From patchwork Fri Jun 14 10:17:33 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 13698611
X-Patchwork-Delegate: bpf@iogearbox.net
From: Florian Westphal
To: bpf@vger.kernel.org
Cc: martin.lau@linux.dev, daniel@iogearbox.net, netdev@vger.kernel.org, Florian Westphal, syzbot+0c4150bff9fff3bf023c@syzkaller.appspotmail.com, Eric Dumazet
Subject: [PATCH bpf] bpf: avoid splat in pskb_pull_reason
Date: Fri, 14 Jun 2024 12:17:33 +0200
Message-ID: <20240614101801.9496-1-fw@strlen.de>
X-Mailer: git-send-email 2.44.2
In-Reply-To: <9f254c96-54f2-4457-b7ab-1d9f6187939c@gmail.com>
References: <9f254c96-54f2-4457-b7ab-1d9f6187939c@gmail.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org

syzkaller builds (CONFIG_DEBUG_NET=y) frequently trigger a debug hint in pskb_may_pull.

We'd like to retain this debug check because it might hint at integer overflows and other issues (kernel code should pull headers, not huge value).

In bpf case, this splat isn't interesting at all: such (nonsensical) bpf programs are typically generated by a fuzzer anyway.

Do what Eric suggested and suppress such warning.

For CONFIG_DEBUG_NET=n we don't need the extra check because pskb_may_pull will do the right thing: return an error without the WARN() backtrace.

Reported-by: syzbot+0c4150bff9fff3bf023c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0c4150bff9fff3bf023c
Fixes: 219eee9c0d16 ("net: skbuff: add overflow debug check to pull/push helpers")
Link: https://lore.kernel.org/netdev/9f254c96-54f2-4457-b7ab-1d9f6187939c@gmail.com/
Suggested-by: Eric Dumazet
Signed-off-by: Florian Westphal
Reviewed-by: Eric Dumazet

--- net/core/filter.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index 2510464692af..9933851c685e 100644 --- a/net/core/filter.c +++ b/net/core/filter.c
@@ -1665,6 +1665,11 @@ static DEFINE_PER_CPU(struct bpf_scratchpad, bpf_sp); static inline int __bpf_try_make_writable(struct sk_buff *skb, unsigned int write_len) { +#ifdef CONFIG_DEBUG_NET + /* Avoid a splat in pskb_may_pull_reason() */ + if (write_len > INT_MAX) + return -EINVAL; +#endif return skb_ensure_writable(skb, write_len); }
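Review bot: The new `write_len > INT_MAX` guard in __bpf_try_make_writable() exists only under `#ifdef CONFIG_DEBUG_NET` and returns -EINVAL, while on a non-debug build the same oversized write_len is rejected by skb_ensure_writable() with whatever error that path produces. Unless the two are known to match, a BPF program can see a different errno for the same input depending on the kernel config, which makes a syzkaller finding on a debug build harder to compare against production behaviour. Consider either returning the same error value that skb_ensure_writable() yields in this case, or making the check unconditional so both builds agree. The comment would also be more useful if it said why INT_MAX is the bound (the debug check fires for lengths above it) instead of only naming the helper, and the helper name should be made consistent: the subject line says pskb_pull_reason, the commit text says pskb_may_pull, and the comment says pskb_may_pull_reason().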