iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eyal Birger 2b9a13d98d bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook 
[ Upstream commit b02d196c44ead1a5949729be9ff08fe781c3e48a ]

xmit_check_hhlen() observes the dst for getting the device hard header
length to make sure a modified packet can fit. When a helper which changes
the dst - such as bpf_skb_set_tunnel_key() - is called as part of the
xmit program the accessed dst is no longer valid.

This leads to the following splat:

 BUG: kernel NULL pointer dereference, address: 00000000000000de
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] PREEMPT SMP PTI
 CPU: 0 PID: 798 Comm: ping Not tainted 5.18.0-rc2+ #103
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
 RIP: 0010:bpf_xmit+0xfb/0x17f
 Code: c6 c0 4d cd 8e 48 c7 c7 7d 33 f0 8e e8 42 09 fb ff 48 8b 45 58 48 8b 95 c8 00 00 00 48 2b 95 c0 00 00 00 48 83 e0 fe 48 8b 00 <0f> b7 80 de 00 00 00 39 c2 73 22 29 d0 b9 20 0a 00 00 31 d2 48 89
 RSP: 0018:ffffb148c0bc7b98 EFLAGS: 00010282
 RAX: 0000000000000000 RBX: 0000000000240008 RCX: 0000000000000000
 RDX: 0000000000000010 RSI: 00000000ffffffea RDI: 00000000ffffffff
 RBP: ffff922a828a4e00 R08: ffffffff8f1350e8 R09: 00000000ffffdfff
 R10: ffffffff8f055100 R11: ffffffff8f105100 R12: 0000000000000000
 R13: ffff922a828a4e00 R14: 0000000000000040 R15: 0000000000000000
 FS:  00007f414e8f0080(0000) GS:ffff922afdc00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00000000000000de CR3: 0000000002d80006 CR4: 0000000000370ef0
 Call Trace:
  <TASK>
  lwtunnel_xmit.cold+0x71/0xc8
  ip_finish_output2+0x279/0x520
  ? __ip_finish_output.part.0+0x21/0x130

Fix by fetching the device hard header length before running the BPF code.

Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure")
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20220420165219.1755407-1-eyal.birger@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-05-09 09:03:24 +02:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:47:31 +02:00
9p
xen/9p: use alloc/free_pages_exact()
2022-03-11 11:22:39 +01:00
802
net/802/garp: fix memleak in garp_request_join()
2021-07-31 08:19:38 +02:00
8021q
net: vlan: fix underflow for the real_dev refcnt
2021-12-01 09:23:34 +01:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 14:47:41 +02:00
atm
atm: fix a memory leak of vcc->user_back
2020-10-01 13:17:58 +02:00
ax25
ax25: Fix UAF bugs in ax25 timers
2022-04-20 09:19:40 +02:00
batman-adv
ipv6: make mc_forwarding atomic
2022-04-15 14:18:32 +02:00
bluetooth
Bluetooth: Fix use after free in hci_send_acl
2022-04-15 14:18:34 +02:00
bpf
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:53:33 +02:00
bridge
net: bridge: fix stale eth hdr pointer in br_dev_xmit
2022-02-16 12:52:50 +01:00
caif
net-caif: avoid user-triggerable WARN_ON(1)
2021-09-22 12:26:40 +02:00
can
can: j1939: j1939_tp_cmd_recv(): check the dst address of TP.CM_BAM
2021-12-08 09:01:08 +01:00
ceph
libceph: clear con->out_msg on Policy::stateful_server faults
2020-11-05 11:43:34 +01:00
core
bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook
2022-05-09 09:03:24 +02:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:07:51 +01:00
dccp
tcp: fix race condition when creating child sockets from syncookies
2022-04-27 13:50:45 +02:00
decnet
net: decnet: Fix sleeping inside in af_decnet
2021-07-28 13:30:56 +02:00
dns_resolver
KEYS: Don't write out to userspace while holding key semaphore
2020-04-23 10:36:45 +02:00
dsa
net: dsa: Add missing of_node_put() in dsa_port_parse_of
2022-03-23 09:12:07 +01:00
ethernet
net: add annotations on hh->hh_len lockless accesses
2020-01-09 10:20:06 +01:00
hsr
hsr: use netdev_err() instead of WARN_ONCE()
2021-05-14 09:44:10 +02:00
ieee802154
net: ieee802154: Return meaningful error codes from the netlink helpers
2022-02-08 18:24:31 +01:00
ife
net: Fix Kconfig indentation
2019-09-26 08:56:17 +02:00
ipv4
tcp: Fix potential use-after-free due to double kfree()
2022-04-27 13:50:46 +02:00
ipv6
tcp: fix race condition when creating child sockets from syncookies
2022-04-27 13:50:45 +02:00
iucv
net/af_iucv: remove WARN_ONCE on malformed RX packets
2021-03-07 12:20:42 +01:00
kcm
kcm: disable preemption in kcm_parse_func_strparser()
2019-09-27 10:27:14 +02:00
key
af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
2022-04-15 14:17:56 +02:00
l2tp
net/l2tp: Fix reference count leak in l2tp_udp_recv_core
2021-09-22 12:26:41 +02:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:50:47 +02:00
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:25:28 +01:00
llc
llc: only change llc->dev when bind() succeeds
2022-03-28 08:46:48 +02:00
mac80211
mac80211: fix potential double free on mesh join
2022-03-28 08:46:48 +02:00
mac802154
net: mac802154: Fix general protection fault
2021-04-14 08:24:18 +02:00
mpls
net: mpls: Fix notifications when deleting a device
2021-12-08 09:01:12 +01:00
ncsi
net/ncsi: check for error return from call to nla_put_u32
2022-01-05 12:37:45 +01:00
netfilter
ipvs: correctly print the memory size of ip_vs_conn_tab
2022-05-09 09:03:24 +02:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-15 14:18:35 +02:00
netlink
netlink: reset network and mac headers in netlink_dump()
2022-04-27 13:50:47 +02:00
netrom
netrom: Decrease sock refcount when sock timers expire
2021-07-28 13:30:56 +02:00
nfc
nfc: nci: add flush_workqueue to prevent uaf
2022-04-20 09:19:35 +02:00
nsh
openvswitch
openvswitch: fix OOB access in reserve_sfa_size()
2022-04-27 13:50:49 +02:00
packet
net/packet: fix packet_sock xmit return value checking
2022-04-27 13:50:47 +02:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:23:33 +01:00
psample
net: psample: fix skb_over_panic
2019-12-04 22:30:54 +01:00
qrtr
net: qrtr: fix another OOB Read in qrtr_endpoint_post
2021-09-03 10:08:12 +02:00
rds
rds: memory leak in __rds_conn_create()
2021-12-22 09:29:37 +01:00
rfkill
rfkill: Fix use-after-free in rfkill_resume()
2020-11-24 13:29:05 +01:00
rose
rose: Fix Null pointer dereference in rose_send_frame()
2020-12-08 10:40:23 +01:00
rxrpc
rxrpc: Restore removed timer deletion
2022-04-27 13:50:46 +02:00
sched
net/sched: cls_u32: fix possible leak in u32_init_knode()
2022-04-27 13:50:47 +02:00
sctp
sctp: Initialize daddr on peeled off socket
2022-04-20 09:19:35 +02:00
smc
net/smc: Fix sock leak when release after smc_shutdown()
2022-04-27 13:50:46 +02:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-17 09:48:48 +01:00
sunrpc
SUNRPC: Handle low memory situations in call_status()
2022-04-15 14:18:38 +02:00
switchdev
net: switchdev: do not propagate bridge updates across bridges
2021-10-27 09:54:24 +02:00
tipc
tipc: fix the timer expires after interval 100ms
2022-04-15 14:18:17 +02:00
tls
net/tls: fix slab-out-of-bounds bug in decrypt_internal
2022-04-15 14:18:37 +02:00
unix
af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress
2022-01-27 09:19:53 +01:00
vmw_vsock
vsock: remove vsock from connected table when connect is interrupted by a signal
2022-02-23 11:59:57 +01:00
wimax
wireless
cfg80211: hold bss_lock while updating nontrans_list
2022-04-20 09:19:35 +02:00
x25
net/x25: Fix null-ptr-deref caused by x25_disconnect
2022-04-15 14:18:21 +02:00
xdp
Revert "xsk: Do not sleep in poll() when need_wakeup set"
2021-12-22 09:29:40 +01:00
xfrm
xfrm: fix tunnel model fragmentation behavior
2022-04-15 14:17:56 +02:00
compat.c
net: Return the correct errno code
2021-06-18 09:59:00 +02:00
Kconfig
net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build
2020-04-01 11:02:18 +02:00
Makefile
socket.c
net: don't unconditionally copy_from_user a struct ifreq for socket ioctls
2021-09-03 10:08:16 +02:00
sysctl_net.c