Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp274572pxu; Thu, 7 Jan 2021 04:52:03 -0800 (PST) X-Google-Smtp-Source: ABdhPJzUVYfhW53182WxngFhj6Zpe+Pt/1PW6iikIeaXpwd9AXCHGfNUrNXpu+J1sk/4rxv0sbfT X-Received: by 2002:a17:906:1c92:: with SMTP id g18mr6283861ejh.522.1610023923766; Thu, 07 Jan 2021 04:52:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610023923; cv=none; d=google.com; s=arc-20160816; b=W7yfeYRd2zm2wq4qenzWfKK+QlrGN4QnANvQXHKicYRbKQNKJCRjOLn63xCf/Zag9r 30DTJL24kt7GPDVZLh2lToTdkrOC//+8dnHebevr6kwTnFmnQZRnPOCo6Ycu85xy41A8 uQnZdU8yAtuXFKr+JaPm9xNaBxNaBgwXrBQryS49BjW8Nh75I42/4PFAkfRILaXEbuEW sKNmMJ6fStiT/hg/7H4xrxchD0+tHucE+XUZblY2sgP7ZVLWPukygnNsLSeoS4NxRPrY vmLis3GHN3WWuFfGswhCkkoaM8FbZa23S58htLYf1egroiPwnuMkL8mzZnm6G6NXuSLk 5WRw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=3HtQyyV69dkBN9AH6I8ftTXt3+ze5prPt+h7q5I3BtE=; b=N+T2HOK2rfn8vb8YnNAKZcQwoxOF7DO0TbM8rU83zLfTUZIh61vUo9Y3SeHBALyflH CVJNu/cp5fry77/gf9HjHCSzA7eW6dRto0v81nzWBBQ5K5bsqS09TIA2O8JpyelMnJrI ldKd3E9qHrVWfpUBwmsUTU3hmXNsXeiAYZ1zm+HlQ0PBxeivhyDHfUzFb15XfZyt10RK JVp5iXjqP+lVK+AtGdx+oyhkAzIKaM7I0EBbji2pSY97eEN5eNj+DzeDcMAXNz7eYqHE AfGNZIwVt9pBVrnQopMMxc/B8BSES9h3/kxsZP6E4JNuoDWShE/4vzw4sooQaDR4YaCq tjAQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d21si2102457eja.412.2021.01.07.04.51.39; Thu, 07 Jan 2021 04:52:03 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727850AbhAGMum (ORCPT + 99 others); Thu, 7 Jan 2021 07:50:42 -0500 Received: from www62.your-server.de ([213.133.104.62]:53320 "EHLO www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727327AbhAGMum (ORCPT ); Thu, 7 Jan 2021 07:50:42 -0500 Received: from sslproxy06.your-server.de ([78.46.172.3]) by www62.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from ) id 1kxUjX-00039w-Ce; Thu, 07 Jan 2021 13:49:43 +0100 Received: from [85.7.101.30] (helo=pc-9.home) by sslproxy06.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kxUjX-000SrG-1I; Thu, 07 Jan 2021 13:49:43 +0100 Subject: Re: [PATCH net v2] net: fix use-after-free when UDP GRO with shared fraglist To: Dongseok Yi , "'David S. Miller'" , 'Willem de Bruijn' Cc: 'Jakub Kicinski' , 'Miaohe Lin' , 'Paolo Abeni' , 'Florian Westphal' , 'Al Viro' , 'Guillaume Nault' , 'Yunsheng Lin' , 'Steffen Klassert' , 'Yadu Kishore' , 'Marco Elver' , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, namkyu78.kim@samsung.com References: <1609750005-115609-1-git-send-email-dseok.yi@samsung.com> <1609979953-181868-1-git-send-email-dseok.yi@samsung.com> <83a2b288-c0b2-ed98-9479-61e1cbe25519@iogearbox.net> <028b01d6e4e9$ddd5fd70$9981f850$@samsung.com> From: Daniel Borkmann Message-ID: Date: Thu, 7 Jan 2021 13:49:26 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2 MIME-Version: 1.0 In-Reply-To: <028b01d6e4e9$ddd5fd70$9981f850$@samsung.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.102.4/26041/Wed Jan 6 13:36:32 2021) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 1/7/21 12:40 PM, Dongseok Yi wrote: > On 2021-01-07 20:05, Daniel Borkmann wrote: >> On 1/7/21 1:39 AM, Dongseok Yi wrote: >>> skbs in fraglist could be shared by a BPF filter loaded at TC. It >>> triggers skb_ensure_writable -> pskb_expand_head -> >>> skb_clone_fraglist -> skb_get on each skb in the fraglist. >>> >>> While tcpdump, sk_receive_queue of PF_PACKET has the original fraglist. >>> But the same fraglist is queued to PF_INET (or PF_INET6) as the fraglist >>> chain made by skb_segment_list. >>> >>> If the new skb (not fraglist) is queued to one of the sk_receive_queue, >>> multiple ptypes can see this. The skb could be released by ptypes and >>> it causes use-after-free. >>> >>> [ 4443.426215] ------------[ cut here ]------------ >>> [ 4443.426222] refcount_t: