Ubuntu-focal-kernel/kernel
Eric Dumazet 86f22a7842 bpf: Make sure mac_header was set before using it
BugLink: https://bugs.launchpad.net/bugs/1988225

commit 0326195f523a549e0a9d7fd44c70b26fd7265090 upstream.

Classic BPF has a way to load bytes starting from the mac header.

Some skbs do not have a mac header, and skb_mac_header()
in this case is returning a pointer that is 65535 bytes after
skb->head.

Existing range check in bpf_internal_load_pointer_neg_helper()
was properly kicking in and no illegal access was happening.

New sanity check in skb_mac_header() is firing, so we need
to avoid it.

WARNING: CPU: 1 PID: 28990 at include/linux/skbuff.h:2785 skb_mac_header include/linux/skbuff.h:2785 [inline]
WARNING: CPU: 1 PID: 28990 at include/linux/skbuff.h:2785 bpf_internal_load_pointer_neg_helper+0x1b1/0x1c0 kernel/bpf/core.c:74
Modules linked in:
CPU: 1 PID: 28990 Comm: syz-executor.0 Not tainted 5.19.0-rc4-syzkaller-00865-g4874fb9484be #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
RIP: 0010:skb_mac_header include/linux/skbuff.h:2785 [inline]
RIP: 0010:bpf_internal_load_pointer_neg_helper+0x1b1/0x1c0 kernel/bpf/core.c:74
Code: ff ff 45 31 f6 e9 5a ff ff ff e8 aa 27 40 00 e9 3b ff ff ff e8 90 27 40 00 e9 df fe ff ff e8 86 27 40 00 eb 9e e8 2f 2c f3 ff <0f> 0b eb b1 e8 96 27 40 00 e9 79 fe ff ff 90 41 57 41 56 41 55 41
RSP: 0018:ffffc9000309f668 EFLAGS: 00010216
RAX: 0000000000000118 RBX: ffffffffffeff00c RCX: ffffc9000e417000
RDX: 0000000000040000 RSI: ffffffff81873f21 RDI: 0000000000000003
RBP: ffff8880842878c0 R08: 0000000000000003 R09: 000000000000ffff
R10: 000000000000ffff R11: 0000000000000001 R12: 0000000000000004
R13: ffff88803ac56c00 R14: 000000000000ffff R15: dffffc0000000000
FS: 00007f5c88a16700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdaa9f6c058 CR3: 000000003a82c000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
____bpf_skb_load_helper_32 net/core/filter.c:276 [inline]
bpf_skb_load_helper_32+0x191/0x220 net/core/filter.c:264

