From: "D. Wythe" <alibuda@xxxxxxxxxxxxxxxxx>
A malicious eBPF program can interrupt the subsequent processing of
a skb by returning an exceptional retval, and no one will be responsible
for releasing the very skb.
Moreover, normal programs can also have the demand to return NF_STOLEN,
usually, the hook needs to take responsibility for releasing this skb
itself, but currently, there is no such helper function to achieve that.
Ignoring NF_STOLEN will also lead to skb leakage.
Fixes: fd9c663b9ad6 ("bpf: minimal support for programs hooked into netfilter framework")
Signed-off-by: D. Wythe <alibuda@xxxxxxxxxxxxxxxxx>
---
net/netfilter/nf_bpf_link.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
index e502ec0..03c47d6 100644
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -12,12 +12,29 @@ static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb,
const struct nf_hook_state *s)
{
const struct bpf_prog *prog = bpf_prog;
+ unsigned int verdict;
struct bpf_nf_ctx ctx = {
.state = s,
.skb = skb,
};
- return bpf_prog_run(prog, &ctx);
+ verdict = bpf_prog_run(prog, &ctx);
+ switch (verdict) {
+ case NF_STOLEN:
+ consume_skb(skb);
+ fallthrough;
+ case NF_ACCEPT:
+ case NF_DROP:
+ case NF_QUEUE:
+ /* restrict the retval of the ebpf programs */
+ break;
+ default:
+ /* force it to be dropped */
+ verdict = NF_DROP_ERR(-EINVAL);
+ break;
+ }
+
+ return verdict;
}
struct bpf_nf_link {
--
1.8.3.1
