diff mbox series

[bpf,v2,1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add

Message ID 20231201180139.328529-2-john.fastabend@gmail.com (mailing list archive)
State Accepted
Commit 8d6650646ce49e9a5b8c5c23eb94f74b1749f70f
Delegated to: BPF
Headers show
Series bpf fix for unconnect af_unix socket | expand

Checks

Context Check Description
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for bpf, async
netdev/ynl success SINGLE THREAD; Generated files up to date; no warnings/errors;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 3641 this patch: 3641
netdev/cc_maintainers fail 1 blamed authors not CCed: daniel@iogearbox.net; 3 maintainers not CCed: kuba@kernel.org pabeni@redhat.com daniel@iogearbox.net
netdev/build_clang success Errors and warnings before: 1294 this patch: 1294
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 3881 this patch: 3881
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 19 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-PR fail PR summary
bpf/vmtest-bpf-VM_Test-1 success Logs for ShellCheck
bpf/vmtest-bpf-VM_Test-0 success Logs for Lint
bpf/vmtest-bpf-VM_Test-3 success Logs for Validate matrix.py
bpf/vmtest-bpf-VM_Test-2 success Logs for Unittests
bpf/vmtest-bpf-VM_Test-5 success Logs for aarch64-gcc / build-release
bpf/vmtest-bpf-VM_Test-4 success Logs for aarch64-gcc / build / build for aarch64 with gcc
bpf/vmtest-bpf-VM_Test-10 success Logs for aarch64-gcc / veristat
bpf/vmtest-bpf-VM_Test-12 success Logs for s390x-gcc / build-release
bpf/vmtest-bpf-VM_Test-9 success Logs for aarch64-gcc / test (test_verifier, false, 360) / test_verifier on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-6 success Logs for aarch64-gcc / test (test_maps, false, 360) / test_maps on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-7 success Logs for aarch64-gcc / test (test_progs, false, 360) / test_progs on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-8 success Logs for aarch64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-11 success Logs for s390x-gcc / build / build for s390x with gcc
bpf/vmtest-bpf-VM_Test-17 success Logs for s390x-gcc / veristat
bpf/vmtest-bpf-VM_Test-18 success Logs for set-matrix
bpf/vmtest-bpf-VM_Test-19 success Logs for x86_64-gcc / build / build for x86_64 with gcc
bpf/vmtest-bpf-VM_Test-21 success Logs for x86_64-gcc / test (test_maps, false, 360) / test_maps on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-20 success Logs for x86_64-gcc / build-release
bpf/vmtest-bpf-VM_Test-23 success Logs for x86_64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-24 success Logs for x86_64-gcc / test (test_progs_no_alu32_parallel, true, 30) / test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-22 success Logs for x86_64-gcc / test (test_progs, false, 360) / test_progs on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-25 success Logs for x86_64-gcc / test (test_progs_parallel, true, 30) / test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-27 success Logs for x86_64-gcc / veristat / veristat on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-26 success Logs for x86_64-gcc / test (test_verifier, false, 360) / test_verifier on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-28 success Logs for x86_64-llvm-17 / build / build for x86_64 with llvm-17
bpf/vmtest-bpf-VM_Test-29 success Logs for x86_64-llvm-17 / build-release / build for x86_64 with llvm-17 and -O2 optimization
bpf/vmtest-bpf-VM_Test-30 success Logs for x86_64-llvm-17 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-17
bpf/vmtest-bpf-VM_Test-31 success Logs for x86_64-llvm-17 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-17
bpf/vmtest-bpf-VM_Test-32 success Logs for x86_64-llvm-17 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-17
bpf/vmtest-bpf-VM_Test-33 success Logs for x86_64-llvm-17 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-17
bpf/vmtest-bpf-VM_Test-34 success Logs for x86_64-llvm-17 / veristat
bpf/vmtest-bpf-VM_Test-36 success Logs for x86_64-llvm-18 / build-release / build for x86_64 with llvm-18 and -O2 optimization
bpf/vmtest-bpf-VM_Test-35 success Logs for x86_64-llvm-18 / build / build for x86_64 with llvm-18
bpf/vmtest-bpf-VM_Test-37 success Logs for x86_64-llvm-18 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-18
bpf/vmtest-bpf-VM_Test-38 fail Logs for x86_64-llvm-18 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-18
bpf/vmtest-bpf-VM_Test-40 fail Logs for x86_64-llvm-18 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-18
bpf/vmtest-bpf-VM_Test-39 fail Logs for x86_64-llvm-18 / test (test_progs_cpuv4, false, 360) / test_progs_cpuv4 on x86_64 with llvm-18
bpf/vmtest-bpf-VM_Test-41 success Logs for x86_64-llvm-18 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-18
bpf/vmtest-bpf-VM_Test-42 success Logs for x86_64-llvm-18 / veristat
bpf/vmtest-bpf-VM_Test-16 success Logs for s390x-gcc / test (test_verifier, false, 360) / test_verifier on s390x with gcc
bpf/vmtest-bpf-VM_Test-15 success Logs for s390x-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-VM_Test-13 success Logs for s390x-gcc / test (test_maps, false, 360) / test_maps on s390x with gcc
bpf/vmtest-bpf-VM_Test-14 success Logs for s390x-gcc / test (test_progs, false, 360) / test_progs on s390x with gcc

