From: Paul Chaignon Date: Fri, 1 Aug 2025 09:47:23 +0000 (+0200) Subject: bpf: Check flow_dissector ctx accesses are aligned X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ead3d7b2b6afa5ee7958620c4329982a7d9c2b78;p=thirdparty%2Fkernel%2Flinux.git bpf: Check flow_dissector ctx accesses are aligned flow_dissector_is_valid_access doesn't check that the context access is aligned. As a consequence, an unaligned access within one of the exposed field is considered valid and later rejected by flow_dissector_convert_ctx_access when we try to convert it. The later rejection is problematic because it's reported as a verifier bug with a kernel warning and doesn't point to the right instruction in verifier logs. Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook") Reported-by: syzbot+ccac90e482b2a81d74aa@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ccac90e482b2a81d74aa Signed-off-by: Paul Chaignon Acked-by: Yonghong Song Acked-by: Eduard Zingerman Link: https://lore.kernel.org/r/cc1b036be484c99be45eddf48bd78cc6f72839b1.1754039605.git.paul.chaignon@gmail.com Signed-off-by: Alexei Starovoitov --- diff --git a/net/core/filter.c b/net/core/filter.c index c09a85c17496e..da391e2b0788d 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -9458,6 +9458,9 @@ static bool flow_dissector_is_valid_access(int off, int size, if (off < 0 || off >= sizeof(struct __sk_buff)) return false; + if (off % size != 0) + return false; + if (type == BPF_WRITE) return false;