* [PATCH bpf v2 0/2] bpf fix for unconnect af_unix socket
@ 2023-12-01 18:01 John Fastabend
2023-12-01 18:01 ` [PATCH bpf v2 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add John Fastabend
` (3 more replies)
0 siblings, 4 replies; 12+ messages in thread
From: John Fastabend @ 2023-12-01 18:01 UTC (permalink / raw)
To: martin.lau, edumazet, jakub; +Cc: john.fastabend, bpf, netdev
Eric reported a syzbot splat from a null ptr deref from recent fix to
resolve a use-after-free with af-unix stream sockets and BPF sockmap
usage.
The issue is I missed is we allow unconnected af_unix STREAM sockets to
be added to the sockmap. Fix this by blocking unconnected sockets.
v2: change sk_is_unix to sk_is_stream_unix (Eric) and remove duplicate
ASSERTS in selftests the xsocket helper already marks FAIL (Jakub)
John Fastabend (2):
bpf: syzkaller found null ptr deref in unix_bpf proto add
bpf: sockmap, test for unconnected af_unix sock
include/net/sock.h | 5 +++
net/core/sock_map.c | 2 ++
.../selftests/bpf/prog_tests/sockmap_basic.c | 34 +++++++++++++++++++
3 files changed, 41 insertions(+)
--
2.33.0
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH bpf v2 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add
2023-12-01 18:01 [PATCH bpf v2 0/2] bpf fix for unconnect af_unix socket John Fastabend
@ 2023-12-01 18:01 ` John Fastabend
2023-12-01 21:14 ` Kuniyuki Iwashima
2023-12-01 18:01 ` [PATCH bpf v2 2/2] bpf: sockmap, test for unconnected af_unix sock John Fastabend
` (2 subsequent siblings)
3 siblings, 1 reply; 12+ messages in thread
From: John Fastabend @ 2023-12-01 18:01 UTC (permalink / raw)
To: martin.lau, edumazet, jakub; +Cc: john.fastabend, bpf, netdev
I added logic to track the sock pair for stream_unix sockets so that we
ensure lifetime of the sock matches the time a sockmap could reference
the sock (see fixes tag). I forgot though that we allow af_unix unconnected
sockets into a sock{map|hash} map.
This is problematic because previous fixed expected sk_pair() to exist
and did not NULL check it. Because unconnected sockets have a NULL
sk_pair this resulted in the NULL ptr dereference found by syzkaller.
BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
Call Trace:
<TASK>
...
sock_hold include/net/sock.h:777 [inline]
unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
sock_map_init_proto net/core/sock_map.c:190 [inline]
sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
We considered just checking for the null ptr and skipping taking a ref
on the NULL peer sock. But, if the socket is then connected() after
being added to the sockmap we can cause the original issue again. So
instead this patch blocks adding af_unix sockets that are not in the
ESTABLISHED state.
Reported-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+e8030702aefd3444fb9e@syzkaller.appspotmail.com
Fixes: 8866730aed51 ("bpf, sockmap: af_unix stream sockets need to hold ref for pair sock")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
---
include/net/sock.h | 5 +++++
net/core/sock_map.c | 2 ++
2 files changed, 7 insertions(+)
diff --git a/include/net/sock.h b/include/net/sock.h
index 1d6931caf0c3..0201136b0b9c 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2799,6 +2799,11 @@ static inline bool sk_is_tcp(const struct sock *sk)
return sk->sk_type == SOCK_STREAM && sk->sk_protocol == IPPROTO_TCP;
}
+static inline bool sk_is_stream_unix(const struct sock *sk)
+{
+ return sk->sk_family == AF_UNIX && sk->sk_type == SOCK_STREAM;
+}
+
/**
* sk_eat_skb - Release a skb if it is no longer needed
* @sk: socket to eat this skb from
diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index 4292c2ed1828..27d733c0f65e 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -536,6 +536,8 @@ static bool sock_map_sk_state_allowed(const struct sock *sk)
{
if (sk_is_tcp(sk))
return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_LISTEN);
+ if (sk_is_stream_unix(sk))
+ return (1 << sk->sk_state) & TCPF_ESTABLISHED;
return true;
}
--
2.33.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH bpf v2 2/2] bpf: sockmap, test for unconnected af_unix sock
2023-12-01 18:01 [PATCH bpf v2 0/2] bpf fix for unconnect af_unix socket John Fastabend
2023-12-01 18:01 ` [PATCH bpf v2 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add John Fastabend
@ 2023-12-01 18:01 ` John Fastabend
2023-12-12 10:09 ` [PATCH bpf v2 0/2] bpf fix for unconnect af_unix socket Jakub Sitnicki
2023-12-14 1:40 ` patchwork-bot+netdevbpf
3 siblings, 0 replies; 12+ messages in thread
From: John Fastabend @ 2023-12-01 18:01 UTC (permalink / raw)
To: martin.lau, edumazet, jakub; +Cc: john.fastabend, bpf, netdev
Add test to sockmap_basic to ensure af_unix sockets that are not connected
can not be added to the map. Ensure we keep DGRAM sockets working however
as these will not be connected typically.
