From: "D. Wythe"
Date: Wed, 29 Nov 2023 22:42:23 +0800
Subject: Re: [PATCH net] net/netfilter: bpf: avoid leakage of skb
To: Florian Westphal
Cc: pablo@netfilter.org, kadlec@netfilter.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, coreteam@netfilter.org, netfilter-devel@vger.kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ast@kernel.org
References: <1701252962-63418-1-git-send-email-alibuda@linux.alibaba.com> <20231129131846.GC27744@breakpoint.cc>
In-Reply-To: <20231129131846.GC27744@breakpoint.cc>
X-Mailing-List: linux-kernel@vger.kernel.org

On 11/29/23 9:18 PM, Florian Westphal wrote:
> D. Wythe wrote:
>> From: "D. Wythe"
>>
>> A malicious eBPF program can interrupt the subsequent processing of
>> a skb by returning an exceptional retval, and no one will be responsible
>> for releasing the very skb.
> How? The bpf verifier is supposed to reject nf bpf programs that
> return a value other than accept or drop.
>
> If this is a real bug, please also figure out why
> 006c0e44ed92 ("selftests/bpf: add missing netfilter return value and ctx access tests")
> failed to catch it.

Hi Florian,

You are right, I made a mistake, it's not a bug.

And my original intention was to allow ebpf progs to return NF_STOLEN. We are trying to modify some netfilter modules via ebpf, and some scenarios require the use of NF_STOLEN, but from your description, it seems that at least currently, you do not want to return NF_STOLEN until there is a helper for consume_skb(), right?

Again, very sorry to bother you.

Best wishes,
D. Wythe.

>> Moreover, normal programs can also have the demand to return NF_STOLEN,
> No, this should be disallowed already.
>
>> net/netfilter/nf_bpf_link.c | 19 ++++++++++++++++++-
>> 1 file changed, 18 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
>> index e502ec0..03c47d6 100644
>> --- a/net/netfilter/nf_bpf_link.c
>> +++ b/net/netfilter/nf_bpf_link.c
>> @@ -12,12 +12,29 @@ static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb,
>> const struct nf_hook_state *s)
>> {
>> const struct bpf_prog *prog = bpf_prog;
>> + unsigned int verdict;
>> struct bpf_nf_ctx ctx = {
>> .state = s,
>> .skb = skb,
>> };
>>
>> - return bpf_prog_run(prog, &ctx);
>> + verdict = bpf_prog_run(prog, &ctx);
>> + switch (verdict) {
>> + case NF_STOLEN:
>> + consume_skb(skb);
>> + fallthrough;
> This can't be right. STOLEN really means STOLEN (free'd,
> redirected, etc), "skb" MUST be "leaked".
>
> Which is also why the bpf program is not allowed to return it.
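Review bot: The `case NF_STOLEN: consume_skb(skb); fallthrough;` arm added to nf_hook_run_bpf() in the `@@ -12,12 +12,29 @@` hunk releases a buffer the program has just declared stolen; as the reply states, NF_STOLEN means the hook already freed or redirected the skb, so a second release from the core is a double free, not a leak fix. The new case is also unreachable in the current tree, since the verifier admits only NF_ACCEPT and NF_DROP from netfilter BPF programs, which is why 006c0e44ed92 did not flag anything. Drop the switch; if NF_STOLEN support is wanted, it needs a verifier change plus a helper the program can call to consume the skb itself, with a selftest beside the one cited, rather than an unconditional consume_skb() here.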
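As an added illustration of the ownership rule Florian states (constructed for this page, not code from the patch or the kernel), a small C model of the verdict dispatch in nf_hook_run_bpf(): the verdict decides who releases the skb. `struct skb`, `double_frees` and the three hook functions are stand-ins; `run_hook_patched` mirrors only the visible part of the hunk, the consume_skb() call on NF_STOLEN.

```c
#include <stdlib.h>

/* Netfilter verdict codes, values as in include/uapi/linux/netfilter.h. */
#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2

struct skb { int freed; };   /* constructed stand-in for struct sk_buff */
static int double_frees;      /* how often a buffer was released twice */

/* Stand-in for consume_skb(): counts a second release instead of corrupting the heap. */
static void consume_skb(struct skb *skb)
{
	if (skb->freed)
		double_frees++;
	skb->freed = 1;
}

static unsigned int accept_hook(struct skb *skb) { (void)skb; return NF_ACCEPT; }
static unsigned int drop_hook(struct skb *skb)   { (void)skb; return NF_DROP; }
/* A stealing hook owns the buffer from here on and releases (or redirects) it itself. */
static unsigned int stealing_hook(struct skb *skb) { consume_skb(skb); return NF_STOLEN; }

/* Dispatch under the rule stated in the thread: the core frees only on NF_DROP and never
 * touches a stolen skb. Returns 1 if the skb continues up the stack, 0 otherwise. */
static int run_hook(unsigned int (*hook)(struct skb *), struct skb *skb)
{
	switch (hook(skb)) {
	case NF_ACCEPT: return 1;
	case NF_DROP:   consume_skb(skb); return 0;
	case NF_STOLEN: return 0;
	default:        abort();
	}
}

/* Dispatch as in the visible part of the hunk: the core also calls consume_skb() on NF_STOLEN. */
static int run_hook_patched(unsigned int (*hook)(struct skb *), struct skb *skb)
{
	switch (hook(skb)) {
	case NF_ACCEPT: return 1;
	case NF_DROP:   consume_skb(skb); return 0;
	case NF_STOLEN: consume_skb(skb); return 0;   /* frees what the hook already freed */
	default:        abort();
	}
}

/* Runs one hook through a dispatcher on a fresh skb and returns the double frees it caused. */
static int double_frees_for(int (*run)(unsigned int (*)(struct skb *), struct skb *),
			    unsigned int (*hook)(struct skb *))
{
	struct skb skb = { 0 };
	double_frees = 0;
	run(hook, &skb);
	return double_frees;
}
```

With `run_hook` a stolen skb is never touched again, while `run_hook_patched` releases it a second time.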