From patchwork Wed Jan 16 01:19:22 2019
X-Patchwork-Submitter: Willem de Bruijn
X-Patchwork-Id: 1025584
X-Patchwork-Delegate: bpf@iogearbox.net
From: Willem de Bruijn
To: netdev@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, kafai@fb.com, tgraf@suug.ch, Willem de Bruijn, syzbot
Subject: [PATCH net] bpf: in __bpf_redirect_no_mac pull mac only if present
Date: Tue, 15 Jan 2019 20:19:22 -0500
Message-Id: <20190116011922.4420-1-willemdebruijn.kernel@gmail.com>
X-Mailing-List: netdev@vger.kernel.org
From: Willem de Bruijn

Syzkaller was able to construct a packet of negative length by
redirecting from bpf_prog_test_run_skb with BPF_PROG_TYPE_LWT_XMIT:

BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
BUG: KASAN: slab-out-of-bounds in skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
BUG: KASAN: slab-out-of-bounds in __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
Read of size 4294967282 at addr ffff8801d798009c by task syz-executor2/12942

kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
memcpy+0x23/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:345 [inline]
skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
__pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
__pskb_copy include/linux/skbuff.h:1053 [inline]
pskb_copy include/linux/skbuff.h:2904 [inline]
skb_realloc_headroom+0xe7/0x120 net/core/skbuff.c:1539
ipip6_tunnel_xmit net/ipv6/sit.c:965 [inline]
sit_tunnel_xmit+0xe1b/0x30d0 net/ipv6/sit.c:1029
__netdev_start_xmit include/linux/netdevice.h:4325 [inline]
netdev_start_xmit include/linux/netdevice.h:4334 [inline]
xmit_one net/core/dev.c:3219 [inline]
dev_hard_start_xmit+0x295/0xc90 net/core/dev.c:3235
__dev_queue_xmit+0x2f0d/0x3950 net/core/dev.c:3805
dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
__bpf_tx_skb net/core/filter.c:2016 [inline]
__bpf_redirect_common net/core/filter.c:2054 [inline]
__bpf_redirect+0x5cf/0xb20 net/core/filter.c:2061
____bpf_clone_redirect net/core/filter.c:2094 [inline]
bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2066
bpf_prog_41f2bcae09cd4ac3+0xb25/0x1000

The generated test constructs a packet with mac header, network header,
skb->data pointing to network header and skb->len 0.

Redirecting to a sit0 through __bpf_redirect_no_mac pulls the mac
length, even though skb->data already is at skb->network_header.
bpf_prog_test_run_skb has already pulled it as LWT_XMIT !is_l2.

Update the offset calculation to pull only if skb->data differs from
skb->network_header, which is not true in this case.

The test itself can be run only from commit 1cf1cae963c2 ("bpf:
introduce BPF_PROG_TEST_RUN command"), but the same type of packets
with skb at network header could already be built from lwt xmit hooks,
so this fix is more relevant to that commit.

Also set the mac header on redirect from LWT_XMIT, as even after this
change to __bpf_redirect_no_mac that field is expected to be set, but
is not yet in ip_finish_output2.

Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure")
Reported-by: syzbot
Signed-off-by: Willem de Bruijn
Acked-by: Martin KaFai Lau
---
 net/core/filter.c  | 21 +++++++++++----------
 net/core/lwt_bpf.c |  1 +
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 2b3b436ef5457..3a3f6473f24d6 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2020,18 +2020,19 @@ static inline int __bpf_tx_skb(struct net_device *dev, struct sk_buff *skb) static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev, u32 flags) { - /* skb->mac_len is not set on normal egress */ - unsigned int mlen = skb->network_header - skb->mac_header; + unsigned int mlen = skb_network_offset(skb); - __skb_pull(skb, mlen); + if (mlen) { + __skb_pull(skb, mlen); - /* At ingress, the mac header has already been pulled once. - * At egress, skb_pospull_rcsum has to be done in case that - * the skb is originated from ingress (i.e. a forwarded skb) - * to ensure that rcsum starts at net header. - */ - if (!skb_at_tc_ingress(skb)) - skb_postpull_rcsum(skb, skb_mac_header(skb), mlen); + /* At ingress, the mac header has already been pulled once. + * At egress, skb_pospull_rcsum has to be done in case that + * the skb is originated from ingress (i.e. a forwarded skb) + * to ensure that rcsum starts at net header. + */ + if (!skb_at_tc_ingress(skb)) + skb_postpull_rcsum(skb, skb_mac_header(skb), mlen); + } skb_pop_mac_header(skb); skb_reset_mac_len(skb); return flags & BPF_F_INGRESS ? diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c index 3e85437f71060..a648568c5e8fe 100644 --- a/net/core/lwt_bpf.c +++ b/net/core/lwt_bpf.c @@ -63,6 +63,7 @@ static int run_lwt_bpf(struct sk_buff *skb, struct bpf_lwt_prog *lwt, lwt->name ? : ""); ret = BPF_OK; } else { + skb_reset_mac_header(skb); ret = skb_do_redirect(skb); if (ret == 0) ret = BPF_REDIRECT;
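Review bot: In the filter.c hunk, `unsigned int mlen = skb_network_offset(skb);` stores a signed offset (skb_network_offset() returns int) in an unsigned variable, so if skb->data ever sits past the network header the negative result becomes a very large mlen, `if (mlen)` still passes and `__skb_pull(skb, mlen)` underflows skb->len, the same failure mode this patch is fixing. Consider keeping mlen as an int and guarding with `if (mlen > 0)` (or a WARN_ON_ONCE on a negative offset). The removed comment `/* skb->mac_len is not set on normal egress */` also explained why the mac length is computed from the header marks rather than from skb->mac_len; a one-line replacement stating that skb_network_offset() is zero when data already sits at the network header would keep that rationale next to the code.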
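Review bot: In the lwt_bpf.c hunk, the added `skb_reset_mac_header(skb);` carries no comment, and its correctness is coupled to the filter.c change: it sets mac_header to the current skb->data, which on the LWT_XMIT path is the network header, so __bpf_redirect_no_mac then sees a zero skb_network_offset() and skips the pull. Suggest a short comment above the call (that the redirect path expects mac_header to be set and ip_finish_output2 has not yet done so, as the commit message explains) so a later cleanup does not drop it or move it after skb_do_redirect().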
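To see where the "Read of size 4294967282" in the report comes from, here is a toy model of the pull arithmetic before and after this patch. It is an added example, not code from the patch or the kernel: struct toy_skb, toy_skb_pull and redirect_no_mac_len are stand-ins for sk_buff, __skb_pull and __bpf_redirect_no_mac, and a 14-byte Ethernet mac header is assumed.

```c
/* Toy model of the header bookkeeping in __bpf_redirect_no_mac, added as
 * an example (not kernel code). Header fields are offsets from head and
 * len is unsigned, as in struct sk_buff. */
#include <stdint.h>
#include <stdio.h>

struct toy_skb {
    unsigned char *head, *data;
    uint32_t len, mac_header, network_header;
};

/* Like __skb_pull: len shrinks first, so pulling more than len wraps. */
static void toy_skb_pull(struct toy_skb *skb, uint32_t n)
{
    skb->len -= n;
    skb->data += n;
}

/* Returns skb->len after the redirect pull. fixed=0 uses the old
 * network_header - mac_header; fixed=1 uses skb_network_offset(), the
 * distance from data to the network header, and pulls only if non-zero.
 * The mac header is assumed to start at offset 0 and be 14 bytes long. */
uint32_t redirect_no_mac_len(int fixed, uint32_t data_off, uint32_t len)
{
    static unsigned char buf[64];                 /* constructed packet buffer */
    struct toy_skb skb = { buf, buf + data_off, len, 0, 14 };
    int mlen = fixed ? (int)((skb.head + skb.network_header) - skb.data)
                     : (int)(skb.network_header - skb.mac_header);

    if (!fixed || mlen)
        toy_skb_pull(&skb, (uint32_t)mlen);
    return skb.len;
}

int main(void)
{
    /* syzkaller's packet: data already at the network header, len 0 */
    printf("old: %u new: %u\n", redirect_no_mac_len(0, 14, 0),
           redirect_no_mac_len(1, 14, 0));
    /* normal egress: data at the mac header, 14 + 20 bytes of packet */
    printf("old: %u new: %u\n", redirect_no_mac_len(0, 0, 34),
           redirect_no_mac_len(1, 0, 34));
    return 0;
}
```

The first line prints 4294967282 for the old computation (0 - 14 wrapped to 32 bits) and 0 for the fixed one; the second prints 20 for both, showing the normal egress case is unchanged.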