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
---
.../selftests/bpf/prog_tests/sockmap_basic.c | 34 +++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
index f75f84d0b3d7..7c2241fae19a 100644
--- a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
+++ b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
@@ -524,6 +524,37 @@ static void test_sockmap_skb_verdict_peek(void)
test_sockmap_pass_prog__destroy(pass);
}
+static void test_sockmap_unconnected_unix(void)
+{
+ int err, map, stream = 0, dgram = 0, zero = 0;
+ struct test_sockmap_pass_prog *skel;
+
+ skel = test_sockmap_pass_prog__open_and_load();
+ if (!ASSERT_OK_PTR(skel, "open_and_load"))
+ return;
+
+ map = bpf_map__fd(skel->maps.sock_map_rx);
+
+ stream = xsocket(AF_UNIX, SOCK_STREAM, 0);
+ if (stream < 0)
+ return;
+
+ dgram = xsocket(AF_UNIX, SOCK_DGRAM, 0);
+ if (dgram < 0) {
+ close(stream);
+ return;
+ }
+
+ err = bpf_map_update_elem(map, &zero, &stream, BPF_ANY);
+ ASSERT_ERR(err, "bpf_map_update_elem(stream)");
+
+ err = bpf_map_update_elem(map, &zero, &dgram, BPF_ANY);
+ ASSERT_OK(err, "bpf_map_update_elem(dgram)");
+
+ close(stream);
+ close(dgram);
+}
+
void test_sockmap_basic(void)
{
if (test__start_subtest("sockmap create_update_free"))
@@ -566,4 +597,7 @@ void test_sockmap_basic(void)
test_sockmap_skb_verdict_fionread(false);
if (test__start_subtest("sockmap skb_verdict msg_f_peek"))
test_sockmap_skb_verdict_peek();
+
+ if (test__start_subtest("sockmap unconnected af_unix"))
+ test_sockmap_unconnected_unix();
}
--
2.33.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH bpf v2 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add
2023-12-01 18:01 ` [PATCH bpf v2 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add John Fastabend
@ 2023-12-01 21:14 ` Kuniyuki Iwashima
2023-12-04 21:40 ` John Fastabend
0 siblings, 1 reply; 12+ messages in thread
From: Kuniyuki Iwashima @ 2023-12-01 21:14 UTC (permalink / raw)
To: john.fastabend; +Cc: bpf, edumazet, jakub, martin.lau, netdev, kuniyu
From: John Fastabend <john.fastabend@gmail.com>
Date: Fri, 1 Dec 2023 10:01:38 -0800
> I added logic to track the sock pair for stream_unix sockets so that we
> ensure lifetime of the sock matches the time a sockmap could reference
> the sock (see fixes tag). I forgot though that we allow af_unix unconnected
> sockets into a sock{map|hash} map.
>
> This is problematic because previous fixed expected sk_pair() to exist
> and did not NULL check it. Because unconnected sockets have a NULL
> sk_pair this resulted in the NULL ptr dereference found by syzkaller.
>
> BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
> Call Trace:
> <TASK>
> ...
