From 7cb260c88e780a3276cf39d3547bfa5ac8d1565f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 29 Apr 2025 16:30:14 +0200 Subject: [PATCH] 5.10-stable patches added patches: xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch --- queue-5.10/series | 1 + ...info-before-running-a-xdp-s-bpf-prog.patch | 59 +++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 queue-5.10/xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch diff --git a/queue-5.10/series b/queue-5.10/series index 0898537e6c..aaf96912e0 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -277,3 +277,4 @@ md-raid1-add-check-for-missing-source-disk-in-proces.patch s390-virtio_ccw-don-t-allocate-assign-airqs-for-non-existing-queues.patch comedi-jr3_pci-fix-synchronous-deletion-of-timer.patch crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch +xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch diff --git a/queue-5.10/xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch b/queue-5.10/xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch new file mode 100644 index 0000000000..4873bb0262 --- /dev/null +++ b/queue-5.10/xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch 
@@ -0,0 +1,59 @@ +From bigeasy@linutronix.de Tue Apr 29 16:25:48 2025 +From: Sebastian Andrzej Siewior +Date: Thu, 24 Apr 2025 15:04:05 +0200 +Subject: xdp: Reset bpf_redirect_info before running a xdp's BPF prog. +To: Greg KH +Cc: stable@vger.kernel.org, netdev@vger.kernel.org, bpf@vger.kernel.org, "Ricardo Cañuelo Navarro" , "Alexei Starovoitov" , "Andrii Nakryiko" , "Daniel Borkmann" , "David S. Miller" , "Jakub Kicinski" , "Jesper Dangaard Brouer" , "John Fastabend" , "Thomas Gleixner" , "Toke Høiland-Jørgensen" +Message-ID: <20250424130405.xenRxobI@linutronix.de> +Content-Disposition: inline + +From: Sebastian Andrzej Siewior + +Ricardo reported a KASAN discovered use after free in v6.6-stable. + +The syzbot starts a BPF program via xdp_test_run_batch() which assigns +ri->tgt_value via dev_hash_map_redirect() and the return code isn't +XDP_REDIRECT it looks like nonsense. So the output in +bpf_warn_invalid_xdp_action() appears once. +Then the TUN driver runs another BPF program (on the same CPU) which +returns XDP_REDIRECT without setting ri->tgt_value first. It invokes +bpf_trace_printk() to print four characters and obtain the required +return value. This is enough to get xdp_do_redirect() invoked which +then accesses the pointer in tgt_value which might have been already +deallocated. + +This problem does not affect upstream because since commit + 401cb7dae8130 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.") + +the per-CPU variable is referenced via task's task_struct and exists on +the stack during NAPI callback. Therefore it is cleared once before the +first invocation and remains valid within the RCU section of the NAPI +callback. + +Instead of performing the huge backport of the commit (plus its fix ups) +here is an alternative version which only resets the variable in +question prior invoking the BPF program. 
+ +Acked-by: Toke Høiland-Jørgensen +Reported-by: Ricardo Cañuelo Navarro +Closes: https://lore.kernel.org/all/20250226-20250204-kasan-slab-use-after-free-read-in-dev_map_enqueue__submit-v3-0-360efec441ba@igalia.com/ +Fixes: 97f91a7cf04ff ("bpf: add bpf_redirect_map helper routine") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/filter.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -758,6 +758,10 @@ static __always_inline u32 bpf_prog_run_ + * already takes rcu_read_lock() when fetching the program, so + * it's not necessary here anymore. + */ ++ struct bpf_redirect_info *ri = this_cpu_ptr(&bpf_redirect_info); ++ ++ if (ri->map) ++ ri->map = NULL; + return __BPF_PROG_RUN(prog, xdp, BPF_DISPATCHER_FUNC(xdp)); + } + -- 2.47.3
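Review bot: the commit message identifies the dangling pointer as ri->tgt_value, but the hunk in include/linux/filter.h only clears ri->map; the explanation should say explicitly that this is sufficient because xdp_do_redirect() only consumes tgt_value on the map path and falls back to an ifindex lookup when ri->map is NULL, since a reader of this stable-only change cannot see that from the hunk, and if that assumption does not hold for this tree then ri->tgt_value (and ri->tgt_index) need resetting as well. Two smaller points on the same hunk: the existing comment about rcu_read_lock() now sits above the new reset instead of the __BPF_PROG_RUN() call it describes, so either move the reset above that comment or give it its own short comment noting it guards against state left behind by a previous program on this CPU (the scenario the commit message describes); and the `if (ri->map)` guard before `ri->map = NULL;` is presumably there to avoid dirtying the per-CPU line on every run, which is worth a word in that comment so it is not later "simplified" into an unconditional store or removed.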