Daniel Borkmann <daniel@xxxxxxxxxxxxx> writes:

> On 9/20/24 2:56 PM, Toke Høiland-Jørgensen wrote:
>> The bpf_redirect_info is shared between the SKB and XDP redirect paths,
>> and the two paths use the same numeric flag values in the ri->flags
>> field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that
>> if skb bpf_redirect_neigh() is used with a non-NULL params argument and,
>> subsequently, an XDP redirect is performed using the same
>> bpf_redirect_info struct, the XDP path will get confused and end up
>> crashing, which syzbot managed to trigger.
>>
>> With the stack-allocated bpf_redirect_info, the structure is no longer
>> shared between the SKB and XDP paths, so the crash doesn't happen
>> anymore. However, different code paths using identically-numbered flag
>> values in the same struct field still seems like a bit of a mess, so
>> this patch cleans that up by moving the flag definitions together and
>> redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap
>> with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make
>> sure the overlap is not re-introduced by mistake.
>>
>> Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support")
>> Reported-by: syzbot+cca39e6e84a367a7e6f6@xxxxxxxxxxxxxxxxxxxxxxxxx
>> Closes: https://syzkaller.appspot.com/bug?extid=cca39e6e84a367a7e6f6
>> Signed-off-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
>> ---
>>  include/uapi/linux/bpf.h | 14 ++++++--------
>>  net/core/filter.c | 8 +++++---
>>  2 files changed, 11 insertions(+), 11 deletions(-)
>
> Lgtm, applied, thanks! I also added a tools header sync. I took this into
> bpf tree, so that stable can pick it up.

Great! Thanks for the fixups :)

-Toke
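
The flag collision described in the quoted commit message, as an added userspace example (not part of the thread and not the kernel patch itself). All macro, struct and function names are hypothetical stand-ins, and the bit positions are constructed for illustration rather than copied from bpf.h; `_Static_assert` plays the role of the `BUILD_BUG_ON()` check.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-ins for the XDP-side flags (illustrative bit positions). */
#define DEMO_XDP_F_BROADCAST       (1ULL << 3)
#define DEMO_XDP_F_EXCLUDE_INGRESS (1ULL << 4)
#define DEMO_XDP_MASK (DEMO_XDP_F_BROADCAST | DEMO_XDP_F_EXCLUDE_INGRESS)

/* "Before": internal skb flags share low bits, so NEXTHOP == BROADCAST. */
#define DEMO_OLD_F_NEIGH   (1ULL << 1)
#define DEMO_OLD_F_NEXTHOP (1ULL << 3)

/* "After": internal flags moved to bits the XDP path never tests. */
#define DEMO_NEW_F_NEIGH   (1ULL << 16)
#define DEMO_NEW_F_PEER    (1ULL << 17)
#define DEMO_NEW_F_NEXTHOP (1ULL << 18)
#define DEMO_NEW_INTERNAL \
	(DEMO_NEW_F_NEIGH | DEMO_NEW_F_PEER | DEMO_NEW_F_NEXTHOP)

/* Compile-time guard: the build fails if the two flag sets ever overlap. */
_Static_assert((DEMO_NEW_INTERNAL & DEMO_XDP_MASK) == 0,
	       "internal redirect flags overlap XDP flags");

/* Stand-in for a redirect-info struct whose flags field both paths use. */
struct demo_redirect_info {
	uint64_t flags;
};

/* skb path: records NEIGH, plus NEXTHOP when params were supplied. */
static void demo_skb_redirect_neigh(struct demo_redirect_info *ri,
				    uint64_t f_neigh, uint64_t f_nexthop,
				    bool have_params)
{
	ri->flags = f_neigh | (have_params ? f_nexthop : 0);
}

/* XDP path: tests the same field for its own broadcast flag. */
static bool demo_xdp_sees_broadcast(const struct demo_redirect_info *ri)
{
	return (ri->flags & DEMO_XDP_F_BROADCAST) != 0;
}

/* True if flags left behind by the skb path are misread by the XDP path. */
bool demo_stale_flags_confuse_xdp(uint64_t f_neigh, uint64_t f_nexthop)
{
	struct demo_redirect_info ri = { 0 };

	demo_skb_redirect_neigh(&ri, f_neigh, f_nexthop, true);
	return demo_xdp_sees_broadcast(&ri);
}
```

With the overlapping numbering the stale skb flag reads as a broadcast request on the XDP side; with the disjoint numbering it does not, and the static assertion keeps it that way.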