> sock_hold include/net/sock.h:777 [inline]
> unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> sock_map_init_proto net/core/sock_map.c:190 [inline]
> sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
> sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
> sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
> bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
>
> We considered just checking for the null ptr and skipping taking a ref
> on the NULL peer sock. But, if the socket is then connected() after
> being added to the sockmap we can cause the original issue again. So
> instead this patch blocks adding af_unix sockets that are not in the
> ESTABLISHED state.
I'm not sure if someone has the unconnected stream socket use case
though, can't we call additional sock_hold() in connect() by checking
sk_prot under sk_callback_lock ?
^ permalink raw reply [flat|nested] 12+ messages in thread
* RE: [PATCH bpf v2 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add
2023-12-01 21:14 ` Kuniyuki Iwashima
@ 2023-12-04 21:40 ` John Fastabend
2023-12-04 22:37 ` Kuniyuki Iwashima
` (2 more replies)
0 siblings, 3 replies; 12+ messages in thread
From: John Fastabend @ 2023-12-04 21:40 UTC (permalink / raw)
To: Kuniyuki Iwashima, john.fastabend
Cc: bpf, edumazet, jakub, martin.lau, netdev, kuniyu
Kuniyuki Iwashima wrote:
> From: John Fastabend <john.fastabend@gmail.com>
> Date: Fri, 1 Dec 2023 10:01:38 -0800
> > I added logic to track the sock pair for stream_unix sockets so that we
> > ensure lifetime of the sock matches the time a sockmap could reference
> > the sock (see fixes tag). I forgot though that we allow af_unix unconnected
> > sockets into a sock{map|hash} map.
> >
> > This is problematic because previous fixed expected sk_pair() to exist
> > and did not NULL check it. Because unconnected sockets have a NULL
> > sk_pair this resulted in the NULL ptr dereference found by syzkaller.
> >
> > BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> > Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
> > Call Trace:
> > <TASK>
> > ...
> > sock_hold include/net/sock.h:777 [inline]
> > unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> > sock_map_init_proto net/core/sock_map.c:190 [inline]
> > sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
> > sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
> > sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
> > bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
> >
> > We considered just checking for the null ptr and skipping taking a ref
> > on the NULL peer sock. But, if the socket is then connected() after
> > being added to the sockmap we can cause the original issue again. So
> > instead this patch blocks adding af_unix sockets that are not in the
> > ESTABLISHED state.
>
> I'm not sure if someone has the unconnected stream socket use case
> though, can't we call additional sock_hold() in connect() by checking
> sk_prot under sk_callback_lock ?
Could be done I guess yes. I'm not sure the utility of it though. I
thought above patch was the simplest solution and didn't require touching
main af_unix code. I don't actually use the sockmap with af_unix
sockets anywhere so maybe someone who is using this can comment if
unconnected is needed?
From rcu and locking side looks like holding sk_callback_lock would
be sufficient. I was thinking it would require a rcu grace period
or something but seems not.
I guess I could improve original patch if folks want.
.John
^ permalink raw reply [flat|nested] 12+ messages in thread
* RE: [PATCH bpf v2 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add
2023-12-04 21:40 ` John Fastabend
@ 2023-12-04 22:37 ` Kuniyuki Iwashima
2023-12-06 9:47 ` Jakub Sitnicki
2023-12-08 4:19 ` Cong Wang
2 siblings, 0 replies; 12+ messages in thread
From: Kuniyuki Iwashima @ 2023-12-04 22:37 UTC (permalink / raw)
To: john.fastabend
Cc: bpf, edumazet, jakub, kuniyu, martin.lau, netdev, cong.wang, jiang.wang
+cc Cong and Jiang, as potential users of AF_UNIX sockmap w/ unconnected
SOCK_STREAM sockets
https://lore.kernel.org/netdev/20231201180139.328529-1-john.fastabend@gmail.com/
From: John Fastabend <john.fastabend@gmail.com>
Date: Mon, 04 Dec 2023 13:40:40 -0800
> Kuniyuki Iwashima wrote:
> > From: John Fastabend <john.fastabend@gmail.com>
> > Date: Fri, 1 Dec 2023 10:01:38 -0800
> > > I added logic to track the sock pair for stream_unix sockets so that we
> > > ensure lifetime of the sock matches the time a sockmap could reference
> > > the sock (see fixes tag). I forgot though that we allow af_unix unconnected
> > > sockets into a sock{map|hash} map.
