From: Alexei Starovoitov
Date: Mon, 14 Oct 2019 11:44:52 -0700
Subject: Re: [PATCH bpf] bpf: lwtunnel: fix reroute supplying invalid dst
To: Peter Oskolkov
Cc: Jiri Benc, bpf, Network Development, Peter Oskolkov, Stanislav Fomichev, Eric Dumazet
References: <111664d58fe4e9dd9c8014bb3d0b2dab93086a9e.1570609794.git.jbenc@redhat.com>
X-Mailing-List: bpf@vger.kernel.org

On Mon, Oct 14, 2019 at 10:39 AM Peter Oskolkov wrote:
>
> On Sat, Oct 12, 2019 at 9:59 AM Alexei Starovoitov
> wrote:
> >
> > On Wed, Oct 9, 2019 at 1:31 AM Jiri Benc wrote:
> > >
> > > The dst in bpf_input() has lwtstate field set. As it is of the
> > > LWTUNNEL_ENCAP_BPF type, lwtstate->data is struct bpf_lwt. When the bpf
> > > program returns BPF_LWT_REROUTE, ip_route_input_noref is directly called on
> > > this skb. This causes invalid memory access, as ip_route_input_slow calls
> > > skb_tunnel_info(skb) that expects the dst->lwstate->data to be
> > > struct ip_tunnel_info. This results to struct bpf_lwt being accessed as
> > > struct ip_tunnel_info.
> > >
> > > Drop the dst before calling the IP route input functions (both for IPv4 and
> > > IPv6).
> > >
> > > Reported by KASAN.
> > >
> > > Fixes: 3bd0b15281af ("bpf: add handling of BPF_LWT_REROUTE to lwt_bpf.c")
> > > Cc: Peter Oskolkov
> > > Signed-off-by: Jiri Benc
> >
> > Peter and other google folks,
> > please review.
>
> selftests/bpf/test_lwt_ip_encap.sh passes. Seems OK.
>
> Acked-by: Peter Oskolkov

Applied to bpf tree. Thanks
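
The type confusion and the fix described in the quoted commit message, as a small user-space C model added here (not kernel code and not part of the thread). All struct layouts and function names below are constructed stand-ins, and the lookup classifies the pointer rather than dereferencing it.

```c
#include <stddef.h>

/* Constructed stand-ins: layouts are illustrative, not the kernel's structs. */
enum encap_type { ENCAP_IP = 1, ENCAP_BPF = 2 };
struct tunnel_info { unsigned int tun_id; unsigned char mode; }; /* models ip_tunnel_info */
struct bpf_state { const char *prog_name; };                     /* models bpf_lwt */
struct lwt_state { enum encap_type type; void *data; };
struct dst { struct lwt_state *lwtstate; };
struct skb { struct dst *dst; };

enum lookup_result { NO_TUNNEL_INFO, TUNNEL_INFO_OK, TYPE_CONFUSED };

/* Models skb_tunnel_info() as the message describes it: whatever hangs off
 * lwtstate->data is handed back as tunnel info, with no look at the type. */
static struct tunnel_info *tunnel_info_of(const struct skb *skb)
{
    if (skb->dst && skb->dst->lwtstate)
        return (struct tunnel_info *)skb->dst->lwtstate->data;
    return NULL;
}

/* Models the route input path. It classifies the pointer instead of
 * dereferencing it, so the demo itself stays free of undefined behaviour. */
static enum lookup_result route_input(const struct skb *skb)
{
    struct tunnel_info *ti = tunnel_info_of(skb);
    if (!ti)
        return NO_TUNNEL_INFO;
    return skb->dst->lwtstate->type == ENCAP_IP ? TUNNEL_INFO_OK : TYPE_CONFUSED;
}

/* Models the BPF_LWT_REROUTE path; drop_dst=1 is the behaviour after the fix. */
static enum lookup_result reroute(struct skb *skb, int drop_dst)
{
    if (drop_dst)
        skb->dst = NULL;  /* models dropping the dst; the kernel also releases its ref */
    return route_input(skb);
}

/* Builds an skb whose dst carries BPF lwtunnel state, then reroutes it. */
static enum lookup_result demo(int fixed)
{
    struct bpf_state prog = { "constructed-prog" };
    struct lwt_state st = { ENCAP_BPF, &prog };
    struct dst d = { &st };
    struct skb s = { &d };
    return reroute(&s, fixed);
}
```

`demo(0)` models the pre-fix reroute, where the lookup receives BPF state typed as tunnel info; `demo(1)` models the reroute after the dst is dropped.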