Skip to content

bpf: Reject negative head_room in __bpf_skb_change_head #10079

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Parent: bpf: Fix tr dereference
wants to merge 1 commit into
base: bpf_base
Choose a base branch
from
Open

bpf: Reject negative head_room in __bpf_skb_change_head #10079

wants to merge 1 commit into from
+2 −1

Conversation

@kernel-patches-daemon-bpf
Copy link

Pull request for series with
subject: bpf: Reject negative head_room in __bpf_skb_change_head
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1015005

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 881a9c9
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1015005
version: 1

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 7221b9c
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1015005
version: 1

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 7221b9c
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1015005
version: 1

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 7221b9c
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1015005
version: 1

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 8ce93aa
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1015005
version: 1

@borkmann
bpf: Reject negative head_room in __bpf_skb_change_head
44d9197 
Yinhao et al. recently reported:

  Our fuzzing tool was able to create a BPF program which triggered
  the below BUG condition inside pskb_expand_head.

  [   23.016047][T10006] kernel BUG at net/core/skbuff.c:2232!
  [...]
  [   23.017301][T10006] RIP: 0010:pskb_expand_head+0x1519/0x1530
  [...]
  [   23.021249][T10006] Call Trace:
  [   23.021387][T10006]  <TASK>
  [   23.021507][T10006]  ? __pfx_pskb_expand_head+0x10/0x10
  [   23.021725][T10006]  __bpf_skb_change_head+0x22a/0x520
  [   23.021939][T10006]  bpf_skb_change_head+0x34/0x1b0
  [   23.022143][T10006]  ___bpf_prog_run+0xf70/0xb670
  [   23.022342][T10006]  __bpf_prog_run32+0xed/0x140
  [...]

The problem is that in __bpf_skb_change_head() we need to reject a
negative head_room as otherwise this propagates all the way to the
pskb_expand_head() from skb_cow(). For example, if the BPF test infra
passes a skb with gso_skb:1 to the BPF helper with a negative head_room
of -22, then this gets passed into skb_cow(). __skb_cow() in this
example calculates a delta of -86 which gets aligned to -64, and then
triggers BUG_ON(nhead < 0). Thus, reject malformed negative input.

Fixes: 3a0af8f ("bpf: BPF for lightweight tunnel infrastructure")
Reported-by: Yinhao Hu <[email protected]>
Reported-by: Kaiyan Mei <[email protected]>
Reviewed-by: Dongliang Mu <[email protected]>
Signed-off-by: Daniel Borkmann <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bpf new V1-ci-pass V1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@borkmann