Message ID | tencent_884D1773977426D9D3600371696883B6A405@qq.com (mailing list archive)
State | Handled Elsewhere
Series | [net] bpf: test_run: fix WARNING in format_decode
On 11/21/23 7:50 PM, Edward Adam Davis wrote:
> Confirm that skb->len is not 0 to ensure that skb length is valid.
>
> Fixes: 114039b34201 ("bpf: Move skb->len == 0 checks into __bpf_redirect")
> Reported-by: syzbot+e2c932aec5c8a6e1d31c@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>

Stan, could you take a look at this patch?

> ---
> net/bpf/test_run.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> index c9fdcc5cdce1..78258a822a5c 100644
> --- a/net/bpf/test_run.c
> +++ b/net/bpf/test_run.c
> @@ -845,6 +845,9 @@ static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb)
> {
> struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb;
>
> + if (!skb->len)
> + return -EINVAL;
> +
> if (!__skb)
> return 0;
>
On 11/22/23 6:28 AM, Yonghong Song wrote:
> On 11/21/23 7:50 PM, Edward Adam Davis wrote:
>> Confirm that skb->len is not 0 to ensure that skb length is valid.
>>
>> Fixes: 114039b34201 ("bpf: Move skb->len == 0 checks into __bpf_redirect")
>> Reported-by: syzbot+e2c932aec5c8a6e1d31c@syzkaller.appspotmail.com
>> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
>
> Stan, could you take a look at this patch?

I think this only papers over the bug... also BPF selftests seem to break with this change. Looking again at the syzkaller trace:

[...]
Please remove unsupported %\0 in format string
WARNING: CPU: 0 PID: 5068 at lib/vsprintf.c:2675 format_decode+0xa03/0xba0 lib/vsprintf.c:2675
[...]

We need to fix bpf_bprintf_prepare() instead to reject invalid fmts such as %0 and similar.

>> net/bpf/test_run.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
>> index c9fdcc5cdce1..78258a822a5c 100644
>> --- a/net/bpf/test_run.c
>> +++ b/net/bpf/test_run.c
>> @@ -845,6 +845,9 @@ static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb)
>> {
>> struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb;
>> + if (!skb->len)
>> + return -EINVAL;
>> +
>> if (!__skb)
>> return 0;
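As an added example that is not part of this thread and not the kernel's own bpf_bprintf_prepare(), the following shows the kind of up-front format validation the reply above asks for: walk the untrusted format once, accept only a whitelisted set of conversions, and reject a '%' that runs into the NUL terminator ("%\0"), a bare "%0", unsupported modifiers and over-long argument lists before the string ever reaches vsnprintf() and trips format_decode(). The function name, the accepted conversion set and the MAX_FMT_ARGS cap are assumptions chosen for illustration; the sample formats in main() are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed cap on conversions per format (illustrative, not the kernel's constant). */
#define MAX_FMT_ARGS 12

/*
 * validate_fmt - pre-check an untrusted printf-style format string.
 * @fmt:      format bytes supplied by the caller
 * @fmt_size: number of bytes that may legally be read from @fmt
 *
 * Returns the number of conversions that consume an argument, or -EINVAL if
 * the format is not NUL-terminated within @fmt_size, contains "%\0", uses a
 * flag, width, length modifier or conversion outside the whitelist, or has
 * more than MAX_FMT_ARGS conversions.
 */
int validate_fmt(const char *fmt, size_t fmt_size)
{
	int nargs = 0;
	size_t i;

	/* Never walk past the caller's buffer looking for the terminator. */
	if (!fmt || !fmt_size || !memchr(fmt, '\0', fmt_size))
		return -EINVAL;

	for (i = 0; fmt[i] != '\0'; i++) {
		if (fmt[i] != '%')
			continue;
		i++;
		if (fmt[i] == '%')
			continue;	/* "%%" emits a literal '%' and consumes nothing */
		if (fmt[i] == '\0')
			return -EINVAL;	/* "%\0": the shape format_decode() warns about */

		/* Optional flags; a bare "%0" stops here and is rejected below. */
		while (fmt[i] == '-' || fmt[i] == '+' || fmt[i] == ' ' ||
		       fmt[i] == '#' || fmt[i] == '0')
			i++;
		/* Optional fixed width; '*' is not accepted since it would consume
		 * an extra argument the caller did not account for. */
		while (fmt[i] >= '0' && fmt[i] <= '9')
			i++;
		/* Optional length modifier: only "l" and "ll". */
		if (fmt[i] == 'l') {
			i++;
			if (fmt[i] == 'l')
				i++;
		}
		/* Conversion whitelist. '\0', '.', 'n', 'h', 'j' and anything else
		 * not listed falls through to the default and is rejected. */
		switch (fmt[i]) {
		case 'd': case 'i': case 'u':
		case 'x': case 'X': case 'c':
		case 's': case 'p':
			break;
		default:
			return -EINVAL;
		}
		if (++nargs > MAX_FMT_ARGS)
			return -EINVAL;
	}
	return nargs;
}

int main(void)
{
	/* Constructed samples: the first two are the shapes from the report,
	 * the rest are well-formed and report how many arguments they take. */
	const char *samples[] = { "%", "%0", "%d %s\n", "100%%\n", "%-8s|%04llx" };
	size_t n;

	for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++)
		printf("%-14s -> %d\n", samples[n],
		       validate_fmt(samples[n], strlen(samples[n]) + 1));
	return 0;
}
```

The check runs over the bytes once and counts conversions as it goes, so a caller can both reject a bad format and size its argument array from the same pass; the explicit memchr() bound is what keeps a missing terminator from turning into an out-of-bounds read in the validator itself.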
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index c9fdcc5cdce1..78258a822a5c 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -845,6 +845,9 @@ static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb) { struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb; + if (!skb->len) + return -EINVAL; + if (!__skb) return 0;
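Review bot: the new `if (!skb->len) return -EINVAL;` sits before the existing `if (!__skb) return 0;` early return, so convert___skb_to_skb() now rejects every zero-length skb, including test runs that pass no __sk_buff metadata at all; that is a behaviour change for all callers with empty data and matches the reply in this thread that BPF selftests break. Nothing in the hunk touches the format-string path named in the subject: the WARNING in the trace is raised from format_decode() in lib/vsprintf.c, and the Fixes: tag points at a commit about skb->len checks in __bpf_redirect rather than at the bprintf code. Either the commit message should explain how a zero-length skb leads to the "%\0" warning, or, as the thread suggests, the rejection of invalid formats belongs in bpf_bprintf_prepare() and this length check should be dropped.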
Confirm that skb->len is not 0 to ensure that skb length is valid.

Fixes: 114039b34201 ("bpf: Move skb->len == 0 checks into __bpf_redirect")
Reported-by: syzbot+e2c932aec5c8a6e1d31c@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 net/bpf/test_run.c | 3 +++
 1 file changed, 3 insertions(+)