From: Lorenz Bauer
Date: Wed, 09 Aug 2023 09:33:53 +0100
Subject: [PATCH bpf-next] net: Fix slab-out-of-bounds in inet[6]_steal_sock
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20230809-bpf-next-v1-1-c1b80712e83b@isovalent.com>
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Daniel Borkmann, Kuniyuki Iwashima, Martin KaFai Lau
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, Kumar Kartikeya Dwivedi, Lorenz Bauer
X-Mailer: b4 0.12.3
X-Mailing-List: linux-kernel@vger.kernel.org

Kumar reported a KASAN splat in tcp_v6_rcv:

bash-5.2# ./test_progs -t btf_skc_cls_ingress
...
[   51.810085] BUG: KASAN: slab-out-of-bounds in tcp_v6_rcv+0x2d7d/0x3440
[   51.810458] Read of size 2 at addr ffff8881053f038c by task test_progs/226

The problem is that inet[6]_steal_sock accesses sk->sk_protocol without
accounting for request sockets. I added the check to ensure that we only
ever try to perform a reuseport lookup on a supported socket. It turns out
that this isn't necessary at all.

struct sock_common contains a skc_reuseport flag which indicates whether a
socket is part of a reuseport group. inet[6]_lookup_reuseport already checks
this flag, so we can't execute an erroneous reuseport lookup by definition.

Remove the unnecessary assertions to fix the out of bounds access.
Fixes: 9c02bec95954 ("bpf, net: Support SO_REUSEPORT sockets with bpf_sk_assign") Reported-by: Kumar Kartikeya Dwivedi Signed-off-by: Lorenz Bauer --- include/net/inet6_hashtables.h | 10 ---------- include/net/inet_hashtables.h | 10 ---------- 2 files changed, 20 deletions(-) diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h index 284b5ce7205d..f9907ed36d54 100644 --- a/include/net/inet6_hashtables.h +++ b/include/net/inet6_hashtables.h @@ -119,16 +119,6 @@ struct sock *inet6_steal_sock(struct net *net, struct sk_buff *skb, int doff, if (!prefetched) return sk; - if (sk->sk_protocol == IPPROTO_TCP) { - if (sk->sk_state != TCP_LISTEN) - return sk; - } else if (sk->sk_protocol == IPPROTO_UDP) { - if (sk->sk_state != TCP_CLOSE) - return sk; - } else { - return sk; - } - reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, ntohs(dport), ehashfn); diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h index 1177effabed3..57a46993383a 100644 --- a/include/net/inet_hashtables.h +++ b/include/net/inet_hashtables.h @@ -465,16 +465,6 @@ struct sock *inet_steal_sock(struct net *net, struct sk_buff *skb, int doff, if (!prefetched) return sk; - if (sk->sk_protocol == IPPROTO_TCP) { - if (sk->sk_state != TCP_LISTEN) - return sk; - } else if (sk->sk_protocol == IPPROTO_UDP) { - if (sk->sk_state != TCP_CLOSE) - return sk; - } else { - return sk; - } - reuse_sk = inet_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, ntohs(dport), ehashfn); --- base-commit: eb62e6aef940fcb1879100130068369d4638088f change-id: 20230808-bpf-next-a442a095562b Best regards, -- Lorenz Bauer
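Review bot: on the inet6_hashtables.h hunk, deleting the whole protocol/state block leaves inet6_steal_sock with no test that the prefetched sk is a full socket before it is handed to inet6_lookup_reuseport; the commit message argues this is safe because skc_reuseport lives in struct sock_common, but the hunk does not show what the lookup does once that flag is set, and anything there that touches a field outside sock_common would reproduce the same out-of-bounds read on a request socket that happens to carry the flag. The more explicit fix is to keep the removed block and fold the full-socket test into the existing early return, e.g. `if (!prefetched || !sk_fullsock(sk)) return sk;`, so request and timewait sockets never reach the sk_protocol read or the reuseport lookup at all; if the removal stays, the message should say why a non-full socket can never have skc_reuseport set.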
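Review bot: the inet_hashtables.h hunk also removes `if (sk->sk_state != TCP_CLOSE) return sk;` for IPPROTO_UDP (and the TCP_LISTEN test for TCP), which is a behaviour change rather than only a safety cleanup: a connected UDP socket that belongs to a reuseport group used to be returned exactly as assigned, and after this change it is passed to inet_lookup_reuseport and may be replaced by another group member via reuse_sk. The commit message only argues that the checks are unnecessary to avoid a bad lookup, so either state that rerouting connected UDP sockets and non-listening TCP sockets with sk_reuseport set is intended, or keep the sk_state tests and restrict the change to the part the Fixes tag describes.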
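An added example, not kernel code and not part of this patch: a scaled-down C model of the socket layouts behind the KASAN report, with a KASAN-like bounds check so the bad read is reported instead of silently returning garbage. The field sets, sizes and the kasan_read helper are the example's own simplifications; only the ordering is taken from the commit message (skc_state and skc_reuseport sit in the common part that request sockets share, sk_protocol sits beyond it). steal_sock_before mirrors the checks the hunks remove, steal_sock_after mirrors what is left, and lookup_reuseport stands in for inet[6]_lookup_reuseport under the assumption that selecting a group member after the skc_reuseport test needs sk_reuseport_cb, a struct sock field. req_with_flag is a hypothetical request socket with the reuseport flag set, included only to show what the patched path depends on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP states and protocol numbers used by the checks in the hunks. */
enum { TCP_CLOSE = 7, TCP_LISTEN = 10, TCP_NEW_SYN_RECV = 12 };
enum { IPPROTO_TCP = 6, IPPROTO_UDP = 17 };

/* Fields every socket flavour shares (stand-in for struct sock_common). */
struct sock_common {
    uint8_t skc_state;
    uint8_t skc_reuseport;
};

/* A full socket: common part first, sock-only fields after it.
 * sk_private stands in for the many struct sock fields elided here. */
struct sock {
    struct sock_common __sk_common;
    uint8_t sk_private[32];
    uint16_t sk_protocol;      /* does not exist on a request socket */
    void *sk_reuseport_cb;     /* does not exist on a request socket */
};

/* A request socket: only the common part plus request-only state. */
struct request_sock {
    struct sock_common __req_common;
    struct sock *rsk_listener;
};

/* What KASAN tracks for an object: its start and its allocated size. */
struct alloc {
    const void *ptr;
    size_t size;
};

/* Copy len bytes at offset off out of the object, or refuse the read
 * when it would run past the allocation (where KASAN would splat). */
static int kasan_read(const struct alloc *a, size_t off, size_t len, void *out)
{
    if (off + len > a->size)
        return -1;
    memcpy(out, (const char *)a->ptr + off, len);
    return 0;
}

enum steal_result { STEAL_OOB = -1, STEAL_KEEP_SK = 0, STEAL_REUSEPORT_LOOKUP = 1 };

/* Model of inet[6]_lookup_reuseport: the skc_reuseport test only touches the
 * common part; picking a group member then reads sk_reuseport_cb (assumed
 * here to live in struct sock, outside struct sock_common). */
static enum steal_result lookup_reuseport(const struct alloc *a)
{
    uint8_t reuseport;
    void *cb;

    if (kasan_read(a, offsetof(struct sock_common, skc_reuseport), 1, &reuseport))
        return STEAL_OOB;
    if (!reuseport)
        return STEAL_KEEP_SK;
    if (kasan_read(a, offsetof(struct sock, sk_reuseport_cb), sizeof(cb), &cb))
        return STEAL_OOB;
    return STEAL_REUSEPORT_LOOKUP;
}

/* The checks the hunks remove: sk_protocol is read on any prefetched socket,
 * and on a request socket that read lies past the allocation. */
static enum steal_result steal_sock_before(const struct alloc *a, int prefetched)
{
    uint16_t proto;
    uint8_t state;

    if (!prefetched)
        return STEAL_KEEP_SK;
    if (kasan_read(a, offsetof(struct sock, sk_protocol), sizeof(proto), &proto))
        return STEAL_OOB;
    if (kasan_read(a, offsetof(struct sock_common, skc_state), 1, &state))
        return STEAL_OOB;
    if (proto == IPPROTO_TCP) {
        if (state != TCP_LISTEN)
            return STEAL_KEEP_SK;
    } else if (proto == IPPROTO_UDP) {
        if (state != TCP_CLOSE)
            return STEAL_KEEP_SK;
    } else {
        return STEAL_KEEP_SK;
    }
    return lookup_reuseport(a);
}

/* What the hunks leave behind: straight to the lookup, so safety rests on
 * skc_reuseport being clear on every socket that is not a full socket. */
static enum steal_result steal_sock_after(const struct alloc *a, int prefetched)
{
    if (!prefetched)
        return STEAL_KEEP_SK;
    return lookup_reuseport(a);
}

/* Constructed objects standing in for what bpf_sk_assign may hand back. */
static struct sock listener = {
    .__sk_common = { TCP_LISTEN, 1 }, .sk_protocol = IPPROTO_TCP,
    .sk_reuseport_cb = &listener,
};
static struct request_sock req = { { TCP_NEW_SYN_RECV, 0 }, &listener };
/* Hypothetical: a request socket that somehow carries the reuseport flag. */
static struct request_sock req_with_flag = { { TCP_NEW_SYN_RECV, 1 }, &listener };

static const struct alloc listener_alloc = { &listener, sizeof(listener) };
static const struct alloc req_alloc = { &req, sizeof(req) };
static const struct alloc req_flag_alloc = { &req_with_flag, sizeof(req_with_flag) };

int main(void)
{
    printf("before, request sock: %d (OOB read of sk_protocol)\n", steal_sock_before(&req_alloc, 1));
    printf("after,  request sock: %d (skc_reuseport clear, sk kept)\n", steal_sock_after(&req_alloc, 1));
    printf("after,  listener:     %d (reuseport lookup runs)\n", steal_sock_after(&listener_alloc, 1));
    printf("after,  flagged req:  %d (OOB again, on sk_reuseport_cb)\n", steal_sock_after(&req_flag_alloc, 1));
    return 0;
}
```

The request socket is 16 bytes in this model while sk_protocol starts at byte 34, which is the shape of the reported "Read of size 2" past a slab object; the flagged request socket shows that the patched path is only as safe as the invariant that non-full sockets never carry skc_reuseport.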