> > >
> > > This is problematic because previous fixed expected sk_pair() to exist
> > > and did not NULL check it. Because unconnected sockets have a NULL
> > > sk_pair this resulted in the NULL ptr dereference found by syzkaller.
> > >
> > > BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> > > Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
> > > Call Trace:
> > > <TASK>
> > > ...
> > > sock_hold include/net/sock.h:777 [inline]
> > > unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> > > sock_map_init_proto net/core/sock_map.c:190 [inline]
> > > sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
> > > sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
> > > sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
> > > bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
> > >
> > > We considered just checking for the null ptr and skipping taking a ref
> > > on the NULL peer sock. But, if the socket is then connected() after
> > > being added to the sockmap we can cause the original issue again. So
> > > instead this patch blocks adding af_unix sockets that are not in the
> > > ESTABLISHED state.
> >
> > I'm not sure if someone has the unconnected stream socket use case
> > though, can't we call additional sock_hold() in connect() by checking
> > sk_prot under sk_callback_lock ?
>
> Could be done I guess yes. I'm not sure the utility of it though. I
> thought above patch was the simplest solution and didn't require touching
> main af_unix code. I don't actually use the sockmap with af_unix
> sockets anywhere so maybe someone who is using this can comment if
> unconnected is needed?
>
> From rcu and locking side looks like holding sk_callback_lock would
> be sufficient. I was thinking it would require a rcu grace period
> or something but seems not.
>
> I guess I could improve original patch if folks want.
>
> .John
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH bpf v2 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add
2023-12-04 21:40 ` John Fastabend
2023-12-04 22:37 ` Kuniyuki Iwashima
@ 2023-12-06 9:47 ` Jakub Sitnicki
2023-12-08 4:19 ` Cong Wang
2 siblings, 0 replies; 12+ messages in thread
From: Jakub Sitnicki @ 2023-12-06 9:47 UTC (permalink / raw)
To: John Fastabend; +Cc: bpf, edumazet, martin.lau, netdev, kuniyu
On Mon, Dec 04, 2023 at 01:40 PM -08, John Fastabend wrote:
> Kuniyuki Iwashima wrote:
>> From: John Fastabend <john.fastabend@gmail.com>
>> Date: Fri, 1 Dec 2023 10:01:38 -0800
>> > I added logic to track the sock pair for stream_unix sockets so that we
>> > ensure lifetime of the sock matches the time a sockmap could reference
>> > the sock (see fixes tag). I forgot though that we allow af_unix unconnected
>> > sockets into a sock{map|hash} map.
>> >
>> > This is problematic because previous fixed expected sk_pair() to exist
>> > and did not NULL check it. Because unconnected sockets have a NULL
>> > sk_pair this resulted in the NULL ptr dereference found by syzkaller.
>> >
>> > BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430
>> > net/unix/unix_bpf.c:171
>> > Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
>> > Call Trace:
>> > <TASK>
>> > ...
>> > sock_hold include/net/sock.h:777 [inline]
>> > unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
>> > sock_map_init_proto net/core/sock_map.c:190 [inline]
>> > sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
>> > sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
>> > sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
>> > bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
>> >
>> > We considered just checking for the null ptr and skipping taking a ref
>> > on the NULL peer sock. But, if the socket is then connected() after
>> > being added to the sockmap we can cause the original issue again. So
>> > instead this patch blocks adding af_unix sockets that are not in the
>> > ESTABLISHED state.
>>
>> I'm not sure if someone has the unconnected stream socket use case
>> though, can't we call additional sock_hold() in connect() by checking
>> sk_prot under sk_callback_lock ?
>
> Could be done I guess yes. I'm not sure the utility of it though. I
> thought above patch was the simplest solution and didn't require touching
> main af_unix code. I don't actually use the sockmap with af_unix
> sockets anywhere so maybe someone who is using this can comment if
> unconnected is needed?
>
> From rcu and locking side looks like holding sk_callback_lock would
> be sufficient. I was thinking it would require a rcu grace period
> or something but seems not.
