From: "D. Wythe" <alibuda@xxxxxxxxxxxxxxxxx> A malicious eBPF program can interrupt the subsequent processing of a skb by returning an exceptional retval, and no one will be responsible for releasing the very skb. Moreover, normal programs can also have the demand to return NF_STOLEN, usually, the hook needs to take responsibility for releasing this skb itself, but currently, there is no such helper function to achieve that. Ignoring NF_STOLEN will also lead to skb leakage. Fixes: fd9c663b9ad6 ("bpf: minimal support for programs hooked into netfilter framework") Signed-off-by: D. Wythe <alibuda@xxxxxxxxxxxxxxxxx> --- net/netfilter/nf_bpf_link.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c index e502ec0..03c47d6 100644 --- a/net/netfilter/nf_bpf_link.c +++ b/net/netfilter/nf_bpf_link.c @@ -12,12 +12,29 @@ static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb, const struct nf_hook_state *s) { const struct bpf_prog *prog = bpf_prog; + unsigned int verdict; struct bpf_nf_ctx ctx = { .state = s, .skb = skb, }; - return bpf_prog_run(prog, &ctx); + verdict = bpf_prog_run(prog, &ctx); + switch (verdict) { + case NF_STOLEN: + consume_skb(skb); + fallthrough; + case NF_ACCEPT: + case NF_DROP: + case NF_QUEUE: + /* restrict the retval of the ebpf programs */ + break; + default: + /* force it to be dropped */ + verdict = NF_DROP_ERR(-EINVAL); + break; + } + + return verdict; } struct bpf_nf_link { -- 1.8.3.1