On Fri, Jan 7, 2022 at 10:31 AM Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote: > > The bpf_xdp_link_update() function didn't check the program type before > updating the program, which made it possible to install any program type as > an XDP program, which is obviously not good. Syzbot managed to trigger this > by swapping in an LWT program on the XDP hook which would crash in a helper > call. > > Fix this by adding a check and bailing out if the types don't match. > > Fixes: 026a4c28e1db ("bpf, xdp: Implement LINK_UPDATE for BPF XDP link") > Reported-by: syzbot+983941aa85af6ded1fd9@xxxxxxxxxxxxxxxxxxxxxxxxx > Signed-off-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx> > --- The fix looks good to me, thanks. I'd love it if this was done generically in link_update, but each link type has its own locking schema for link->prog, so I didn't figure out a way to do this in a centralized way. Acked-by: Andrii Nakryiko <andrii@xxxxxxxxxx> > net/core/dev.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/net/core/dev.c b/net/core/dev.c > index c4708e2487fb..2078d04c6482 100644 > --- a/net/core/dev.c > +++ b/net/core/dev.c > @@ -9656,6 +9656,12 @@ static int bpf_xdp_link_update(struct bpf_link *link, struct bpf_prog *new_prog, > goto out_unlock; > } > old_prog = link->prog; > + if (old_prog->type != new_prog->type || > + old_prog->expected_attach_type != new_prog->expected_attach_type) { > + err = -EINVAL; > + goto out_unlock; > + } > + > if (old_prog == new_prog) { > /* no-op, don't disturb drivers */ > bpf_prog_put(new_prog); > -- > 2.34.1 >
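
Review bot: The added check in bpf_xdp_link_update() compares expected_attach_type as well as type, but the commit message only speaks of the program type; mention both in the message, or put a one-line comment above the "if (old_prog->type != new_prog->type ||" test, so a later reader does not treat the second comparison as redundant. The new -EINVAL path also leaves through "goto out_unlock" without the bpf_prog_put(new_prog) that the no-op branch right below it performs. That matches the earlier "goto out_unlock" visible in the context lines, so the reference is presumably dropped by the caller on error, but it is worth confirming that before merging.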