requested eBPF improvements | expand

Commit Message

Khalid Elmously Aug. 31, 2020, 4:03 a.m. UTC

From: Joe Stringer <joe@wand.net.nz>

[ upstream commit 8e368dc72e86ad1e1a612416f32d5ad22dca88bc ]

In testing, we found that for request sockets the sk->sk_reuseport field
may yet be uninitialized, which caused bpf_sk_assign() to randomly
succeed or return -ESOCKTNOSUPPORT when handling the forward ACK in a
three-way handshake.

Fix it by only applying the reuseport check for full sockets.

Fixes: cf7fbe660f2d ("bpf: Add socket assign support")
Signed-off-by: Joe Stringer <joe@wand.net.nz>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Link: https://lore.kernel.org/bpf/20200408033540.10339-1-joe@wand.net.nz
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
---
 net/core/filter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Kleber Sacilotto de Souza Sept. 3, 2020, 10:58 a.m. UTC | #1

On 31.08.20 06:03, Khalid Elmously wrote:
> From: Joe Stringer <joe@wand.net.nz>

This patch is missing:

BugLink: https://bugs.launchpad.net/bugs/1887740

> 
> [ upstream commit 8e368dc72e86ad1e1a612416f32d5ad22dca88bc ]
> 
> In testing, we found that for request sockets the sk->sk_reuseport field
> may yet be uninitialized, which caused bpf_sk_assign() to randomly
> succeed or return -ESOCKTNOSUPPORT when handling the forward ACK in a
> three-way handshake.
> 
> Fix it by only applying the reuseport check for full sockets.
> 
> Fixes: cf7fbe660f2d ("bpf: Add socket assign support")
> Signed-off-by: Joe Stringer <joe@wand.net.nz>
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> Acked-by: Martin KaFai Lau <kafai@fb.com>
> Link: https://lore.kernel.org/bpf/20200408033540.10339-1-joe@wand.net.nz
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> ---
>  net/core/filter.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/core/filter.c b/net/core/filter.c
> index baaeab75327c..a895e272d75e 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -5992,7 +5992,7 @@ BPF_CALL_3(bpf_sk_assign, struct sk_buff *, skb, struct sock *, sk, u64, flags)
>  		return -EOPNOTSUPP;
>  	if (unlikely(dev_net(skb->dev) != sock_net(sk)))
>  		return -ENETUNREACH;
> -	if (unlikely(sk->sk_reuseport))
> +	if (unlikely(sk_fullsock(sk) && sk->sk_reuseport))
>  		return -ESOCKTNOSUPPORT;
>  	if (sk_is_refcounted(sk) &&
>  	    unlikely(!refcount_inc_not_zero(&sk->sk_refcnt)))
>

diff --git a/net/core/filter.c b/net/core/filter.c
index baaeab75327c..a895e272d75e 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -5992,7 +5992,7 @@  BPF_CALL_3(bpf_sk_assign, struct sk_buff *, skb, struct sock *, sk, u64, flags)
 		return -EOPNOTSUPP;
 	if (unlikely(dev_net(skb->dev) != sock_net(sk)))
 		return -ENETUNREACH;
-	if (unlikely(sk->sk_reuseport))
+	if (unlikely(sk_fullsock(sk) && sk->sk_reuseport))
 		return -ESOCKTNOSUPPORT;
 	if (sk_is_refcounted(sk) &&
 	    unlikely(!refcount_inc_not_zero(&sk->sk_refcnt)))

[13/13] bpf: Fix use of sk->sk_reuseport from sk_assign

Commit Message

Comments

Patch