From: Lorenz Bauer
Date: Wed, 09 Aug 2023 09:33:53 +0100
Subject: [PATCH bpf-next] net: Fix slab-out-of-bounds in inet[6]_steal_sock
Message-Id: <20230809-bpf-next-v1-1-c1b80712e83b@isovalent.com>
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Daniel Borkmann, Kuniyuki Iwashima, Martin KaFai Lau
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, Kumar Kartikeya Dwivedi, Lorenz Bauer

Kumar reported a KASAN splat in tcp_v6_rcv:

bash-5.2# ./test_progs -t btf_skc_cls_ingress
...
[ 51.810085] BUG: KASAN: slab-out-of-bounds in tcp_v6_rcv+0x2d7d/0x3440
[ 51.810458] Read of size 2 at addr ffff8881053f038c by task test_progs/226

The problem is that inet[6]_steal_sock accesses sk->sk_protocol without accounting for request sockets. I added the check to ensure that we only ever try to perform a reuseport lookup on a supported socket. It turns out that this isn't necessary at all.

struct sock_common contains a skc_reuseport flag which indicates whether a socket is part of a reuseport group. inet[6]_lookup_reuseport already checks this flag, so we can't execute an erroneous reuseport lookup by definition.

Remove the unnecessary assertions to fix the out of bounds access.

Fixes: 9c02bec95954 ("bpf, net: Support SO_REUSEPORT sockets with bpf_sk_assign")
Reported-by: Kumar Kartikeya Dwivedi
Signed-off-by: Lorenz Bauer
Tested-by: Kumar Kartikeya Dwivedi
---
 include/net/inet6_hashtables.h | 10 ----------
 include/net/inet_hashtables.h  | 10 ----------
 2 files changed, 20 deletions(-)
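A constructed C model of the layout problem the commit message describes, added here as an illustration and not code from the kernel or from this patch: a request socket carries only the struct sock_common header, so the pre-fix read of sk_protocol runs past its allocation, while the post-fix path reads nothing but skc_reuseport from the common header. The struct layouts, the protocol/state constants and the KASAN-style bounds check are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed miniature of the kernel layout (not kernel code): a request
 * socket embeds only struct sock_common, so sk_protocol exists solely in
 * the full struct sock. Protocol/state values are placeholders as well. */
struct sock_common { uint8_t skc_state; uint8_t skc_reuseport; };
struct sock { struct sock_common __sk_common; uint16_t sk_protocol; };
struct request_sock { struct sock_common __req_common; };
enum { PROTO_TCP = 6, STATE_LISTEN = 10 };
enum outcome { RETURN_SK, REUSEPORT_LOOKUP, OOB_READ };
/* Socket plus its real allocation size, so reads can be bounds-checked like KASAN. */
struct prefetched { const void *obj; size_t alloc_size; };

/* KASAN-style checked read: refuses instead of touching bytes past the end. */
static bool checked_read(const struct prefetched *p, size_t off, size_t n, void *out)
{
	if (off + n > p->alloc_size)
		return false;
	memcpy(out, (const char *)p->obj + off, n);
	return true;
}

/* What inet[6]_lookup_reuseport relies on: skc_reuseport sits in the
 * common header, so it is valid for full and request sockets alike. */
static enum outcome lookup_reuseport(const struct prefetched *p)
{
	uint8_t reuse = 0;
	checked_read(p, offsetof(struct sock_common, skc_reuseport), 1, &reuse);
	return reuse ? REUSEPORT_LOOKUP : RETURN_SK;
}

/* Pre-fix: inspects sk_protocol first, which overruns a request socket. */
static enum outcome steal_sock_before_fix(const struct prefetched *p)
{
	uint16_t proto;
	uint8_t state = 0;
	if (!checked_read(p, offsetof(struct sock, sk_protocol), 2, &proto))
		return OOB_READ;
	checked_read(p, offsetof(struct sock_common, skc_state), 1, &state);
	if (proto != PROTO_TCP || state != STATE_LISTEN)
		return RETURN_SK;
	return lookup_reuseport(p);
}

/* Post-fix: straight to the lookup, which reads only the common header. */
static enum outcome steal_sock_after_fix(const struct prefetched *p) { return lookup_reuseport(p); }
```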
diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h index 284b5ce7205d..f9907ed36d54 100644 --- a/include/net/inet6_hashtables.h +++ b/include/net/inet6_hashtables.h @@ -119,16 +119,6 @@ struct sock *inet6_steal_sock(struct net *net, struct = sk_buff *skb, int doff, if (!prefetched) return sk; =20 - if (sk->sk_protocol =3D=3D IPPROTO_TCP) { - if (sk->sk_state !=3D TCP_LISTEN) - return sk; - } else if (sk->sk_protocol =3D=3D IPPROTO_UDP) { - if (sk->sk_state !=3D TCP_CLOSE) - return sk; - } else { - return sk; - } - reuse_sk =3D inet6_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, ntohs(dport), ehashfn); diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h index 1177effabed3..57a46993383a 100644 --- a/include/net/inet_hashtables.h +++ b/include/net/inet_hashtables.h @@ -465,16 +465,6 @@ struct sock *inet_steal_sock(struct net *net, struct s= k_buff *skb, int doff, if (!prefetched) return sk; =20 - if (sk->sk_protocol =3D=3D IPPROTO_TCP) { - if (sk->sk_state !=3D TCP_LISTEN) - return sk; - } else if (sk->sk_protocol =3D=3D IPPROTO_UDP) { - if (sk->sk_state !=3D TCP_CLOSE) - return sk; - } else { - return sk; - } - reuse_sk =3D inet_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, ntohs(dport), ehashfn); --- base-commit: eb62e6aef940fcb1879100130068369d4638088f change-id: 20230808-bpf-next-a442a095562b Best regards, --=20 Lorenz Bauer
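Review bot: in the inet6_hashtables.h hunk the removed block dereferences sk->sk_protocol on a socket that arrived via the prefetched path, and the commit message confirms such a socket can be a request socket, which carries only the struct sock_common header; sk_protocol is not part of sock_common, so that 2-byte read lands past the allocation, matching the "Read of size 2" in the KASAN report. Dropping the guard is the right fix, but the surviving line `reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff,` now gives no hint of why no protocol or state check is needed; suggest a one-line comment above it noting that inet6_lookup_reuseport() itself tests the reuseport flag in sock_common, so nobody reintroduces the check later.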
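Review bot: the inet_hashtables.h hunk removes the same ten lines as the IPv6 hunk, which is correct since the two helpers differ only in the callee (inet_lookup_reuseport versus inet6_lookup_reuseport) and must stay in lockstep; what the patch does not carry is a regression test, while the commit message shows the bug reproducing with `./test_progs -t btf_skc_cls_ingress`, so it would be worth stating whether that selftest now passes and, if it only exercises the IPv6 path, extending it so inet_steal_sock is covered as well. One more nit: the commit message calls the removed lines "assertions", but the hunk shows they are early returns that silently skipped the lookup; "checks" would make the log match the code.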