Commit Message

John Fastabend Dec. 1, 2023, 6:01 p.m. UTC 
I added logic to track the sock pair for stream_unix sockets so that we
ensure lifetime of the sock matches the time a sockmap could reference
the sock (see fixes tag). I forgot though that we allow af_unix unconnected
sockets into a sock{map|hash} map.

This is problematic because previous fixed expected sk_pair() to exist
and did not NULL check it. Because unconnected sockets have a NULL
sk_pair this resulted in the NULL ptr dereference found by syzkaller.

BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
Call Trace:
 <TASK>
 ...
 sock_hold include/net/sock.h:777 [inline]
 unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
 sock_map_init_proto net/core/sock_map.c:190 [inline]
 sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
 sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
 sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
 bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167

We considered just checking for the null ptr and skipping taking a ref
on the NULL peer sock. But, if the socket is then connected() after
being added to the sockmap we can cause the original issue again. So
instead this patch blocks adding af_unix sockets that are not in the
ESTABLISHED state.

Reported-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+e8030702aefd3444fb9e@syzkaller.appspotmail.com
Fixes: 8866730aed51 ("bpf, sockmap: af_unix stream sockets need to hold ref for pair sock")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
---
 include/net/sock.h  | 5 +++++
 net/core/sock_map.c | 2 ++
 2 files changed, 7 insertions(+)

Comments

Kuniyuki Iwashima Dec. 1, 2023, 9:14 p.m. UTC | #1 
From: John Fastabend <john.fastabend@gmail.com>
Date: Fri,  1 Dec 2023 10:01:38 -0800
> I added logic to track the sock pair for stream_unix sockets so that we
> ensure lifetime of the sock matches the time a sockmap could reference
> the sock (see fixes tag). I forgot though that we allow af_unix unconnected
> sockets into a sock{map|hash} map.
> 
> This is problematic because previous fixed expected sk_pair() to exist
> and did not NULL check it. Because unconnected sockets have a NULL
> sk_pair this resulted in the NULL ptr dereference found by syzkaller.
> 
> BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
> Call Trace:
>  <TASK>
>  ...
>  sock_hold include/net/sock.h:777 [inline]
>  unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
>  sock_map_init_proto net/core/sock_map.c:190 [inline]
>  sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
>  sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
>  sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
>  bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
> 
> We considered just checking for the null ptr and skipping taking a ref
> on the NULL peer sock. But, if the socket is then connected() after
> being added to the sockmap we can cause the original issue again. So
> instead this patch blocks adding af_unix sockets that are not in the
> ESTABLISHED state.

I'm not sure if someone has the unconnected stream socket use case
though, can't we call additional sock_hold() in connect() by checking
sk_prot under sk_callback_lock ?
John Fastabend Dec. 4, 2023, 9:40 p.m. UTC | #2 
Kuniyuki Iwashima wrote:
> From: John Fastabend <john.fastabend@gmail.com>
> Date: Fri,  1 Dec 2023 10:01:38 -0800
> > I added logic to track the sock pair for stream_unix sockets so that we
> > ensure lifetime of the sock matches the time a sockmap could reference
> > the sock (see fixes tag). I forgot though that we allow af_unix unconnected
> > sockets into a sock{map|hash} map.
> > 
> > This is problematic because previous fixed expected sk_pair() to exist
> > and did not NULL check it. Because unconnected sockets have a NULL
> > sk_pair this resulted in the NULL ptr dereference found by syzkaller.
> > 
> > BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> > Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
> > Call Trace:
> >  <TASK>
> >  ...
> >  sock_hold include/net/sock.h:777 [inline]
> >  unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> >  sock_map_init_proto net/core/sock_map.c:190 [inline]
> >  sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
> >  sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
> >  sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
> >  bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
> > 
> > We considered just checking for the null ptr and skipping taking a ref
> > on the NULL peer sock. But, if the socket is then connected() after
> > being added to the sockmap we can cause the original issue again. So
> > instead this patch blocks adding af_unix sockets that are not in the
> > ESTABLISHED state.
> 
> I'm not sure if someone has the unconnected stream socket use case
> though, can't we call additional sock_hold() in connect() by checking
> sk_prot under sk_callback_lock ?