I'd revist the option of grabbing an skpair ref in unix_stream_sendmsg.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH bpf v2 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add
2023-12-04 21:40 ` John Fastabend
2023-12-04 22:37 ` Kuniyuki Iwashima
2023-12-06 9:47 ` Jakub Sitnicki
@ 2023-12-08 4:19 ` Cong Wang
2023-12-11 14:56 ` Daniel Borkmann
2 siblings, 1 reply; 12+ messages in thread
From: Cong Wang @ 2023-12-08 4:19 UTC (permalink / raw)
To: John Fastabend
Cc: Kuniyuki Iwashima, bpf, edumazet, jakub, martin.lau, netdev, amery.hung
On Mon, Dec 04, 2023 at 01:40:40PM -0800, John Fastabend wrote:
> Kuniyuki Iwashima wrote:
> > From: John Fastabend <john.fastabend@gmail.com>
> > Date: Fri, 1 Dec 2023 10:01:38 -0800
> > > I added logic to track the sock pair for stream_unix sockets so that we
> > > ensure lifetime of the sock matches the time a sockmap could reference
> > > the sock (see fixes tag). I forgot though that we allow af_unix unconnected
> > > sockets into a sock{map|hash} map.
> > >
> > > This is problematic because previous fixed expected sk_pair() to exist
> > > and did not NULL check it. Because unconnected sockets have a NULL
> > > sk_pair this resulted in the NULL ptr dereference found by syzkaller.
> > >
> > > BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> > > Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
> > > Call Trace:
> > > <TASK>
> > > ...
> > > sock_hold include/net/sock.h:777 [inline]
> > > unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> > > sock_map_init_proto net/core/sock_map.c:190 [inline]
> > > sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
> > > sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
> > > sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
> > > bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
> > >
> > > We considered just checking for the null ptr and skipping taking a ref
> > > on the NULL peer sock. But, if the socket is then connected() after
> > > being added to the sockmap we can cause the original issue again. So
> > > instead this patch blocks adding af_unix sockets that are not in the
> > > ESTABLISHED state.
> >
> > I'm not sure if someone has the unconnected stream socket use case
> > though, can't we call additional sock_hold() in connect() by checking
> > sk_prot under sk_callback_lock ?
>
> Could be done I guess yes. I'm not sure the utility of it though. I
> thought above patch was the simplest solution and didn't require touching
> main af_unix code. I don't actually use the sockmap with af_unix
> sockets anywhere so maybe someone who is using this can comment if
> unconnected is needed?
>
Our use case is also connected unix stream socket, as demonstrated in
the selftest unix_redir_to_connected().
Thanks.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH bpf v2 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add
2023-12-08 4:19 ` Cong Wang
@ 2023-12-11 14:56 ` Daniel Borkmann
2023-12-13 23:23 ` [External] " Amery Hung
0 siblings, 1 reply; 12+ messages in thread
From: Daniel Borkmann @ 2023-12-11 14:56 UTC (permalink / raw)
To: Cong Wang, John Fastabend
Cc: Kuniyuki Iwashima, bpf, edumazet, jakub, martin.lau, netdev, amery.hung
On 12/8/23 5:19 AM, Cong Wang wrote:
> On Mon, Dec 04, 2023 at 01:40:40PM -0800, John Fastabend wrote:
>> Kuniyuki Iwashima wrote:
>>> From: John Fastabend <john.fastabend@gmail.com>
>>> Date: Fri, 1 Dec 2023 10:01:38 -0800
>>>> I added logic to track the sock pair for stream_unix sockets so that we
>>>> ensure lifetime of the sock matches the time a sockmap could reference
>>>> the sock (see fixes tag). I forgot though that we allow af_unix unconnected
>>>> sockets into a sock{map|hash} map.
>>>>
>>>> This is problematic because previous fixed expected sk_pair() to exist
>>>> and did not NULL check it. Because unconnected sockets have a NULL
>>>> sk_pair this resulted in the NULL ptr dereference found by syzkaller.
>>>>
>>>> BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
>>>> Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
>>>> Call Trace:
>>>> <TASK>
>>>> ...
