| Message ID | 20220617071855.2482-1-zhudi2@huawei.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | BPF |
| Headers | show |
| Series | bpf: Don't redirect packets with pkt_len 0 | expand |
On Fri, Jun 17, 2022 at 9:19 AM Di Zhu <zhudi2@huawei.com> wrote: > > Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any > skbs, that is, the flow->head is null. > The root cause, as the [2] says, is because that bpf_prog_test_run_skb() > run a bpf prog which redirects empty skbs. > So we should determine whether the length of the packet modified by bpf > prog or others like bpf_prog_test is 0 before forwarding it directly. > > LINK: [1] https://syzkaller.appspot.com/bug?id=0b84da80c2917757915afa89f7738a9d16ec96c5 > LINK: [2] https://www.spinics.net/lists/netdev/msg777503.html > > Reported-by: syzbot+7a12909485b94426aceb@syzkaller.appspotmail.com > Signed-off-by: Di Zhu <zhudi2@huawei.com> > --- > net/core/filter.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/core/filter.c b/net/core/filter.c > index 5af58eb48587..c7fbfa90898a 100644 > --- a/net/core/filter.c > +++ b/net/core/filter.c > @@ -2156,6 +2156,9 @@ static int __bpf_redirect_common(struct sk_buff *skb, struct net_device *dev, > static int __bpf_redirect(struct sk_buff *skb, struct net_device *dev, > u32 flags) > { > + if (unlikely(skb->len == 0)) > + return -EINVAL; > + You focus again on fq_codel, but we have a more generic issue at hand. I said that most drivers will assume packets are Ethernet ones, having at least an Ethernet header in them. Also returning -EINVAL will leak the skb :/ I think a better fix would be to make sure the skb carries an expected packet length, and this probably differs in __bpf_redirect_common() and __bpf_redirect_no_mac() ? Current test in __bpf_redirect_common() seems not good enough. + /* Verify that a link layer header is carried */ + if (unlikely(skb->mac_header >= skb->network_header)) { + kfree_skb(skb); + return -ERANGE; + } + It should check that the link layer header size is >= dev->min_header_len > if (dev_is_mac_header_xmit(dev)) > return __bpf_redirect_common(skb, dev, flags); > else > -- > 2.27.0 >
diff --git a/net/core/filter.c b/net/core/filter.c index 5af58eb48587..c7fbfa90898a 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -2156,6 +2156,9 @@ static int __bpf_redirect_common(struct sk_buff *skb, struct net_device *dev, static int __bpf_redirect(struct sk_buff *skb, struct net_device *dev, u32 flags) { + if (unlikely(skb->len == 0)) + return -EINVAL; + if (dev_is_mac_header_xmit(dev)) return __bpf_redirect_common(skb, dev, flags); else
Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any skbs, that is, the flow->head is null. The root cause, as the [2] says, is because that bpf_prog_test_run_skb() run a bpf prog which redirects empty skbs. So we should determine whether the length of the packet modified by bpf prog or others like bpf_prog_test is 0 before forwarding it directly. LINK: [1] https://syzkaller.appspot.com/bug?id=0b84da80c2917757915afa89f7738a9d16ec96c5 LINK: [2] https://www.spinics.net/lists/netdev/msg777503.html Reported-by: syzbot+7a12909485b94426aceb@syzkaller.appspotmail.com Signed-off-by: Di Zhu <zhudi2@huawei.com> --- net/core/filter.c | 3 +++ 1 file changed, 3 insertions(+)