Could be done I guess yes. I'm not sure the utility of it though. I
thought above patch was the simplest solution and didn't require touching
main af_unix code. I don't actually use the sockmap with af_unix
sockets anywhere so maybe someone who is using this can comment if
unconnected is needed?

From rcu and locking side looks like holding sk_callback_lock would
be sufficient. I was thinking it would require a rcu grace period
or something but seems not.

I guess I could improve original patch if folks want.

.John
Kuniyuki Iwashima Dec. 4, 2023, 10:37 p.m. UTC | #3 
+cc Cong and Jiang, as potential users of AF_UNIX sockmap w/ unconnected
SOCK_STREAM sockets

https://lore.kernel.org/netdev/20231201180139.328529-1-john.fastabend@gmail.com/

From: John Fastabend <john.fastabend@gmail.com>
Date: Mon, 04 Dec 2023 13:40:40 -0800
> Kuniyuki Iwashima wrote:
> > From: John Fastabend <john.fastabend@gmail.com>
> > Date: Fri,  1 Dec 2023 10:01:38 -0800
> > > I added logic to track the sock pair for stream_unix sockets so that we
> > > ensure lifetime of the sock matches the time a sockmap could reference
> > > the sock (see fixes tag). I forgot though that we allow af_unix unconnected
> > > sockets into a sock{map|hash} map.
> > > 
> > > This is problematic because previous fixed expected sk_pair() to exist
> > > and did not NULL check it. Because unconnected sockets have a NULL
> > > sk_pair this resulted in the NULL ptr dereference found by syzkaller.
> > > 
> > > BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> > > Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
> > > Call Trace:
> > >  <TASK>
> > >  ...
> > >  sock_hold include/net/sock.h:777 [inline]
> > >  unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> > >  sock_map_init_proto net/core/sock_map.c:190 [inline]
> > >  sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
> > >  sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
> > >  sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
> > >  bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
> > > 
> > > We considered just checking for the null ptr and skipping taking a ref
> > > on the NULL peer sock. But, if the socket is then connected() after
> > > being added to the sockmap we can cause the original issue again. So
> > > instead this patch blocks adding af_unix sockets that are not in the
> > > ESTABLISHED state.
> > 
> > I'm not sure if someone has the unconnected stream socket use case
> > though, can't we call additional sock_hold() in connect() by checking
> > sk_prot under sk_callback_lock ?
> 
> Could be done I guess yes. I'm not sure the utility of it though. I
> thought above patch was the simplest solution and didn't require touching
> main af_unix code. I don't actually use the sockmap with af_unix
> sockets anywhere so maybe someone who is using this can comment if
> unconnected is needed?
> 
> From rcu and locking side looks like holding sk_callback_lock would
> be sufficient. I was thinking it would require a rcu grace period
> or something but seems not.
> 
> I guess I could improve original patch if folks want.
> 
> .John
Jakub Sitnicki Dec. 6, 2023, 9:47 a.m. UTC | #4 
On Mon, Dec 04, 2023 at 01:40 PM -08, John Fastabend wrote:
> Kuniyuki Iwashima wrote:
>> From: John Fastabend <john.fastabend@gmail.com>
>> Date: Fri,  1 Dec 2023 10:01:38 -0800
>> > I added logic to track the sock pair for stream_unix sockets so that we
>> > ensure lifetime of the sock matches the time a sockmap could reference
>> > the sock (see fixes tag). I forgot though that we allow af_unix unconnected
>> > sockets into a sock{map|hash} map.
>> > 
>> > This is problematic because previous fixed expected sk_pair() to exist
>> > and did not NULL check it. Because unconnected sockets have a NULL
>> > sk_pair this resulted in the NULL ptr dereference found by syzkaller.
>> > 
>> > BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430
>> > net/unix/unix_bpf.c:171
>> > Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
>> > Call Trace:
>> >  <TASK>
>> >  ...
>> >  sock_hold include/net/sock.h:777 [inline]
>> >  unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
>> >  sock_map_init_proto net/core/sock_map.c:190 [inline]
>> >  sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
>> >  sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
>> >  sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
>> >  bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
>> > 
>> > We considered just checking for the null ptr and skipping taking a ref
>> > on the NULL peer sock. But, if the socket is then connected() after
>> > being added to the sockmap we can cause the original issue again. So
>> > instead this patch blocks adding af_unix sockets that are not in the
>> > ESTABLISHED state.
>> 
>> I'm not sure if someone has the unconnected stream socket use case
>> though, can't we call additional sock_hold() in connect() by checking
>> sk_prot under sk_callback_lock ?
>
> Could be done I guess yes. I'm not sure the utility of it though. I
> thought above patch was the simplest solution and didn't require touching
> main af_unix code. I don't actually use the sockmap with af_unix
> sockets anywhere so maybe someone who is using this can comment if
> unconnected is needed?
>
> From rcu and locking side looks like holding sk_callback_lock would
> be sufficient. I was thinking it would require a rcu grace period
> or something but seems not.

