Re: [PATCH net] net/netfilter: bpf: avoid leakage of skb

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On 11/29/23 9:18 PM, Florian Westphal wrote:
D. Wythe <alibuda@xxxxxxxxxxxxxxxxx> wrote:
From: "D. Wythe" <alibuda@xxxxxxxxxxxxxxxxx>

A malicious eBPF program can interrupt the subsequent processing of
a skb by returning an exceptional retval, and no one will be responsible
for releasing the very skb.
How?  The bpf verifier is supposed to reject nf bpf programs that
return a value other than accept or drop.

If this is a real bug, please also figure out why
006c0e44ed92 ("selftests/bpf: add missing netfilter return value and ctx access tests")
failed to catch it.

Hi Florian,

You are right, i make a mistake.. , it's not a bug..

And my origin intention was to allow ebpf progs to return NF_STOLEN, we are trying to modify some netfilter modules via ebpf, and some scenarios require the use of NF_STOLEN, but from your description, it seems that at least currently, you do not want to return NF_STOLEN, until there is a helper for sonsume_skb(), right ?

Again, very sorry to bother you.

Best wishes,
D. Wythe.

Moreover, normal programs can also have the demand to return NF_STOLEN,
No, this should be disallowed already.

  net/netfilter/nf_bpf_link.c | 19 ++++++++++++++++++-
  1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
index e502ec0..03c47d6 100644
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -12,12 +12,29 @@ static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb,
  				    const struct nf_hook_state *s)
  	const struct bpf_prog *prog = bpf_prog;
+	unsigned int verdict;
  	struct bpf_nf_ctx ctx = {
  		.state = s,
  		.skb = skb,
- return bpf_prog_run(prog, &ctx);
+	verdict = bpf_prog_run(prog, &ctx);
+	switch (verdict) {
+	case NF_STOLEN:
+		consume_skb(skb);
+		fallthrough;
This can't be right.  STOLEN really means STOLEN (free'd,
redirected, etc, "skb" MUST be "leaked".

Which is also why the bpf program is not allowed to return it.

[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux