diff options
| author | Paul Chaignon <paul.chaignon@gmail.com> | 2025-09-17 10:08:00 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-10-19 16:21:31 +0200 |
| commit | 6d8b1a21fd5c34622b0c3893c61e4a38d8ba53ec (patch) | |
| tree | cb2ab9b28dab856ab89d1ed6485add1dca41e56a /net | |
| parent | e822f368f758a365e69d722be78bcda4cce8aee9 (diff) | |
| download | linux-6d8b1a21fd5c34622b0c3893c61e4a38d8ba53ec.tar.gz linux-6d8b1a21fd5c34622b0c3893c61e4a38d8ba53ec.tar.bz2 linux-6d8b1a21fd5c34622b0c3893c61e4a38d8ba53ec.zip | |
bpf: Explicitly check accesses to bpf_sock_addr
[ Upstream commit 6fabca2fc94d33cdf7ec102058983b086293395f ]
Syzkaller found a kernel warning on the following sock_addr program:
0: r0 = 0
1: r2 = *(u32 *)(r1 +60)
2: exit
which triggers:
verifier bug: error during ctx access conversion (0)
This is happening because offset 60 in bpf_sock_addr corresponds to an
implicit padding of 4 bytes, right after msg_src_ip4. Access to this
padding isn't rejected in sock_addr_is_valid_access and it thus later
fails to convert the access.
This patch fixes it by explicitly checking the various fields of
bpf_sock_addr in sock_addr_is_valid_access.
I checked the other ctx structures and is_valid_access functions and
didn't find any other similar cases. Other cases of (properly handled)
padding are covered in new tests in a subsequent patch.
Fixes: 1cedee13d25a ("bpf: Hooks for sys_sendmsg")
Reported-by: syzbot+136ca59d411f92e821b7@syzkaller.appspotmail.com
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Closes: https://syzkaller.appspot.com/bug?extid=136ca59d411f92e821b7
Link: https://lore.kernel.org/bpf/b58609d9490649e76e584b0361da0abd3c2c1779.1758094761.git.paul.chaignon@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/core/filter.c | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/net/core/filter.c b/net/core/filter.c index f346f19cf468..b95af925b9c2 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -8595,13 +8595,17 @@ static bool sock_addr_is_valid_access(int off, int size, return false; info->reg_type = PTR_TO_SOCKET; break; - default: - if (type == BPF_READ) { - if (size != size_default) - return false; - } else { + case bpf_ctx_range(struct bpf_sock_addr, user_family): + case bpf_ctx_range(struct bpf_sock_addr, family): + case bpf_ctx_range(struct bpf_sock_addr, type): + case bpf_ctx_range(struct bpf_sock_addr, protocol): + if (type != BPF_READ) return false; - } + if (size != size_default) + return false; + break; + default: + return false; } return true; |