diff mbox series

[net,1/2] bpf, sockmap: Do not ignore orig_len parameter

Message ID 20220302161723.3910001-1-eric.dumazet@gmail.com (mailing list archive)
State Accepted
Commit 60ce37b03917e593d8e5d8bcc7ec820773daf81d
Delegated to: Netdev Maintainers
Headers show
Series [net,1/2] bpf, sockmap: Do not ignore orig_len parameter | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 2 this patch: 2
netdev/cc_maintainers warning 1 maintainers not CCed: lmb@cloudflare.com
netdev/build_clang success Errors and warnings before: 18 this patch: 18
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 7 this patch: 7
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Eric Dumazet March 2, 2022, 4:17 p.m. UTC 
From: Eric Dumazet <edumazet@google.com>

Currently, sk_psock_verdict_recv() returns skb->len

This is problematic because tcp_read_sock() might have
passed orig_len < skb->len, due to the presence of TCP urgent data.

This causes an infinite loop from tcp_read_sock()

Followup patch will make tcp_read_sock() more robust vs bad actors.

Fixes: ef5659280eb1 ("bpf, sockmap: Allow skipping sk_skb parser program")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
Tested-by: Jakub Sitnicki <jakub@cloudflare.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
---
 net/core/skmsg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

patchwork-bot+netdevbpf@kernel.org March 3, 2022, 7 a.m. UTC | #1 
Hello:

This series was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Wed,  2 Mar 2022 08:17:22 -0800 you wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> Currently, sk_psock_verdict_recv() returns skb->len
> 
> This is problematic because tcp_read_sock() might have
> passed orig_len < skb->len, due to the presence of TCP urgent data.
> 
> [...]

Here is the summary with links:
  - [net,1/2] bpf, sockmap: Do not ignore orig_len parameter
    https://git.kernel.org/netdev/net/c/60ce37b03917
  - [net,2/2] tcp: make tcp_read_sock() more robust
    https://git.kernel.org/netdev/net/c/e3d5ea2c011e

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index 8eb671c827f90f1f3d2514163fc82998c9906cb6..929a2b096b04e01b85bff0a69209413abe86102d 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -1153,7 +1153,7 @@  static int sk_psock_verdict_recv(read_descriptor_t *desc, struct sk_buff *skb,
 	struct sk_psock *psock;
 	struct bpf_prog *prog;
 	int ret = __SK_DROP;
-	int len = skb->len;
+	int len = orig_len;
 
 	/* clone here so sk_eat_skb() in tcp_read_sock does not drop our data */
 	skb = skb_clone(skb, GFP_ATOMIC);