On Fri, Jun 17, 2022 at 9:19 AM Di Zhu <zhudi2@xxxxxxxxxx> wrote: > > Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any > skbs, that is, the flow->head is null. > The root cause, as the [2] says, is because that bpf_prog_test_run_skb() > run a bpf prog which redirects empty skbs. > So we should determine whether the length of the packet modified by bpf > prog or others like bpf_prog_test is 0 before forwarding it directly. > > LINK: [1] https://syzkaller.appspot.com/bug?id=0b84da80c2917757915afa89f7738a9d16ec96c5 > LINK: [2] https://www.spinics.net/lists/netdev/msg777503.html > > Reported-by: syzbot+7a12909485b94426aceb@xxxxxxxxxxxxxxxxxxxxxxxxx > Signed-off-by: Di Zhu <zhudi2@xxxxxxxxxx> > --- > net/core/filter.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/core/filter.c b/net/core/filter.c > index 5af58eb48587..c7fbfa90898a 100644 > --- a/net/core/filter.c > +++ b/net/core/filter.c > @@ -2156,6 +2156,9 @@ static int __bpf_redirect_common(struct sk_buff *skb, struct net_device *dev, > static int __bpf_redirect(struct sk_buff *skb, struct net_device *dev, > u32 flags) > { > + if (unlikely(skb->len == 0)) > + return -EINVAL; > + You focus again on fq_codel, but we have a more generic issue at hand. I said that most drivers will assume packets are Ethernet ones, having at least an Ethernet header in them. Also returning -EINVAL will leak the skb :/ I think a better fix would be to make sure the skb carries an expected packet length, and this probably differs in __bpf_redirect_common() and __bpf_redirect_no_mac() ? Current test in __bpf_redirect_common() seems not good enough. + /* Verify that a link layer header is carried */ + if (unlikely(skb->mac_header >= skb->network_header)) { + kfree_skb(skb); + return -ERANGE; + } + It should check that the link layer header size is >= dev->min_header_len > if (dev_is_mac_header_xmit(dev)) > return __bpf_redirect_common(skb, dev, flags); > else > -- > 2.27.0 >
