[bpf,v2,0/4] bpf, sockmap: Fix infinite recursion in sock_map_close

Message ID 20230113-sockmap-fix-v2-0-1e0ee7ac2f90@cloudflare.com (mailing list archive)

Message

Jakub Sitnicki Jan. 21, 2023, 12:41 p.m. UTC
This patch set addresses the syzbot report in [1].

Patch #1 has been suggested by Eric [2]. I extended it to cover the rest of
sock_map proto callbacks. Otherwise we would still overflow the stack.

Patch #2 contains the actual fix and bug analysis.
Patches #3 & #4 add coverage to selftests to trigger the bug.

[1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/
[2] https://lore.kernel.org/all/CANn89iK2UN1FmdUcH12fv_xiZkv2G+Nskvmq7fG6aA_6VKRf6g@mail.gmail.com/

---
v1 -> v2:
v1: https://lore.kernel.org/r/20230113-sockmap-fix-v1-0-d3cad092ee10@cloudflare.com
[v1 didn't hit bpf@ ML by mistake]

 * pull in Eric's patch to protect against recursion loop bugs (Eric)
 * add a macro helper to check if pointer is inside a memory range (Eric)

---
Jakub Sitnicki (4):
      bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself
      bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener
      selftests/bpf: Pass BPF skeleton to sockmap_listen ops tests
      selftests/bpf: Cover listener cloning with progs attached to sockmap

 include/linux/util_macros.h                        | 12 ++++
 net/core/sock_map.c                                | 61 ++++++++--------
 net/ipv4/tcp_bpf.c                                 |  4 +-
 .../selftests/bpf/prog_tests/sockmap_listen.c      | 81 +++++++++++++++++-----
 4 files changed, 111 insertions(+), 47 deletions(-)

Comments

patchwork-bot+netdevbpf@kernel.org Jan. 25, 2023, 6 a.m. UTC | #1
Hello:

This series was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Sat, 21 Jan 2023 13:41:42 +0100 you wrote:
> This patch set addresses the syzbot report in [1].
> 
> Patch #1 has been suggested by Eric [2]. I extended it to cover the rest of
> sock_map proto callbacks. Otherwise we would still overflow the stack.
> 
> Patch #2 contains the actual fix and bug analysis.
> Patches #3 & #4 add coverage to selftests to trigger the bug.
> 
> [...]

Here is the summary with links:
  - [bpf,v2,1/4] bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself
    https://git.kernel.org/bpf/bpf/c/5b4a79ba65a1
  - [bpf,v2,2/4] bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener
    https://git.kernel.org/bpf/bpf/c/ddce1e091757
  - [bpf,v2,3/4] selftests/bpf: Pass BPF skeleton to sockmap_listen ops tests
    https://git.kernel.org/bpf/bpf/c/b4ea530d024c
  - [bpf,v2,4/4] selftests/bpf: Cover listener cloning with progs attached to sockmap
    https://git.kernel.org/bpf/bpf/c/c88ea16a8f89

You are awesome, thank you!