>>>> sock_hold include/net/sock.h:777 [inline]
>>>> unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
>>>> sock_map_init_proto net/core/sock_map.c:190 [inline]
>>>> sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
>>>> sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
>>>> sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
>>>> bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
>>>>
>>>> We considered just checking for the null ptr and skipping taking a ref
>>>> on the NULL peer sock. But, if the socket is then connected() after
>>>> being added to the sockmap we can cause the original issue again. So
>>>> instead this patch blocks adding af_unix sockets that are not in the
>>>> ESTABLISHED state.
>>>
>>> I'm not sure if someone has the unconnected stream socket use case
>>> though, can't we call additional sock_hold() in connect() by checking
>>> sk_prot under sk_callback_lock ?
>>
>> Could be done I guess yes. I'm not sure the utility of it though. I
>> thought above patch was the simplest solution and didn't require touching
>> main af_unix code. I don't actually use the sockmap with af_unix
>> sockets anywhere so maybe someone who is using this can comment if
>> unconnected is needed?
>
> Our use case is also connected unix stream socket, as demonstrated in
> the selftest unix_redir_to_connected().
Great, is everyone good to move this fix forward then? Would be great if
this receives at least one ack if the latter is indeed the case.
Thanks,
Daniel
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH bpf v2 0/2] bpf fix for unconnect af_unix socket
2023-12-01 18:01 [PATCH bpf v2 0/2] bpf fix for unconnect af_unix socket John Fastabend
2023-12-01 18:01 ` [PATCH bpf v2 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add John Fastabend
2023-12-01 18:01 ` [PATCH bpf v2 2/2] bpf: sockmap, test for unconnected af_unix sock John Fastabend
@ 2023-12-12 10:09 ` Jakub Sitnicki
2023-12-14 1:40 ` patchwork-bot+netdevbpf
3 siblings, 0 replies; 12+ messages in thread
From: Jakub Sitnicki @ 2023-12-12 10:09 UTC (permalink / raw)
To: John Fastabend, Daniel Borkmann; +Cc: martin.lau, edumazet, bpf, netdev
On Fri, Dec 01, 2023 at 10:01 AM -08, John Fastabend wrote:
> Eric reported a syzbot splat from a null ptr deref from recent fix to
> resolve a use-after-free with af-unix stream sockets and BPF sockmap
> usage.
>
> The issue is I missed is we allow unconnected af_unix STREAM sockets to
> be added to the sockmap. Fix this by blocking unconnected sockets.
>
> v2: change sk_is_unix to sk_is_stream_unix (Eric) and remove duplicate
> ASSERTS in selftests the xsocket helper already marks FAIL (Jakub)
>
> John Fastabend (2):
> bpf: syzkaller found null ptr deref in unix_bpf proto add
> bpf: sockmap, test for unconnected af_unix sock
>
> include/net/sock.h | 5 +++
> net/core/sock_map.c | 2 ++
> .../selftests/bpf/prog_tests/sockmap_basic.c | 34 +++++++++++++++++++
> 3 files changed, 41 insertions(+)
For the series:
Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [External] Re: [PATCH bpf v2 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add
2023-12-11 14:56 ` Daniel Borkmann
@ 2023-12-13 23:23 ` Amery Hung
0 siblings, 0 replies; 12+ messages in thread
From: Amery Hung @ 2023-12-13 23:23 UTC (permalink / raw)
To: Daniel Borkmann
Cc: Cong Wang, John Fastabend, Kuniyuki Iwashima, bpf, edumazet,
jakub, martin.lau, netdev
On Mon, Dec 11, 2023 at 6:56 AM Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> On 12/8/23 5:19 AM, Cong Wang wrote:
> > On Mon, Dec 04, 2023 at 01:40:40PM -0800, John Fastabend wrote:
> >> Kuniyuki Iwashima wrote:
> >>> From: John Fastabend <john.fastabend@gmail.com>
> >>> Date: Fri, 1 Dec 2023 10:01:38 -0800
> >>>> I added logic to track the sock pair for stream_unix sockets so that we
> >>>> ensure lifetime of the sock matches the time a sockmap could reference
> >>>> the sock (see fixes tag). I forgot though that we allow af_unix unconnected
> >>>> sockets into a sock{map|hash} map.
