From patchwork Mon May 4 17:21:23 2020
X-Patchwork-Submitter: John Fastabend
X-Patchwork-Id: 1282903
X-Patchwork-Delegate: bpf@iogearbox.net
Subject: [PATCH 1/2] bpf: sockmap, msg_pop_data can incorrectly set an sge length
From: John Fastabend
To: jakub@cloudflare.com, daniel@iogearbox.net
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, john.fastabend@gmail.com, ast@kernel.org
Date: Mon, 04 May 2020 10:21:23 -0700
Message-ID: <158861288359.14306.7654891716919968144.stgit@john-Precision-5820-Tower>
In-Reply-To: <158861271707.14306.15853815339036099229.stgit@john-Precision-5820-Tower>
References: <158861271707.14306.15853815339036099229.stgit@john-Precision-5820-Tower>
User-Agent: StGit/0.17.1-dirty
X-Mailing-List: bpf@vger.kernel.org

When sk_msg_pop() is called where the pop operation is working on the end
of a sge element and there is no additional trailing data and there _is_
data in front of pop, like the following case,

   |____________a_____________|__pop__|

We have out of order operations where we incorrectly set the pop variable
so that instead of zeroing pop we incorrectly leave it untouched,
effectively. This can cause later logic to shift the buffers around
believing it should pop extra space. The result is we have 'popped' more
data than we expected, potentially breaking program logic.

It took us a while to hit this case because typically we pop headers which
seem to rarely be at the end of a scatterlist element, but we can't rely
on this.

Fixes: 7246d8ed4dcce ("bpf: helper to pop data from messages")
Signed-off-by: John Fastabend
Acked-by: Martin KaFai Lau
---
 net/core/filter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 7d6ceaa..5cc9276 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2590,8 +2590,8 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start, } pop = 0; } else if (pop >= sge->length - a) { - sge->length = a; pop -= (sge->length - a); + sge->length = a; } }
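Review bot: no selftest accompanies this ordering fix, and the commit message says the case was hard to hit, so a test_sockmap case that pops the trailing bytes of an sge with data in front of it (the `|____a____|__pop__|` layout) would keep it from regressing. The swap itself is right: `pop -= (sge->length - a)` now reads the length before `sge->length = a` truncates it, so in that layout pop drains to 0 instead of keeping its old value, which is exactly what the `else if (pop >= sge->length - a)` guard assumes. Minor nit, the parentheses around `sge->length - a` are redundant.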
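As an added illustration of the ordering bug the commit message describes (constructed example code, not the kernel's bpf_msg_pop_data()), the truncation branch shown in the hunk is modelled on a two-field sge and run on the `|____a____|__pop__|` layout in both the original and the fixed order; the names `pop_tail` and `leftover_pop` are this example's own:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for the scatterlist element the hunk touches. */
struct sge {
	uint32_t offset;
	uint32_t length;
};

/*
 * Model of the `else if (pop >= sge->length - a)` branch: the pop region
 * starts `a` bytes into the element and runs to its end, so the element is
 * cut back to `a` bytes and whatever part of `pop` this element could not
 * satisfy is returned for the caller's later logic to take from the
 * following elements. `fixed` selects the statement order; the patch moves
 * the subtraction before the truncation.
 */
static uint32_t pop_tail(struct sge *sge, uint32_t a, uint32_t pop, bool fixed)
{
	if (pop >= sge->length - a) {
		if (fixed) {
			pop -= (sge->length - a);  /* uses the length before truncation */
			sge->length = a;
		} else {
			sge->length = a;           /* truncate first ... */
			pop -= (sge->length - a);  /* ... so this subtracts 0 and pop is left untouched */
		}
	}
	return pop;
}

/* Bytes still outstanding after popping `pop` bytes at offset `a` of a `length`-byte element. */
static uint32_t leftover_pop(uint32_t length, uint32_t a, uint32_t pop, bool fixed)
{
	struct sge sge = { .offset = 0, .length = length };

	return pop_tail(&sge, a, pop, fixed);
}

int main(void)
{
	/* |____________a_____________|__pop__| : 56 bytes of data, then the last 8 bytes popped. */
	printf("original order: %u bytes still to pop\n", leftover_pop(64, 56, 8, false)); /* 8 */
	printf("fixed order:    %u bytes still to pop\n", leftover_pop(64, 56, 8, true));  /* 0 */
	/* A pop running past the element end: only the part beyond it carries over. */
	printf("fixed order, pop spanning elements: %u\n", leftover_pop(64, 56, 20, true)); /* 12 */
	return 0;
}
```

The non-zero leftover in the original order is the "extra space" the commit message warns about: later logic would remove those 8 bytes a second time from the data that follows.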
From patchwork Mon May 4 17:21:44 2020
X-Patchwork-Submitter: John Fastabend
X-Patchwork-Id: 1282905
X-Patchwork-Delegate: bpf@iogearbox.net
Subject: [PATCH 2/2] bpf: sockmap, bpf_tcp_ingress needs to subtract bytes from sg.size
From: John Fastabend
To: jakub@cloudflare.com, daniel@iogearbox.net
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, john.fastabend@gmail.com, ast@kernel.org
Date: Mon, 04 May 2020 10:21:44 -0700
Message-ID: <158861290407.14306.5327773422227552482.stgit@john-Precision-5820-Tower>
In-Reply-To: <158861271707.14306.15853815339036099229.stgit@john-Precision-5820-Tower>
References: <158861271707.14306.15853815339036099229.stgit@john-Precision-5820-Tower>
User-Agent: StGit/0.17.1-dirty
X-Mailing-List: bpf@vger.kernel.org

In bpf_tcp_ingress we used apply_bytes to subtract bytes from sg.size, which
is used to track total bytes in a message. But this is not correct because
apply_bytes is itself modified in the main loop doing the mem_charge. Then
at the end of this we have sg.size incorrectly set and out of sync with
actual sk values. Then we can get a splat if we try to cork the data later
and again try to redirect the msg to ingress.

To fix, instead of trying to track msg.size, do the easy thing and include
it as part of the sk_msg_xfer logic so that when the msg is moved the
sg.size is always correct.

To reproduce the below, users will need ingress + cork and hit an error
path that will then try to 'free' the skmsg.

[ 173.699981] BUG: KASAN: null-ptr-deref in sk_msg_free_elem+0xdd/0x120
[ 173.699987] Read of size 8 at addr 0000000000000008 by task test_sockmap/5317
[ 173.700000] CPU: 2 PID: 5317 Comm: test_sockmap Tainted: G I 5.7.0-rc1+ #43
[ 173.700005] Hardware name: Dell Inc. Precision 5820 Tower/002KVM, BIOS 1.9.2 01/24/2019
[ 173.700009] Call Trace:
[ 173.700021] dump_stack+0x8e/0xcb
[ 173.700029] ? sk_msg_free_elem+0xdd/0x120
[ 173.700034] ? sk_msg_free_elem+0xdd/0x120
[ 173.700042] __kasan_report+0x102/0x15f
[ 173.700052] ? sk_msg_free_elem+0xdd/0x120
[ 173.700060] kasan_report+0x32/0x50
[ 173.700070] sk_msg_free_elem+0xdd/0x120
[ 173.700080] __sk_msg_free+0x87/0x150
[ 173.700094] tcp_bpf_send_verdict+0x179/0x4f0
[ 173.700109] tcp_bpf_sendpage+0x3ce/0x5d0

Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: John Fastabend
Acked-by: Martin KaFai Lau
---
 include/linux/skmsg.h | 1 +
 net/ipv4/tcp_bpf.c    | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
index 8a709f6..ad31c9f 100644
--- a/include/linux/skmsg.h
+++ b/include/linux/skmsg.h
@@ -187,6 +187,7 @@ static inline void sk_msg_xfer(struct sk_msg *dst, struct sk_msg *src, dst->sg.data[which] = src->sg.data[which]; dst->sg.data[which].length = size; dst->sg.size += size; + src->sg.size -= size; src->sg.data[which].length -= size; src->sg.data[which].offset += size; }
diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index ff96466..629aaa9a 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -125,7 +125,6 @@ static int bpf_tcp_ingress(struct sock *sk, struct sk_psock *psock, if (!ret) { msg->sg.start = i; - msg->sg.size -= apply_bytes; sk_psock_queue_msg(psock, tmp); sk_psock_data_ready(sk, psock); } else {
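Review bot: since sk_msg_xfer() now debits `src->sg.size -= size` itself, any other caller that still subtracts the transferred bytes from the source message would double-count; the diffstat touches only net/ipv4/tcp_bpf.c, so it is worth stating in the commit message that bpf_tcp_ingress was the only caller doing its own accounting. With `dst->sg.size += size` and `src->sg.size -= size` side by side the sum of the two sizes is now invariant across a transfer, which is the property the old caller-side subtraction failed to keep.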
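Review bot: the removed `msg->sg.size -= apply_bytes;` sat inside `if (!ret)`, so the source size was only adjusted on success, whereas the sk_msg_xfer() change debits it on every transfer, including the ones made before the loop fell into the `} else {` branch. That is the behaviour the commit message wants (the splat comes from freeing the skmsg on the error path), but a one-line comment at the `else` noting that bytes already moved into tmp have been accounted out of msg would save the next reader from re-deriving it.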
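As an added model of the accounting bug in the second commit message (constructed example code, not the kernel's bpf_tcp_ingress() or sk_msg_xfer(); the loop shape is assumed from the description that apply_bytes is consumed inside the loop that charges and moves each element), a two-element message is redirected to ingress with sk_msg_xfer() written both without and with the added `src->sg.size -= size`; `ingress` and `src_size_after_ingress` are this example's own names:

```c
#include <stdbool.h>
#include <stdint.h>

#define MAX_SGE 4

/* Only the fields the patch touches: per-element offset/length and the running sg.size. */
struct sk_msg {
	struct {
		uint32_t size;              /* total bytes across all elements */
		struct { uint32_t offset, length; } data[MAX_SGE];
	} sg;
};

/* sk_msg_xfer() as in the hunk; `debit_src` toggles the line the patch adds. */
static void sk_msg_xfer(struct sk_msg *dst, struct sk_msg *src, int which, uint32_t size, bool debit_src)
{
	dst->sg.data[which] = src->sg.data[which];
	dst->sg.data[which].length = size;
	dst->sg.size += size;
	if (debit_src)
		src->sg.size -= size;       /* added line: src stays in sync as bytes leave it */
	src->sg.data[which].length -= size;
	src->sg.data[which].offset += size;
}

/*
 * Assumed shape of the bpf_tcp_ingress() loop: elements are moved one at a
 * time and apply_bytes is decremented by each chunk, so by the time the old
 * `msg->sg.size -= apply_bytes` ran it subtracted what was left (0), not
 * what was moved. Returns the source message's sg.size afterwards.
 */
static uint32_t ingress(struct sk_msg *msg, struct sk_msg *tmp, uint32_t apply_bytes, bool fixed)
{
	for (int i = 0; i < MAX_SGE && apply_bytes; i++) {
		uint32_t size = msg->sg.data[i].length < apply_bytes ? msg->sg.data[i].length : apply_bytes;
		sk_msg_xfer(tmp, msg, i, size, fixed);
		apply_bytes -= size;        /* the loop consumes apply_bytes */
	}
	if (!fixed)
		msg->sg.size -= apply_bytes; /* old code: apply_bytes is already 0 here */
	return msg->sg.size;
}

/* Constructed message: elements of 100 and 50 bytes, 120 bytes redirected to ingress. */
static uint32_t src_size_after_ingress(bool fixed)
{
	struct sk_msg msg = { .sg = { .size = 150, .data = { { 0, 100 }, { 0, 50 } } } };
	struct sk_msg tmp = { .sg = { .size = 0 } };
	return ingress(&msg, &tmp, 120, fixed);
}
```

With the old accounting the source still claims all 150 bytes after 120 of them have moved, which is the out-of-sync sg.size that a later free of the message trips over; with the fix it reports the 30 bytes actually left.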