From patchwork Fri Dec 1 03:23:15 2023
X-Patchwork-Submitter: John Fastabend
X-Patchwork-Id: 13475306
X-Patchwork-Delegate: bpf@iogearbox.net
From: John Fastabend
To: kuniyu@amazon.com, edumazet@google.com, jakub@cloudflare.com
Cc: john.fastabend@gmail.com, bpf@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH bpf 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add
Date: Thu, 30 Nov 2023 19:23:15 -0800
Message-Id: <20231201032316.183845-2-john.fastabend@gmail.com>
In-Reply-To: <20231201032316.183845-1-john.fastabend@gmail.com>
References: <20231201032316.183845-1-john.fastabend@gmail.com>
X-Mailing-List: bpf@vger.kernel.org

I added logic to track the sock pair for stream_unix sockets so that we
ensure lifetime of the sock matches the time a sockmap could reference
the sock (see fixes tag). I forgot though that we allow af_unix unconnected
sockets into a sock{map|hash} map.

This is problematic because the previous fix expected sk_pair() to exist
and did not NULL check it. Because unconnected sockets have a NULL
sk_pair this resulted in the NULL ptr dereference found by syzkaller.

BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
Call Trace:
 ...
 sock_hold include/net/sock.h:777 [inline]
 unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
 sock_map_init_proto net/core/sock_map.c:190 [inline]
 sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
 sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
 sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
 bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167

We considered just checking for the null ptr and skipping taking a ref
on the NULL peer sock. But, if the socket is then connected() after
being added to the sockmap we can cause the original issue again. So
instead this patch blocks adding af_unix sockets that are not in the
ESTABLISHED state.

Reported-by: Eric Dumazet Reported-by: syzbot+e8030702aefd3444fb9e@syzkaller.appspotmail.com Fixes: 8866730aed51 ("bpf, sockmap: af_unix stream sockets need to hold ref for pair sock") Signed-off-by: John Fastabend --- include/net/sock.h | 5 +++++ net/core/sock_map.c | 2 ++ 2 files changed, 7 insertions(+) diff --git a/include/net/sock.h b/include/net/sock.h index 1d6931caf0c3..ea1155d68f0b 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -2799,6 +2799,11 @@ static inline bool sk_is_tcp(const struct sock *sk) return sk->sk_type == SOCK_STREAM && sk->sk_protocol == IPPROTO_TCP; } +static inline bool sk_is_unix(const struct sock *sk) +{ + return sk->sk_family == AF_UNIX && sk->sk_type == SOCK_STREAM; +} + /** * sk_eat_skb - Release a skb if it is no longer needed * @sk: socket to eat this skb from diff --git a/net/core/sock_map.c b/net/core/sock_map.c index 4292c2ed1828..448aea066942 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c 
@@ -536,6 +536,8 @@ static bool sock_map_sk_state_allowed(const struct sock *sk) { if (sk_is_tcp(sk)) return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_LISTEN); + if (sk_is_unix(sk)) + return (1 << sk->sk_state) & TCPF_ESTABLISHED; return true; }

From patchwork Fri Dec 1 03:23:16 2023
X-Patchwork-Submitter: John Fastabend
X-Patchwork-Id: 13475307
X-Patchwork-Delegate: bpf@iogearbox.net
From: John Fastabend
To: kuniyu@amazon.com, edumazet@google.com, jakub@cloudflare.com
Cc: john.fastabend@gmail.com, bpf@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH bpf 2/2] bpf: sockmap, test for unconnected af_unix sock
Date: Thu, 30 Nov 2023 19:23:16 -0800
Message-Id: <20231201032316.183845-3-john.fastabend@gmail.com>
In-Reply-To: <20231201032316.183845-1-john.fastabend@gmail.com>
References: <20231201032316.183845-1-john.fastabend@gmail.com>
X-Mailing-List: bpf@vger.kernel.org

Add test to sockmap_basic to ensure af_unix sockets that are not connected
can not be added to the map. Ensure we keep DGRAM sockets working however
as these will not be connected typically.

Signed-off-by: John Fastabend
---
 .../selftests/bpf/prog_tests/sockmap_basic.c | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c index f75f84d0b3d7..ad96f4422def 100644 --- a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c +++ b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c @@ -524,6 +524,37 @@ static void test_sockmap_skb_verdict_peek(void) test_sockmap_pass_prog__destroy(pass); } +static void test_sockmap_unconnected_unix(void) +{ + int err, map, stream = 0, dgram = 0, zero = 0; + struct test_sockmap_pass_prog *skel; + + skel = test_sockmap_pass_prog__open_and_load(); + if (!ASSERT_OK_PTR(skel, "open_and_load")) + return; + + map = bpf_map__fd(skel->maps.sock_map_rx); + + stream = xsocket(AF_UNIX, SOCK_STREAM, 0); + if (!ASSERT_GT(stream, -1, "socket(AF_UNIX, SOCK_STREAM)")) + return; + + dgram = xsocket(AF_UNIX, SOCK_DGRAM, 0); + if (!ASSERT_GT(dgram, -1, "socket(AF_UNIX, SOCK_DGRAM)")) { + close(stream); + return; + } + + err = bpf_map_update_elem(map, &zero, &stream, BPF_ANY); + ASSERT_ERR(err, "bpf_map_update_elem(stream)"); + + err = bpf_map_update_elem(map, &zero, &dgram, BPF_ANY); + ASSERT_OK(err, "bpf_map_update_elem(dgram)"); + + close(stream); + close(dgram); +} + void test_sockmap_basic(void) { if (test__start_subtest("sockmap create_update_free")) @@ -566,4 +597,7 @@ void test_sockmap_basic(void) test_sockmap_skb_verdict_fionread(false); if (test__start_subtest("sockmap skb_verdict msg_f_peek")) test_sockmap_skb_verdict_peek(); + + if (test__start_subtest("sockmap unconnected af_unix")) + test_sockmap_unconnected_unix(); }
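
Review bot: sk_is_unix() in the include/net/sock.h hunk of patch 1/2 also requires sk->sk_type == SOCK_STREAM, so it returns false for AF_UNIX datagram sockets despite its name. Because it sits next to sk_is_tcp() in a shared header, a later caller could take it for a plain address-family test. Consider a name that says stream, such as sk_is_stream_unix(), or at least a comment above the helper stating that only stream sockets match.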
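
Review bot: the new branch in sock_map_sk_state_allowed() (net/core/sock_map.c hunk, patch 1/2) tests an AF_UNIX socket's sk_state against TCPF_ESTABLISHED with no comment, and unlike the TCP branch above it leaves out TCPF_LISTEN. The reason is only in the commit message (an unconnected stream socket has a NULL sk_pair, and connecting it after insertion would bring the original issue back), so a short comment at this line would keep someone from later widening the mask to match the TCP one. It is also worth stating there that AF_UNIX sockets that are not SOCK_STREAM still fall through to return true, which the dgram case in patch 2/2 relies on.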
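
Review bot: test_sockmap_unconnected_unix() in patch 2/2 never calls test_sockmap_pass_prog__destroy(skel), so the skeleton is leaked on the success path and on both early returns after a failed xsocket(); the function just above it in the context ends with test_sockmap_pass_prog__destroy(pass). Suggest a single cleanup label that closes whichever fds were opened and destroys skel. The test also covers only the rejected case for SOCK_STREAM; adding a connected stream pair and asserting that bpf_map_update_elem() succeeds would confirm the new state check does not reject established sockets.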