underflow; use-after-free. >>> [ 4443.426291] WARNING: CPU: 7 PID: 28161 at lib/refcount.c:190 >>> refcount_dec_and_test_checked+0xa4/0xc8 >>> [ 4443.426726] pstate: 60400005 (nZCv daif +PAN -UAO) >>> [ 4443.426732] pc : refcount_dec_and_test_checked+0xa4/0xc8 >>> [ 4443.426737] lr : refcount_dec_and_test_checked+0xa0/0xc8 >>> [ 4443.426808] Call trace: >>> [ 4443.426813] refcount_dec_and_test_checked+0xa4/0xc8 >>> [ 4443.426823] skb_release_data+0x144/0x264 >>> [ 4443.426828] kfree_skb+0x58/0xc4 >>> [ 4443.426832] skb_queue_purge+0x64/0x9c >>> [ 4443.426844] packet_set_ring+0x5f0/0x820 >>> [ 4443.426849] packet_setsockopt+0x5a4/0xcd0 >>> [ 4443.426853] __sys_setsockopt+0x188/0x278 >>> [ 4443.426858] __arm64_sys_setsockopt+0x28/0x38 >>> [ 4443.426869] el0_svc_common+0xf0/0x1d0 >>> [ 4443.426873] el0_svc_handler+0x74/0x98 >>> [ 4443.426880] el0_svc+0x8/0xc >>> >>> Fixes: 3a1296a38d0c (net: Support GRO/GSO fraglist chaining.) >>> Signed-off-by: Dongseok Yi >>> Acked-by: Willem de Bruijn >>> --- >>> net/core/skbuff.c | 20 +++++++++++++++++++- >>> 1 file changed, 19 insertions(+), 1 deletion(-) >>> >>> v2: Expand the commit message to clarify a BPF filter loaded >>> >>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c >>> index f62cae3..1dcbda8 100644 >>> --- a/net/core/skbuff.c >>> +++ b/net/core/skbuff.c >>> @@ -3655,7 +3655,8 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, >>> unsigned int delta_truesize = 0; >>> unsigned int delta_len = 0; >>> struct sk_buff *tail = NULL; >>> - struct sk_buff *nskb; >>> + struct sk_buff *nskb, *tmp; >>> + int err; >>> >>> skb_push(skb, -skb_network_offset(skb) + offset); >>> >>> @@ -3665,11 +3666,28 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, >>> nskb = list_skb; >>> list_skb = list_skb->next; >>> >>> + err = 0; >>> + if (skb_shared(nskb)) { >>> + tmp = skb_clone(nskb, GFP_ATOMIC); >>> + if (tmp) { >>> + kfree_skb(nskb); >> >> Should use consume_skb() to not trigger skb:kfree_skb tracepoint when looking >> for drops in the stack. > > I will use to consume_skb() on the next version. > >>> + nskb = tmp; >>> + err = skb_unclone(nskb, GFP_ATOMIC); >> >> Could you elaborate why you also need to unclone? This looks odd here. tc layer >> (independent of BPF) from ingress & egress side generally assumes unshared skb, >> so above clone + dropping ref of nskb looks okay to make the main skb struct private >> for mangling attributes (e.g. mark) & should suffice. What is the exact purpose of >> the additional skb_unclone() in this context? > > Willem de Bruijn said: > udp_rcv_segment later converts the udp-gro-list skb to a list of > regular packets to pass these one-by-one to udp_queue_rcv_one_skb. > Now all the frags are fully fledged packets, with headers pushed > before the payload. Yes. > PF_PACKET handles untouched fraglist. To modify the payload only > for udp_rcv_segment, skb_unclone is necessary. I don't parse this last sentence here, please elaborate in more detail on why it is necessary. For example, if tc layer would modify mark on the skb, then __copy_skb_header() in skb_segment_list() will propagate it. If tc layer would modify payload, the skb_ensure_writable() will take care of that internally and if needed pull in parts from fraglist into linear section to make it private. The purpose of the skb_clone() above iff shared is to make the struct itself private (to safely modify its struct members). What am I missing? >>> + } else { >>> + err = -ENOMEM; >>> + } >>> + } >>> + >>> if (!tail) >>> skb->next = nskb; >>> else >>> tail->next = nskb; >>> >>> + if (unlikely(err)) { >>> + nskb->next = list_skb; >>> + goto err_linearize; >>> + } >>> + >>> tail = nskb; >>> >>> delta_len += nskb->len; >>> > >