Fixes: f9aefd6b2aa3 ("net: warn if mac header was not set")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20220707123900.945305-1-edumazet@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
2022-09-16 10:59:55 +02:00
bpf bpf: Make sure mac_header was set before using it 2022-09-16 10:59:55 +02:00
cgroup cgroup: Use separate src/dst nodes when preloading css_sets for migration 2022-09-16 10:59:12 +02:00
configs
debug UBUNTU: SAUCE: debug: Lock down kgdb 2022-05-21 11:27:20 -03:00
dma dma-debug: make things less spammy under memory pressure 2022-08-26 11:10:39 +02:00
events perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() 2022-09-16 10:59:38 +02:00
gcov gcov: re-fix clang-11+ support 2021-05-04 16:08:44 +02:00
irq random: remove unused irq_flags argument from add_interrupt_randomness() 2022-08-26 11:09:48 +02:00
livepatch livepatch: Nullify obj->mod in klp_module_coming()'s error path 2019-08-19 13:03:37 +02:00
locking locking/lockdep: Avoid RCU-induced noinstr fail 2022-01-13 18:42:05 +01:00
power PM: suspend: fix return value of __setup handler 2022-05-20 15:18:34 +02:00
printk printk: fix return value of printk.devkmsg __setup handler 2022-05-20 15:18:43 +02:00
rcu rcu: Don't deboost before reporting expedited quiescent state 2022-05-20 15:18:07 +02:00
sched sched/rt: Disable RT_RUNTIME_SHARE by default 2022-09-16 10:59:13 +02:00
time timekeeping: Add raw clock fallback for random_get_entropy() 2022-08-26 11:10:23 +02:00
trace tracing/histograms: Fix memory leak problem 2022-09-16 10:59:10 +02:00
.gitignore kbuild: update config_data.gz only when the content of .config is changed 2021-05-19 10:59:49 +02:00
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt sched/rt, Kconfig: Unbreak def/oldconfig with CONFIG_PREEMPT=y 2019-07-22 18:05:11 +02:00
Makefile kbuild: update config_data.gz only when the content of .config is changed 2021-05-19 10:59:49 +02:00
acct.c
async.c Revert "module, async: async_synchronize_full() on module init iff async is used" 2022-04-14 11:32:16 +02:00
audit.c audit: improve audit queue handling when "audit=1" on cmdline 2022-03-29 09:13:56 +02:00
audit.h audit: log AUDIT_TIME_* records only from rules 2022-05-20 15:18:33 +02:00
audit_fsnotify.c
audit_tree.c audit: move put_tree() to avoid trim_trees refcount underflow and UAF 2021-10-01 11:31:10 +02:00
audit_watch.c audit: CONFIG_CHANGE don't log internal bookkeeping as an event 2020-11-09 14:47:30 +01:00
auditfilter.c audit: fix a net reference leak in audit_list_rules_send() 2020-08-08 01:53:12 -04:00
auditsc.c audit: log AUDIT_TIME_* records only from rules 2022-05-20 15:18:33 +02:00
backtracetest.c
bounds.c
capability.c
compat.c
configs.c kernel/configs: Replace GPL boilerplate code with SPDX identifier 2019-07-30 18:34:15 +02:00
context_tracking.c
cpu.c random: clear fast pool, crng, and batches in cpuhp bring up 2022-08-26 11:10:11 +02:00
cpu_pm.c kernel/cpu_pm: Fix uninitted local in cpu_pm 2020-08-08 01:53:12 -04:00
crash_core.c
crash_dump.c
cred.c keys: Fix request_key() cache 2020-01-30 16:24:47 +01:00
delayacct.c
dma.c
exec_domain.c
exit.c don't dump the threads that had been already exiting when zapped. 2020-12-10 12:06:38 +01:00
extable.c extable: Add function to search only kernel exception table 2019-08-21 22:23:48 +10:00
fail_function.c fail_function: Remove a redundant mutex unlock 2021-01-20 14:24:22 +01:00
fork.c copy_process(): Move fd_install() out of sighand->siglock critical section 2022-04-14 11:32:25 +02:00
freezer.c Revert "libata, freezer: avoid block device removal while system is frozen" 2019-10-06 09:11:37 -06:00
futex.c mm, futex: fix shared futex pgoff on shmem huge page 2021-08-13 09:44:31 +02:00
gen_kheaders.sh kbuild: add variables for compression tools 2020-09-16 05:15:01 -04:00
groups.c
hung_task.c
iomem.c
irq_work.c
jump_label.c jump_label: Fix usage in module __init 2021-11-25 12:09:02 +01:00
kallsyms.c kallsyms: Refactor kallsyms_show_value() to take cred 2020-08-08 01:53:12 -04:00
kcmp.c exec: Transform exec_update_mutex into a rw_semaphore 2021-02-19 16:43:34 +01:00
