From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Daniel Borkmann, John Fastabend, Alexei Starovoitov, Sasha Levin
Subject: [PATCH 4.18 028/168] bpf: fix msg->data/data_end after sg shift repair in bpf_msg_pull_data
Date: Mon, 8 Oct 2018 20:30:08 +0200
Message-Id: <20181008175621.114168057@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
In-Reply-To: <20181008175620.043587728@linuxfoundation.org>
References: <20181008175620.043587728@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

4.18-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Daniel Borkmann

[ Upstream commit 0e06b227c5221dd51b5569de93f3b9f532be4a32 ]

In the current code, msg->data is set as sg_virt(&sg[i]) + start - offset and msg->data_end relative to it as msg->data + bytes. Using iterator i to point to the updated starting scatterlist element holds true for some cases, however not for all where we'd end up pointing out of bounds. It is /correct/ for these ones:

1) When first finding the starting scatterlist element (sge) where we find that the page is already privately owned by the msg and where the requested bytes and headroom fit into the sge's length.

However, it's /incorrect/ for the following ones:

2) After we made the requested area private and updated the newly allocated page into first_sg slot of the scatterlist ring; when we find that no shift repair of the ring is needed where we bail out updating msg->data and msg->data_end. At that point i will point to last_sg, which in this case is the next elem of first_sg in the ring. The sge at that point might as well be invalid (e.g. i == msg->sg_end), which we use for setting the range of sg_virt(&sg[i]). The correct one would have been first_sg.

3) Similar as in 2) but when we find that a shift repair of the ring is needed. In this case we fix up all sges and stop once we've reached the end. In this case i will point to the new msg->sg_end, and the sge at that point will be invalid. Again here the requested range sits in first_sg.

Fixes: 015632bb30da ("bpf: sk_msg program helper bpf_sk_msg_pull_data")
Signed-off-by: Daniel Borkmann
Acked-by: John Fastabend
Signed-off-by: Alexei Starovoitov
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 net/core/filter.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2300,6 +2300,7 @@ BPF_CALL_4(bpf_msg_pull_data, if (unlikely(start >= offset + len)) return -EINVAL; + first_sg = i; /* The start may point into the sg element so we need to also * account for the headroom. */ @@ -2307,8 +2308,6 @@ BPF_CALL_4(bpf_msg_pull_data, if (!msg->sg_copy[i] && bytes_sg_total <= len) goto out; - first_sg = i; - /* At this point we need to linearize multiple scatterlist * elements or a single shared page. Either way we need to * copy into a linear buffer exclusively owned by BPF. Then @@ -2390,7 +2389,7 @@ BPF_CALL_4(bpf_msg_pull_data, if (msg->sg_end < 0) msg->sg_end += MAX_SKB_FRAGS; out: - msg->data = sg_virt(&sg[i]) + start - offset; + msg->data = sg_virt(&sg[first_sg]) + start - offset; msg->data_end = msg->data + bytes; return 0;
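Review bot: in the first hunk (@@ -2300), `first_sg = i;` now runs before the `goto out` at the `!msg->sg_copy[i] && bytes_sg_total <= len` check, so first_sg is valid on the early-exit path as well as on the linearization path; that is the property the `out:` label now depends on. The commit message describes the three cases but never states this invariant, so it is worth a one-line comment above the assignment, e.g. `/* first_sg must be valid on every path that reaches out: */`, so that a later refactor does not move it back below the goto.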
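Review bot: for the second hunk (@@ -2307), removing `first_sg = i;` here is only behaviour-preserving if nothing between the new assignment site and this point modifies `i`; the lines shown (the headroom comment and the `bytes_sg_total <= len` test) do not, but the hunk omits the intervening lines, so the reviewer should confirm that the headroom accounting touches only `start`, `offset` and `bytes_sg_total`.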
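Review bot: in the third hunk (@@ -2390), `sg_virt(&sg[first_sg]) + start - offset` is only right if `offset` is still the byte offset at which element first_sg begins within the message; that holds because offset was computed when first_sg was found and the commit message says the newly allocated page is placed into the first_sg slot rather than moved, but the code does not say so. Suggest a short comment at `out:` recording that first_sg and offset describe the same element, since the pre-patch line silently assumed `i` did and, as the commit message explains, after shift repair `i` ends up at the new msg->sg_end (the `msg->sg_end += MAX_SKB_FRAGS` wrap just above shows it is a ring index, not a guaranteed-valid element).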
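To make the three cases in the commit message concrete, here is a constructed toy model of the scatterlist ring bookkeeping, added for this review and not the kernel's code: it is simplified (whole elements are copied into one heap buffer, the ring has 8 slots, element ownership is a bool), and the `fixed` flag switches the `out:` index between the pre-patch `i` and the patched `first_sg`. In the constructed scenario (three shared elements, a pull that spans two of them) the pre-patch index lands on the new `sg_end` slot, which the patched choice avoids:

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#define RING 8 /* constructed ring size; the kernel ring holds MAX_SKB_FRAGS entries */
struct sge { char *buf; size_t len; bool owned; };
struct toy_msg { struct sge sg[RING]; int sg_start, sg_end; char *data, *data_end; };
/* Toy model of the index bookkeeping in bpf_msg_pull_data (constructed, not kernel code).
 * `fixed` makes out: use first_sg (patched) instead of i (pre-patch). Returns the index used,
 * -1 if that index is the invalid sg_end slot, -2 if start lies past the end of the message. */
static int toy_pull(struct toy_msg *m, size_t start, size_t bytes, bool fixed)
{
    int i = m->sg_start, first_sg, last_sg = 0, idx; char *lin = NULL;
    size_t offset = 0, len = 0, need, copied = 0;
    for (;; offset += len, i = (i + 1) % RING) {  /* find the element containing start */
        if (i == m->sg_end) return -2;
        len = m->sg[i].len;
        if (start < offset + len) break;
    }
    first_sg = i;
    if (m->sg[i].owned && start - offset + bytes <= len) goto out;   /* case 1: fits as-is */
    need = start - offset + bytes;
    do {                                          /* cases 2/3: linearize whole elements */
        lin = realloc(lin, copied + m->sg[i].len);
        memcpy(lin + copied, m->sg[i].buf, m->sg[i].len);
        copied += m->sg[i].len;
        i = (i + 1) % RING;
    } while (copied < need && i != m->sg_end);
    last_sg = i;
    m->sg[first_sg] = (struct sge){ lin, copied, true };   /* new page lands in first_sg */
    i = (first_sg + 1) % RING;                    /* shift repair: slide the tail down */
    for (; last_sg != m->sg_end; last_sg = (last_sg + 1) % RING, i = (i + 1) % RING)
        m->sg[i] = m->sg[last_sg];
    m->sg_end = i;                                /* i now names the new, invalid sg_end slot */
out: idx = fixed ? first_sg : i;                  /* the one line the patch changes */
    if (idx == m->sg_end) return -1;              /* sg[idx] would be read out of bounds */
    m->data = m->sg[idx].buf + start - offset;
    m->data_end = m->data + bytes;
    return idx;
}
/* Constructed scenario: shared "abc","def","ghi"; pull 4 bytes at offset 1; -3 if data != "bcde". */
static int demo(bool fixed)
{
    char bufs[3][4] = { "abc", "def", "ghi" };
    struct toy_msg m = { .sg_start = 0, .sg_end = 3 };
    for (int k = 0; k < 3; k++) m.sg[k] = (struct sge){ bufs[k], 3, false };
    int idx = toy_pull(&m, 1, 4, fixed);
    if (idx >= 0 && (memcmp(m.data, "bcde", 4) != 0 || m.data_end - m.data != 4)) idx = -3;
    free(m.sg[0].buf);                            /* this scenario always linearizes into slot 0 */
    return idx;
}
```

`demo(true)` returns 0 (first_sg, with msg->data pointing at "bcde"), while `demo(false)` returns -1 because the pre-patch index equals the new sg_end.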