From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot, Willem de Bruijn, Martin KaFai Lau, Daniel Borkmann
Subject: [PATCH 4.19 64/99] bpf: in __bpf_redirect_no_mac pull mac only if present
Date: Mon, 21 Jan 2019 14:48:56 +0100
Message-Id: <20190121134916.400696189@linuxfoundation.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190121134913.924726465@linuxfoundation.org>
References: <20190121134913.924726465@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.19-stable review patch. If anyone has any objections, please let me know.

------------------
From: Willem de Bruijn

commit e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488 upstream.

Syzkaller was able to construct a packet of negative length by
redirecting from bpf_prog_test_run_skb with BPF_PROG_TYPE_LWT_XMIT:

  BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
  BUG: KASAN: slab-out-of-bounds in skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
  BUG: KASAN: slab-out-of-bounds in __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
  Read of size 4294967282 at addr ffff8801d798009c by task syz-executor2/12942

  kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
  check_memory_region_inline mm/kasan/kasan.c:260 [inline]
  check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
  memcpy+0x23/0x50 mm/kasan/kasan.c:302
  memcpy include/linux/string.h:345 [inline]
  skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
  __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
  __pskb_copy include/linux/skbuff.h:1053 [inline]
  pskb_copy include/linux/skbuff.h:2904 [inline]
  skb_realloc_headroom+0xe7/0x120 net/core/skbuff.c:1539
  ipip6_tunnel_xmit net/ipv6/sit.c:965 [inline]
  sit_tunnel_xmit+0xe1b/0x30d0 net/ipv6/sit.c:1029
  __netdev_start_xmit include/linux/netdevice.h:4325 [inline]
  netdev_start_xmit include/linux/netdevice.h:4334 [inline]
  xmit_one net/core/dev.c:3219 [inline]
  dev_hard_start_xmit+0x295/0xc90 net/core/dev.c:3235
  __dev_queue_xmit+0x2f0d/0x3950 net/core/dev.c:3805
  dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
  __bpf_tx_skb net/core/filter.c:2016 [inline]
  __bpf_redirect_common net/core/filter.c:2054 [inline]
  __bpf_redirect+0x5cf/0xb20 net/core/filter.c:2061
  ____bpf_clone_redirect net/core/filter.c:2094 [inline]
  bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2066
  bpf_prog_41f2bcae09cd4ac3+0xb25/0x1000

The generated test constructs a packet with mac header, network header,
skb->data pointing to network header and skb->len 0.

Redirecting to a sit0 through __bpf_redirect_no_mac pulls the mac
length, even though skb->data already is at skb->network_header.
bpf_prog_test_run_skb has already pulled it as LWT_XMIT !is_l2.

Update the offset calculation to pull only if skb->data differs from
skb->network_header, which is not true in this case.

The test itself can be run only from commit 1cf1cae963c2 ("bpf:
introduce BPF_PROG_TEST_RUN command"), but the same type of packets
with skb at network header could already be built from lwt xmit hooks,
so this fix is more relevant to that commit.

Also set the mac header on redirect from LWT_XMIT, as even after this
change to __bpf_redirect_no_mac that field is expected to be set, but
is not yet in ip_finish_output2.

Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure")
Reported-by: syzbot
Signed-off-by: Willem de Bruijn
Acked-by: Martin KaFai Lau
Signed-off-by: Daniel Borkmann
Signed-off-by: Greg Kroah-Hartman
---
 net/core/filter.c  | 21 +++++++++++----------
 net/core/lwt_bpf.c |  1 +
 2 files changed, 12 insertions(+), 10 deletions(-)

--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2018,18 +2018,19 @@ static inline int __bpf_tx_skb(struct ne static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev, u32 flags) { - /* skb->mac_len is not set on normal egress */ - unsigned int mlen = skb->network_header - skb->mac_header; + unsigned int mlen = skb_network_offset(skb); - __skb_pull(skb, mlen); + if (mlen) { + __skb_pull(skb, mlen); - /* At ingress, the mac header has already been pulled once. - * At egress, skb_pospull_rcsum has to be done in case that - * the skb is originated from ingress (i.e. a forwarded skb) - * to ensure that rcsum starts at net header. - */ - if (!skb_at_tc_ingress(skb)) - skb_postpull_rcsum(skb, skb_mac_header(skb), mlen); + /* At ingress, the mac header has already been pulled once. + * At egress, skb_pospull_rcsum has to be done in case that + * the skb is originated from ingress (i.e. a forwarded skb) + * to ensure that rcsum starts at net header. + */ + if (!skb_at_tc_ingress(skb)) + skb_postpull_rcsum(skb, skb_mac_header(skb), mlen); + } skb_pop_mac_header(skb); skb_reset_mac_len(skb); return flags & BPF_F_INGRESS ? --- a/net/core/lwt_bpf.c +++ b/net/core/lwt_bpf.c @@ -63,6 +63,7 @@ static int run_lwt_bpf(struct sk_buff *s lwt->name ? : ""); ret = BPF_OK; } else { + skb_reset_mac_header(skb); ret = skb_do_redirect(skb); if (ret == 0) ret = BPF_REDIRECT;
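Review bot: in the __bpf_redirect_no_mac hunk, `mlen` stays `unsigned int` while the new `skb_network_offset(skb)` is a signed offset (network header minus skb->data); if skb->data ever sits past the network header, the negative value wraps, passes the `if (mlen)` guard and reaches `__skb_pull()` and `skb_postpull_rcsum()` as a huge length, the same kind of unsigned wrap that produced the 4294967282-byte read quoted above. Consider an `int mlen` with `if (mlen > 0)`, or a `WARN_ON_ONCE(mlen < 0)`, so the guard covers the negative case as well as the zero case the commit message targets. Two smaller points: the removed comment `/* skb->mac_len is not set on normal egress */` explained why the length is derived from header offsets rather than skb->mac_len and is worth keeping above the new assignment, and the re-indented comment still reads `skb_pospull_rcsum` where the call directly below it is `skb_postpull_rcsum`.

Review bot: the added `skb_reset_mac_header(skb);` in run_lwt_bpf carries no comment on why the mac header is set right before `skb_do_redirect(skb)`; the reason lives only in the commit message (ip_finish_output2 has not set it yet, and __bpf_redirect_no_mac reads `skb_mac_header(skb)`). A one-line comment such as `/* not yet set by ip_finish_output2; the redirect path expects it */` would keep that intent beside the code. It is also worth noting there that after this reset the mac header equals skb->data, which at LWT_XMIT is already the network header, so `skb_network_offset()` in the filter.c hunk evaluates to 0 and the pull is skipped; without that note a later reader may take the reset for a redundant call.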