kcov.c
kexec.c kexec_load: Disable at runtime if the kernel is locked down 2019-08-19 21:54:15 -07:00
kexec_core.c kernel: kexec: remove the lock operation of system_transition_mutex 2021-03-24 11:11:19 +01:00
kexec_elf.c kexec_elf: support 32 bit ELF files 2019-09-06 23:58:44 +02:00
kexec_file.c kexec_file: drop weak attribute from arch_kexec_apply_relocations[_add] 2022-08-26 11:11:25 +02:00
kexec_internal.h
kheaders.c
kmod.c kmod: make request_module() return an error when autoloading is disabled 2020-05-05 12:32:22 +02:00
kprobes.c kprobes: Limit max data_size of the kretprobe instances 2022-02-03 18:57:22 +01:00
ksysfs.c
kthread.c kthread: Fix PF_KTHREAD vs to_kthread() race 2021-10-01 11:33:59 +02:00
latencytop.c
module-internal.h
module.c module/ftrace: handle patchable-function-entry 2022-04-14 11:32:17 +02:00
module_signature.c module: harden ELF info handling 2021-04-23 11:58:31 +02:00
module_signing.c module: harden ELF info handling 2021-04-23 11:58:31 +02:00
notifier.c kernel/notifier.c: intercept duplicate registrations to avoid infinite loops 2020-11-09 14:47:25 +01:00
nsproxy.c
padata.c padata: add separate cpuhp node for CPUHP_PADATA_DEAD 2020-08-08 01:53:12 -04:00
panic.c panic: ensure preemption is disabled during panic() 2019-10-07 15:47:19 -07:00
params.c lockdown: Lock down module params that specify hardware parameters (eg. ioport) 2019-08-19 21:54:16 -07:00
pid.c kernel/pid.c: convert struct pid count to refcount_t 2019-07-16 19:23:24 -07:00
pid_namespace.c memcg: enable accounting for pids in nested pid namespaces 2021-10-12 16:31:40 -06:00
profile.c profiling: fix shift-out-of-bounds bugs 2021-10-27 17:04:21 -06:00
ptrace.c ptrace: Reimplement PTRACE_KILL by always sending SIGKILL 2022-08-26 11:07:09 +02:00
range.c
reboot.c Revert "PM: ACPI: reboot: Use S5 for reboot" 2022-04-14 11:32:31 +02:00
relay.c kernel/relay.c: fix memleak on destroy relay channel 2020-09-16 05:13:26 -04:00
resource.c /dev/mem: Revoke mappings when a driver claims the region 2020-08-08 01:53:12 -04:00
rseq.c
seccomp.c seccomp: Invalidate seccomp mode to catch death failures 2022-04-14 11:32:10 +02:00
signal.c signal handling: don't use BUG_ON() for debugging 2022-09-16 10:59:30 +02:00
smp.c smp: Fix offline cpu check in flush_smp_call_function_queue() 2022-06-22 14:50:41 +02:00
smpboot.c kthread: Extract KTHREAD_IS_PER_CPU 2021-03-24 11:11:35 +01:00
smpboot.h
softirq.c
stackleak.c
stacktrace.c stacktrace: Don't skip first entry on noncurrent tasks 2019-11-04 21:19:25 +01:00
stop_machine.c stop_machine: Avoid potential race behaviour 2019-10-17 12:47:12 +02:00
sys.c prctl: allow to setup brk for et_dyn executables 2021-10-27 17:04:21 -06:00
sys_ni.c
sysctl-test.c kernel/sysctl-test: Add null pointer test for sysctl.c:proc_dointvec() 2020-11-09 14:47:16 +01:00
sysctl.c mm: sysctl: fix missing numa_stat when !CONFIG_HUGETLB_PAGE 2022-09-16 10:59:23 +02:00
sysctl_binary.c
task_work.c UBUNTU: SAUCE: import aufs driver 2019-11-25 14:56:45 +01:00
taskstats.c taskstats: fix data-race 2020-01-30 16:21:42 +01:00
test_kprobes.c
torture.c torture: Remove exporting of internal functions 2019-08-01 14:30:22 -07:00
tracepoint.c tracepoint: Add tracepoint_probe_register_may_exist() for BPF tracing 2021-08-13 09:44:55 +02:00
tsacct.c taskstats: Cleanup the use of task->exit_code 2022-04-14 11:32:19 +02:00
ucount.c proc/sysctl: add shared variables for range check 2019-07-18 17:08:07 -07:00
uid16.c
uid16.h
umh.c usermodehelper: reset umask to default before executing user process 2020-11-09 14:48:17 +01:00
up.c smp: Fix smp_call_function_single_async prototype 2021-05-26 15:39:25 +02:00
user-return-notifier.c
user.c
user_namespace.c UBUNTU: SAUCE: add a sysctl to disable unprivileged user namespace unsharing 2019-11-25 14:56:26 +01:00
utsname.c
utsname_sysctl.c
watchdog.c watchdog/softlockup: Enforce that timestamp is valid on boot 2020-02-24 16:20:00 +01:00
watchdog_hld.c
workqueue.c workqueue: Fix unbind_workers() VS wq_worker_running() race 2022-03-07 16:35:02 +01:00
workqueue_internal.h