On 2022/04/21 20:15, Tetsuo Handa wrote:
>> I feel that amount of output above is too short for "char program[2053]".
>> How can TCP/IPv6 socket be created from this quite limited operations?
>
> Since bpf_skb_load_helper_8() nothing but reads a byte, I don't think that
> bpf(BPF_PROG_LOAD) / setsockopt(SOL_SOCKET, SO_ATTACH_BPF) can affect this
> use-after-free bug, unless "char program[2053]" is doing something other
> than reading a byte.
It turned out that only first 37 bytes of "char program[2053]" was meaningful.
const union bpf_attr attr = {
.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
.insn_cnt = 5,
.insns = (unsigned long long)
"\xbf\x16\x00\x00\x00\x00\x00\x00\xb7\x07\x00\x00\x01\x00\xf0\xff"
"\x50\x70\x00\x00\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\xc0\x00"
"\x95\x00\x00\x00\x00",
.license = (unsigned long long) "GPL",
};
Thus, I think that the output of "tools/bpf/bpftool/bpftool prog dump xlat id $NUM"
was correct.
Moreover, it turned out that even no-op program which does only
r0 = 0
exit
can trigger this use-after-free bug.
const union bpf_attr attr = {
.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
.insn_cnt = 2,
.insns = (unsigned long long) "\xb7\x00\x00\x00\x00\x00\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00",
.license = (unsigned long long) "GPL",
};
That is, it seems that loading a BPF program using bpf(BPF_PROG_LOAD) and attaching
that program using setsockopt(SOL_SOCKET, SO_ATTACH_BPF) itself somehow affects this
use-after-free bug.
Now, I suspect that some refcount is taken by setsockopt(SOL_SOCKET, SO_ATTACH_BPF)
and is causing the socket to stay alive long enough to fire tcp_retransmit_timer().
Any ideas?
