From: John Fastabend
To: martin.lau@kernel.org, edumazet@google.com, jakub@cloudflare.com
Cc: john.fastabend@gmail.com, bpf@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH bpf v2 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add
Date: Fri, 1 Dec 2023 10:01:38 -0800
Message-Id: <20231201180139.328529-2-john.fastabend@gmail.com>

I added logic to track the sock pair for stream_unix sockets so that we
ensure lifetime of the sock matches the time a sockmap could reference
the sock (see fixes tag). I forgot though that we allow af_unix
unconnected sockets into a sock{map|hash} map.

This is problematic because the previous fix expected sk_pair() to exist
and did not NULL check it. Because unconnected sockets have a NULL
sk_pair this resulted in the NULL ptr dereference found by syzkaller.

  BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
  Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
  Call Trace:
   ...
   sock_hold include/net/sock.h:777 [inline]
   unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
   sock_map_init_proto net/core/sock_map.c:190 [inline]
   sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
   sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
   sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
   bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167

We considered just checking for the null ptr and skipping taking a ref
on the NULL peer sock. But, if the socket is then connected() after
being added to the sockmap we can cause the original issue again. So
instead this patch blocks adding af_unix sockets that are not in the
ESTABLISHED state.

Reported-by: Eric Dumazet
Reported-by: syzbot+e8030702aefd3444fb9e@syzkaller.appspotmail.com
Fixes: 8866730aed51 ("bpf, sockmap: af_unix stream sockets need to hold ref for pair sock")
Signed-off-by: John Fastabend
---
 include/net/sock.h  | 5 +++++
 net/core/sock_map.c | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/include/net/sock.h b/include/net/sock.h index 1d6931caf0c3..0201136b0b9c 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -2799,6 +2799,11 @@ static inline bool sk_is_tcp(const struct sock *sk) return sk->sk_type == SOCK_STREAM && sk->sk_protocol == IPPROTO_TCP; } +static inline bool sk_is_stream_unix(const struct sock *sk) +{ + return sk->sk_family == AF_UNIX && sk->sk_type == SOCK_STREAM; +} + /** * sk_eat_skb - Release a skb if it is no longer needed * @sk: socket to eat this skb from diff --git a/net/core/sock_map.c b/net/core/sock_map.c index 4292c2ed1828..27d733c0f65e 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c 
@@ -536,6 +536,8 @@ static bool sock_map_sk_state_allowed(const struct sock *sk) { if (sk_is_tcp(sk)) return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_LISTEN); + if (sk_is_stream_unix(sk)) + return (1 << sk->sk_state) & TCPF_ESTABLISHED; return true; }

From: John Fastabend
To: martin.lau@kernel.org, edumazet@google.com, jakub@cloudflare.com
Cc: john.fastabend@gmail.com, bpf@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH bpf v2 2/2] bpf: sockmap, test for unconnected af_unix sock
Date: Fri, 1 Dec 2023 10:01:39 -0800
Message-Id: <20231201180139.328529-3-john.fastabend@gmail.com>

Add test to sockmap_basic to ensure af_unix sockets that are not
connected can not be added to the map. Ensure we keep DGRAM sockets
working however as these will not be connected typically.

Signed-off-by: John Fastabend
---
 .../selftests/bpf/prog_tests/sockmap_basic.c | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c index f75f84d0b3d7..7c2241fae19a 100644 --- a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c +++ b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c @@ -524,6 +524,37 @@ static void test_sockmap_skb_verdict_peek(void) test_sockmap_pass_prog__destroy(pass); } +static void test_sockmap_unconnected_unix(void) +{ + int err, map, stream = 0, dgram = 0, zero = 0; + struct test_sockmap_pass_prog *skel; + + skel = test_sockmap_pass_prog__open_and_load(); + if (!ASSERT_OK_PTR(skel, "open_and_load")) + return; + + map = bpf_map__fd(skel->maps.sock_map_rx); + + stream = xsocket(AF_UNIX, SOCK_STREAM, 0); + if (stream < 0) + return; + + dgram = xsocket(AF_UNIX, SOCK_DGRAM, 0); + if (dgram < 0) { + close(stream); + return; + } + + err = bpf_map_update_elem(map, &zero, &stream, BPF_ANY); + ASSERT_ERR(err, "bpf_map_update_elem(stream)"); + + err = bpf_map_update_elem(map, &zero, &dgram, BPF_ANY); + ASSERT_OK(err, "bpf_map_update_elem(dgram)"); + + close(stream); + close(dgram); +} + void test_sockmap_basic(void) { if (test__start_subtest("sockmap create_update_free")) @@ -566,4 +597,7 @@ void test_sockmap_basic(void) test_sockmap_skb_verdict_fionread(false); if (test__start_subtest("sockmap skb_verdict msg_f_peek")) test_sockmap_skb_verdict_peek(); + + if (test__start_subtest("sockmap unconnected af_unix")) + test_sockmap_unconnected_unix(); }
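
Review bot: sk_is_stream_unix() in include/net/sock.h (patch 1/2) matches every AF_UNIX SOCK_STREAM socket regardless of state, and nothing at the definition tells a caller that the sk_pair lifetime concern from the commit message still needs a separate sk_state check. A short comment above the helper saying that it covers connected and unconnected sockets alike would prevent it being reused as if it implied a peer exists. The commit message also says the patch blocks "af_unix sockets that are not in the ESTABLISHED state", while the helper and its caller restrict only the stream type; "af_unix stream sockets" would match the code and the DGRAM case that 2/2 keeps working.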
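
Review bot: in sock_map_sk_state_allowed() in net/core/sock_map.c (patch 1/2), the new AF_UNIX branch accepts only TCPF_ESTABLISHED, whereas the TCP branch directly above it also accepts TCPF_LISTEN, so listening unix stream sockets are now refused together with unconnected ones. If that is intended, the commit message should say so, since it only discusses unconnected sockets. Two smaller points on the same lines: a one-line comment that the TCPF_* mask is being applied to an AF_UNIX sk_state would help readers who do not expect TCP state names here, and sk->sk_state is read with a plain load, so it is worth stating which lock the caller holds given that the commit message's concern is a socket being connected after it is added to the map.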
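
Review bot: test_sockmap_unconnected_unix() in sockmap_basic.c (patch 2/2, first hunk) never releases the skeleton it loads. Every exit path, including the two early returns after a failed xsocket() and the normal end of the function, skips test_sockmap_pass_prog__destroy(skel), although the context line just above the new function shows the neighbouring test calling test_sockmap_pass_prog__destroy(pass). Routing all exits through a common cleanup label that closes any open fds and destroys the skeleton would fix this. The initialisers stream = 0, dgram = 0 are also dead stores, since both variables are assigned from xsocket() before first use. On coverage, the test checks that an unconnected stream socket is rejected and a DGRAM socket is accepted, but not that a connected stream pair is still accepted, which is the case most likely to regress if the state check in 1/2 changes.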
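
Review bot: in test_sockmap_basic() (patch 2/2, second hunk), the new subtest registration is preceded by an added blank line, while the registrations shown above it in the context follow each other without one. Drop the blank line so the list stays uniform.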