bpf: Explicitly check accesses to bpf_sock_addr #5964
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Author
|
Upstream branch: f36caa7 |
Author
|
Upstream branch: f36caa7 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1002970=>bpf
branch
from
f744821 to
20b1046
Compare
Author
|
Upstream branch: f36caa7 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1002970=>bpf
branch
from
20b1046 to
025f27c
Compare
Syzkaller found a kernel warning on the following sock_addr program:
0: r0 = 0
1: r2 = *(u32 *)(r1 +60)
2: exit
which triggers:
verifier bug: error during ctx access conversion (0)
This is happening because offset 60 in bpf_sock_addr corresponds to an
implicit padding of 4 bytes, right after msg_src_ip4. Access to this
padding isn't rejected in sock_addr_is_valid_access and it thus later
fails to convert the access.
This patch fixes it by explicitly checking the various fields of
bpf_sock_addr in sock_addr_is_valid_access.
I checked the other ctx structures and is_valid_access functions and
didn't find any other similar cases. Other cases of (properly handled)
padding are covered in new tests in a subsequent patch.
Fixes: 1cedee1 ("bpf: Hooks for sys_sendmsg")
Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=136ca59d411f92e821b7
Signed-off-by: Paul Chaignon <[email protected]>
Acked-by: Eduard Zingerman <[email protected]>
Author
|
Upstream branch: f36caa7 |
Move the sizeof_field and offsetofend macros from individual test files to the common bpf_misc.h to avoid duplication. Signed-off-by: Paul Chaignon <[email protected]> Acked-by: Eduard Zingerman <[email protected]>
This patch adds tests covering the various paddings in ctx structures. In case of sk_lookup BPF programs, the behavior is a bit different because accesses to the padding are explicitly allowed. Other cases result in a clear reject from the verifier. Signed-off-by: Paul Chaignon <[email protected]> Acked-by: Eduard Zingerman <[email protected]>
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1002970=>bpf
branch
from
025f27c to
a315028
Compare
Author
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=1002970 expired. Closing PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: bpf: Explicitly check accesses to bpf_sock_addr
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1002970