On 10/19/24 12:11 AM, Daniel Yang wrote:
KMSAN detects uninitialized memory stored to memory by
bpf_clone_redirect(). Adding a check to the transmission path to find
malformed headers prevents this issue. Specifically, we check if the length
of the data stored in skb is less than the minimum device header length.
If so, drop the packet since the skb cannot contain a valid device header.
Also check if mac_header_len(skb) is outside the provided range of valid
device header lengths.
Testing this patch with syzbot removes the bug.
Fixes: 88264981f208 ("Merge tag 'sched_ext-for-6.12' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext")

I am pretty sure this is the wrong tag.

A test in selftests/bpf is needed to reproduce and better understand this. Is only
bpf_clone_redirect() needed to reproduce, or are other bpf_skb_*() helper calls
needed to reproduce?

Reported-by: syzbot+346474e3bf0b26bd3090@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=346474e3bf0b26bd3090
Signed-off-by: Daniel Yang <danielyangkang@xxxxxxxxx>
---
net/core/filter.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index cd3524cb3..92d8f2098 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2191,6 +2191,13 @@ static int __bpf_redirect_common(struct sk_buff *skb, struct net_device *dev,
return -ERANGE;
}
+ if (unlikely(skb->len < dev->min_header_len ||
+ skb_mac_header_len(skb) < dev->min_header_len ||
+ skb_mac_header_len(skb) > dev->hard_header_len)) {
+ kfree_skb(skb);
+ return -ERANGE;
+ }
+
bpf_push_mac_rcsum(skb);
return flags & BPF_F_INGRESS ?
__bpf_rx_skb(dev, skb) : __bpf_tx_skb(dev, skb);
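
Review bot: the new check sits above the `flags & BPF_F_INGRESS` branch, so it drops packets headed for `__bpf_rx_skb()` as well as `__bpf_tx_skb()`, while the commit message describes it as a check on the transmission path. If only egress needs it, it belongs on the tx side; if both directions need it, the commit message should say so. The three conditions also need a short comment stating what each one guards against. In particular the upper bound `skb_mac_header_len(skb) > dev->hard_header_len` rejects every skb whose MAC header is longer than the device's nominal header length, and nothing in the message explains why such an skb is malformed rather than legitimate. A selftest that exercises each of the three conditions separately would show which one actually silences the KMSAN report.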