I'd revist the option of grabbing an skpair ref in unix_stream_sendmsg.
Cong Wang Dec. 8, 2023, 4:19 a.m. UTC | #5 
On Mon, Dec 04, 2023 at 01:40:40PM -0800, John Fastabend wrote:
> Kuniyuki Iwashima wrote:
> > From: John Fastabend <john.fastabend@gmail.com>
> > Date: Fri,  1 Dec 2023 10:01:38 -0800
> > > I added logic to track the sock pair for stream_unix sockets so that we
> > > ensure lifetime of the sock matches the time a sockmap could reference
> > > the sock (see fixes tag). I forgot though that we allow af_unix unconnected
> > > sockets into a sock{map|hash} map.
> > > 
> > > This is problematic because previous fixed expected sk_pair() to exist
> > > and did not NULL check it. Because unconnected sockets have a NULL
> > > sk_pair this resulted in the NULL ptr dereference found by syzkaller.
> > > 
> > > BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> > > Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
> > > Call Trace:
> > >  <TASK>
> > >  ...
> > >  sock_hold include/net/sock.h:777 [inline]
> > >  unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> > >  sock_map_init_proto net/core/sock_map.c:190 [inline]
> > >  sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
> > >  sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
> > >  sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
> > >  bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
> > > 
> > > We considered just checking for the null ptr and skipping taking a ref
> > > on the NULL peer sock. But, if the socket is then connected() after
> > > being added to the sockmap we can cause the original issue again. So
> > > instead this patch blocks adding af_unix sockets that are not in the
> > > ESTABLISHED state.
> > 
> > I'm not sure if someone has the unconnected stream socket use case
> > though, can't we call additional sock_hold() in connect() by checking
> > sk_prot under sk_callback_lock ?
> 
> Could be done I guess yes. I'm not sure the utility of it though. I
> thought above patch was the simplest solution and didn't require touching
> main af_unix code. I don't actually use the sockmap with af_unix
> sockets anywhere so maybe someone who is using this can comment if
> unconnected is needed?
> 

Our use case is also connected unix stream socket, as demonstrated in
the selftest unix_redir_to_connected().

Thanks.
Daniel Borkmann Dec. 11, 2023, 2:56 p.m. UTC | #6 
On 12/8/23 5:19 AM, Cong Wang wrote:
> On Mon, Dec 04, 2023 at 01:40:40PM -0800, John Fastabend wrote:
>> Kuniyuki Iwashima wrote:
>>> From: John Fastabend <john.fastabend@gmail.com>
>>> Date: Fri,  1 Dec 2023 10:01:38 -0800
>>>> I added logic to track the sock pair for stream_unix sockets so that we
>>>> ensure lifetime of the sock matches the time a sockmap could reference
>>>> the sock (see fixes tag). I forgot though that we allow af_unix unconnected
>>>> sockets into a sock{map|hash} map.
>>>>
>>>> This is problematic because previous fixed expected sk_pair() to exist
>>>> and did not NULL check it. Because unconnected sockets have a NULL
>>>> sk_pair this resulted in the NULL ptr dereference found by syzkaller.
>>>>
>>>> BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
>>>> Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
>>>> Call Trace:
>>>>   <TASK>
>>>>   ...
>>>>   sock_hold include/net/sock.h:777 [inline]
>>>>   unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
>>>>   sock_map_init_proto net/core/sock_map.c:190 [inline]
>>>>   sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
>>>>   sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
>>>>   sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
>>>>   bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
>>>>
>>>> We considered just checking for the null ptr and skipping taking a ref
>>>> on the NULL peer sock. But, if the socket is then connected() after
>>>> being added to the sockmap we can cause the original issue again. So
>>>> instead this patch blocks adding af_unix sockets that are not in the
>>>> ESTABLISHED state.
>>>
>>> I'm not sure if someone has the unconnected stream socket use case
>>> though, can't we call additional sock_hold() in connect() by checking
>>> sk_prot under sk_callback_lock ?
>>
>> Could be done I guess yes. I'm not sure the utility of it though. I
>> thought above patch was the simplest solution and didn't require touching
>> main af_unix code. I don't actually use the sockmap with af_unix
>> sockets anywhere so maybe someone who is using this can comment if
>> unconnected is needed?
> 
> Our use case is also connected unix stream socket, as demonstrated in
> the selftest unix_redir_to_connected().