> >>>>
> >>>> This is problematic because previous fixed expected sk_pair() to exist
> >>>> and did not NULL check it. Because unconnected sockets have a NULL
> >>>> sk_pair this resulted in the NULL ptr dereference found by syzkaller.
> >>>>
> >>>> BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> >>>> Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
> >>>> Call Trace:
> >>>> <TASK>
> >>>> ...
> >>>> sock_hold include/net/sock.h:777 [inline]
> >>>> unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
> >>>> sock_map_init_proto net/core/sock_map.c:190 [inline]
> >>>> sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
> >>>> sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
> >>>> sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
> >>>> bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
> >>>>
> >>>> We considered just checking for the null ptr and skipping taking a ref
> >>>> on the NULL peer sock. But, if the socket is then connected() after
> >>>> being added to the sockmap we can cause the original issue again. So
> >>>> instead this patch blocks adding af_unix sockets that are not in the
> >>>> ESTABLISHED state.
> >>>
> >>> I'm not sure if someone has the unconnected stream socket use case
> >>> though, can't we call additional sock_hold() in connect() by checking
> >>> sk_prot under sk_callback_lock ?
> >>
> >> Could be done I guess yes. I'm not sure the utility of it though. I
> >> thought above patch was the simplest solution and didn't require touching
> >> main af_unix code. I don't actually use the sockmap with af_unix
> >> sockets anywhere so maybe someone who is using this can comment if
> >> unconnected is needed?
> >
> > Our use case is also connected unix stream socket, as demonstrated in
> > the selftest unix_redir_to_connected().
>
> Great, is everyone good to move this fix forward then? Would be great if
> this receives at least one ack if the latter is indeed the case.
>
> Thanks,
> Daniel
I just want to ack that we are not inserting unconnected UDS to sockmap.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH bpf v2 0/2] bpf fix for unconnect af_unix socket
2023-12-01 18:01 [PATCH bpf v2 0/2] bpf fix for unconnect af_unix socket John Fastabend
` (2 preceding siblings ...)
2023-12-12 10:09 ` [PATCH bpf v2 0/2] bpf fix for unconnect af_unix socket Jakub Sitnicki
@ 2023-12-14 1:40 ` patchwork-bot+netdevbpf
3 siblings, 0 replies; 12+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-12-14 1:40 UTC (permalink / raw)
To: John Fastabend; +Cc: martin.lau, edumazet, jakub, bpf, netdev
Hello:
This series was applied to bpf/bpf.git (master)
by Martin KaFai Lau <martin.lau@kernel.org>:
On Fri, 1 Dec 2023 10:01:37 -0800 you wrote:
> Eric reported a syzbot splat from a null ptr deref from recent fix to
> resolve a use-after-free with af-unix stream sockets and BPF sockmap
> usage.
>
> The issue is I missed is we allow unconnected af_unix STREAM sockets to
> be added to the sockmap. Fix this by blocking unconnected sockets.
>
> [...]
Here is the summary with links:
- [bpf,v2,1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add
https://git.kernel.org/bpf/bpf/c/8d6650646ce4
- [bpf,v2,2/2] bpf: sockmap, test for unconnected af_unix sock
https://git.kernel.org/bpf/bpf/c/50d96f05af67
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2023-12-14 1:40 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-12-01 18:01 [PATCH bpf v2 0/2] bpf fix for unconnect af_unix socket John Fastabend
2023-12-01 18:01 ` [PATCH bpf v2 1/2] bpf: syzkaller found null ptr deref in unix_bpf proto add John Fastabend
2023-12-01 21:14 ` Kuniyuki Iwashima
2023-12-04 21:40 ` John Fastabend
2023-12-04 22:37 ` Kuniyuki Iwashima
2023-12-06 9:47 ` Jakub Sitnicki
2023-12-08 4:19 ` Cong Wang
2023-12-11 14:56 ` Daniel Borkmann
2023-12-13 23:23 ` [External] " Amery Hung
2023-12-01 18:01 ` [PATCH bpf v2 2/2] bpf: sockmap, test for unconnected af_unix sock John Fastabend
2023-12-12 10:09 ` [PATCH bpf v2 0/2] bpf fix for unconnect af_unix socket Jakub Sitnicki
2023-12-14 1:40 ` patchwork-bot+netdevbpf
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.