Patch "bpf: Avoid splat in pskb_pull_reason" has been added to the 6.9-stable tree

This is a note to let you know that I've just added the patch titled

    bpf: Avoid splat in pskb_pull_reason

to the 6.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-avoid-splat-in-pskb_pull_reason.patch
and it can be found in the queue-6.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit b21c4322f909688d617567960b124ed86ff6b830
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Fri Jun 14 12:17:33 2024 +0200

    bpf: Avoid splat in pskb_pull_reason
    
    [ Upstream commit 2bbe3e5a2f4ef69d13be54f1cf895b4658287080 ]
    
    syzkaller builds (CONFIG_DEBUG_NET=y) frequently trigger a debug
    hint in pskb_may_pull.
    
    We'd like to retain this debug check because it might hint at integer
    overflows and other issues (kernel code should pull headers, not huge
    value).
    
    In bpf case, this splat isn't interesting at all: such (nonsensical)
    bpf programs are typically generated by a fuzzer anyway.
    
    Do what Eric suggested and suppress such warning.
    
    For CONFIG_DEBUG_NET=n we don't need the extra check because
    pskb_may_pull will do the right thing: return an error without the
    WARN() backtrace.
    
    Fixes: 219eee9c0d16 ("net: skbuff: add overflow debug check to pull/push helpers")
    Reported-by: syzbot+0c4150bff9fff3bf023c@xxxxxxxxxxxxxxxxxxxxxxxxx
    Suggested-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
    Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Acked-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
    Closes: https://syzkaller.appspot.com/bug?extid=0c4150bff9fff3bf023c
    Link: https://lore.kernel.org/netdev/9f254c96-54f2-4457-b7ab-1d9f6187939c@xxxxxxxxx/
    Link: https://lore.kernel.org/bpf/20240614101801.9496-1-fw@xxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/core/filter.c b/net/core/filter.c
index a5856a8b4498b..ce255e0a2fbd9 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1662,6 +1662,11 @@ static DEFINE_PER_CPU(struct bpf_scratchpad, bpf_sp);
 static inline int __bpf_try_make_writable(struct sk_buff *skb,
 					  unsigned int write_len)
 {
+#ifdef CONFIG_DEBUG_NET
+	/* Avoid a splat in pskb_may_pull_reason() */
+	if (write_len > INT_MAX)
+		return -EINVAL;
+#endif
 	return skb_ensure_writable(skb, write_len);
 }
 
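Review bot: the early return in __bpf_try_make_writable() exists only under CONFIG_DEBUG_NET, so for write_len > INT_MAX a debug build returns -EINVAL while a non-debug build returns whatever skb_ensure_writable() produces for the same input. If BPF helpers pass this return value back to the program, the two configurations can report different error codes for an identical call. Consider either making the check unconditional so the result is uniform, or stating in the comment that the differing errno is intentional and not relied on by callers. The comment also names pskb_may_pull_reason() while the subject line says pskb_pull_reason; using one name consistently would make the commit easier to find. A short note on why INT_MAX is the bound (the debug check being avoided fires on lengths above it) would help a reader who has not seen the Fixes: commit.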