Great, is everyone good to move this fix forward then? Would be great if
this receives at least one ack if the latter is indeed the case.

Thanks,
Daniel
Amery Hung Dec. 13, 2023, 11:23 p.m. UTC | #7 
On Mon, Dec 11, 2023 at 6:56 AM Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> On 12/8/23 5:19 AM, Cong Wang wrote:
> > On Mon, Dec 04, 2023 at 01:40:40PM -0800, John Fastabend wrote:
> >> Kuniyuki Iwashima wrote:
> >>> From: John Fastabend <john.fastabend@gmail.com>
> >>> Date: Fri,  1 Dec 2023 10:01:38 -0800
> >>>> I added logic to track the sock pair for stream_unix sockets so that we
> >>>> ensure lifetime of the sock matches the time a sockmap could reference
> >>>> the sock (see fixes tag). I forgot though that we allow af_unix unconnected
> >>>> sockets into a sock{map|hash} map.
> >>>>
> >>>> This is problematic because previous fixed expected sk_pair() to exist
> >>>> and did not NULL check it. Because unconnected sockets have a NULL
> >>>> sk_pair this resulted in the NULL ptr dereference found by syzkaller.
> >>>>
> >>>> BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> >>>> Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
> >>>> Call Trace:
> >>>>   <TASK>
> >>>>   ...
> >>>>   sock_hold include/net/sock.h:777 [inline]
> >>>>   unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> >>>>   sock_map_init_proto net/core/sock_map.c:190 [inline]
> >>>>   sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
> >>>>   sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
> >>>>   sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
> >>>>   bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
> >>>>
> >>>> We considered just checking for the null ptr and skipping taking a ref
> >>>> on the NULL peer sock. But, if the socket is then connected() after
> >>>> being added to the sockmap we can cause the original issue again. So
> >>>> instead this patch blocks adding af_unix sockets that are not in the
> >>>> ESTABLISHED state.
> >>>
> >>> I'm not sure if someone has the unconnected stream socket use case
> >>> though, can't we call additional sock_hold() in connect() by checking
> >>> sk_prot under sk_callback_lock ?
> >>
> >> Could be done I guess yes. I'm not sure the utility of it though. I
> >> thought above patch was the simplest solution and didn't require touching
> >> main af_unix code. I don't actually use the sockmap with af_unix
> >> sockets anywhere so maybe someone who is using this can comment if
> >> unconnected is needed?
> >
> > Our use case is also connected unix stream socket, as demonstrated in
> > the selftest unix_redir_to_connected().
>
> Great, is everyone good to move this fix forward then? Would be great if
> this receives at least one ack if the latter is indeed the case.
>
> Thanks,
> Daniel

I just want to ack that we are not inserting unconnected UDS to sockmap.
diff mbox series

Patch

diff --git a/include/net/sock.h b/include/net/sock.h
index 1d6931caf0c3..0201136b0b9c 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2799,6 +2799,11 @@  static inline bool sk_is_tcp(const struct sock *sk)
 	return sk->sk_type == SOCK_STREAM && sk->sk_protocol == IPPROTO_TCP;
 }
 
+static inline bool sk_is_stream_unix(const struct sock *sk)
+{
+	return sk->sk_family == AF_UNIX && sk->sk_type == SOCK_STREAM;
+}
+
 /**
  * sk_eat_skb - Release a skb if it is no longer needed
  * @sk: socket to eat this skb from
diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index 4292c2ed1828..27d733c0f65e 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -536,6 +536,8 @@  static bool sock_map_sk_state_allowed(const struct sock *sk)
 {
 	if (sk_is_tcp(sk))
 		return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_LISTEN);
+	if (sk_is_stream_unix(sk))
+		return (1 << sk->sk_state) & TCPF_ESTABLISHED;
 	return true;
 }