Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp24904imw;
        Tue, 12 Jul 2022 13:55:12 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1ux3nB/l9u9R+VKZ0PL2OuYVVIvkTnZigZURrN9MW/czs0jY+CfnnJlp1P4qBKM+PpvefjC
X-Received: by 2002:a63:24e:0:b0:412:5277:7a2a with SMTP id 75-20020a63024e000000b0041252777a2amr92285pgc.165.1657659312595;
        Tue, 12 Jul 2022 13:55:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1657659312; cv=none;
        d=google.com; s=arc-20160816;
        b=VvxFCF8hzlG6UtdsRSkwboBiU41XseNuhPQiX/iVYW03JyEJXIKv0ksVpkRs+lHg3f
         j8ChcC+VvoM8bb3Y9pbQ9oTZvk2jH9omdr4zS64lAQWEoQoM2oIFXBiLAquldFev3kaS
         j7P7YX0kVz2IaI22UifI1N5PxN8MxHQxvoxhs77lY36PC06hjAz6rzk8umHfaaUP0tw9
         1LMa1YITU1Xb5f/HuKdLc2hw37XpbJJjStczKWepIT2ofyCQZ2Fc7KjdpbFKH7ZLlR43
         KIcTuNJ+4UP2ifEpYkcfzrHyIOs35QHtExTbrVfLT0svWUZMYK77zpFu5s19pfs7ZKaS
         FnFg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject;
        bh=0AFW3PXxv6X/BgYK/Gv7vGnJn0Bg31qmSNE9CEVZUxc=;
        b=R3zgavRjGpefmHjmIjmwU5+M0l3otvfRz5+6b/M53uPBXs2Rs4WioVCfuNbQ05thUh
         eE7YH+vRg6nPNF+i7o2xDBE6BVdgC12ME+B7SoN37gwa4jwbAYBgo16kgK1ZsF0qBaYp
         Fvc/aVHQ9mGfD+qKg71N+qAQtyEQzthEfwzzi0rhTEC4kr4/aVZvUEheE67gaOBlx+JZ
         sNpT7Da2AycSbEj0ZosYG9YsxCOWQQ73JEUUo8YM2AiXXsbJcQvrSm93WOotIx4gJRBK
         J/tj1zKcpZYFhhtzz4ueoDyhhQFcFPbZB5InPdy/+DL5YAApC3+3ctcwTwEfyTmdw7hG
         kA1w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id x4-20020a1709028ec400b0016a17da4ad3si8879538plo.339.2022.07.12.13.54.58;
        Tue, 12 Jul 2022 13:55:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232913AbiGLUM2 (ORCPT <rfc822;alexzyp@gmail.com> + 99 others);
        Tue, 12 Jul 2022 16:12:28 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51868 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231157AbiGLUM0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 12 Jul 2022 16:12:26 -0400
Received: from www62.your-server.de (www62.your-server.de [213.133.104.62])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AD6D1BEB46;
        Tue, 12 Jul 2022 13:12:25 -0700 (PDT)
Received: from sslproxy06.your-server.de ([78.46.172.3])
        by www62.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256)
        (Exim 4.92.3)
        (envelope-from <daniel@iogearbox.net>)
        id 1oBMEz-0002bi-O3; Tue, 12 Jul 2022 22:12:17 +0200
Received: from [85.1.206.226] (helo=linux.home)
        by sslproxy06.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256)
        (Exim 4.92)
        (envelope-from <daniel@iogearbox.net>)
        id 1oBMEz-000SVy-9w; Tue, 12 Jul 2022 22:12:17 +0200
Subject: Re: [PATCH bpf-next] bpf: Don't redirect packets with invalid pkt_len
To:     sdf@google.com, Zhengchao Shao <shaozhengchao@huawei.com>
Cc:     bpf@vger.kernel.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, davem@davemloft.net,
        edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
        hawk@kernel.org, ast@kernel.org, andrii@kernel.org,
        martin.lau@linux.dev, song@kernel.org, yhs@fb.com,
        john.fastabend@gmail.com, kpsingh@kernel.org,
        weiyongjun1@huawei.com, yuehaibing@huawei.com
References: <20220712120158.56325-1-shaozhengchao@huawei.com>
 <Ys2oPzt7Yn1oMou8@google.com>
From:   Daniel Borkmann <daniel@iogearbox.net>
Message-ID: <f0bf3e9a-15e6-f5c8-1b2a-7866acfcb71b@iogearbox.net>
Date:   Tue, 12 Jul 2022 22:12:16 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <Ys2oPzt7Yn1oMou8@google.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Authenticated-Sender: daniel@iogearbox.net
X-Virus-Scanned: Clear (ClamAV 0.103.6/26599/Tue Jul 12 10:00:48 2022)
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NICE_REPLY_A,
        RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 7/12/22 6:58 PM, sdf@google.com wrote:
> On 07/12, Zhengchao Shao wrote:
>> Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any
>> skbs, that is, the flow->head is null.
>> The root cause, as the [2] says, is because that bpf_prog_test_run_skb()
>> run a bpf prog which redirects empty skbs.
>> So we should determine whether the length of the packet modified by bpf
>> prog or others like bpf_prog_test is valid before forwarding it directly.
> 
>> LINK: [1] https://syzkaller.appspot.com/bug?id=0b84da80c2917757915afa89f7738a9d16ec96c5
>> LINK: [2] https://www.spinics.net/lists/netdev/msg777503.html
> 
>> Reported-by: syzbot+7a12909485b94426aceb@syzkaller.appspotmail.com
>> Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
>> ---
>>   net/core/filter.c | 9 ++++++++-
>>   1 file changed, 8 insertions(+), 1 deletion(-)
> 
>> diff --git a/net/core/filter.c b/net/core/filter.c
>> index 4ef77ec5255e..27801b314960 100644
>> --- a/net/core/filter.c
>> +++ b/net/core/filter.c
>> @@ -2122,6 +2122,11 @@ static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev,
>>   {
>>       unsigned int mlen = skb_network_offset(skb);
> 
>> +    if (unlikely(skb->len == 0)) {
>> +        kfree_skb(skb);
>> +        return -EINVAL;
>> +    }
>> +
>>       if (mlen) {
>>           __skb_pull(skb, mlen);
> 
>> @@ -2143,7 +2148,9 @@ static int __bpf_redirect_common(struct sk_buff *skb, struct net_device *dev,
>>                    u32 flags)
>>   {
>>       /* Verify that a link layer header is carried */
>> -    if (unlikely(skb->mac_header >= skb->network_header)) {
>> +    if (unlikely(skb->mac_header >= skb->network_header) ||
>> +        (min_t(u32, skb_mac_header_len(skb), skb->len) <
>> +         (u32)dev->min_header_len)) {
> 
> Why check skb->len != 0 above but skb->len < dev->min_header_len here?
> I guess it doesn't make sense in __bpf_redirect_no_mac because we know
> that mac is empty, but why do we care in __bpf_redirect_common?
> Why not put this check in the common __bpf_redirect?
> 
> Also, it's still not clear to me whether we should bake it into the core
> stack vs having some special checks from test_prog_run only. I'm
> assuming the issue is that we can construct illegal skbs with that
> test_prog_run interface, so maybe start by fixing that?

Agree, ideally we can prevent it right at the source rather than adding
more tests into the fast-path.

> Did you have a chance to look at the reproducer more closely? What
> exactly is it doing?
> 
>>           kfree_skb(skb);
>>           return -ERANGE;
>>       }
>> -- 
>> 2.17.1
>