Re: [PATCH net v2] net: fix use-after-free when UDP GRO with shared fraglist

From: Daniel Borkmann
Date: Fri Jan 08 2021 - 05:33:27 EST

Next message: Lorenzo Pieralisi: "Re: [PATCH] arm64: PCI: Enable SMC conduit"
Previous message: Pavel Machek: "Re: Aarch64 EXT4FS inode checksum failures - seems to be weak memory ordering issues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 1/7/21 3:44 PM, Willem de Bruijn wrote:

On Thu, Jan 7, 2021 at 8:33 AM Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote:

On 1/7/21 2:05 PM, Willem de Bruijn wrote:

On Thu, Jan 7, 2021 at 7:52 AM Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote:

On 1/7/21 12:40 PM, Dongseok Yi wrote:

On 2021-01-07 20:05, Daniel Borkmann wrote:

On 1/7/21 1:39 AM, Dongseok Yi wrote:

[...]

PF_PACKET handles untouched fraglist. To modify the payload only
for udp_rcv_segment, skb_unclone is necessary.

I don't parse this last sentence here, please elaborate in more detail on why
it is necessary.

For example, if tc layer would modify mark on the skb, then __copy_skb_header()
in skb_segment_list() will propagate it. If tc layer would modify payload, the
skb_ensure_writable() will take care of that internally and if needed pull in
parts from fraglist into linear section to make it private. The purpose of the
skb_clone() above iff shared is to make the struct itself private (to safely
modify its struct members). What am I missing?

If tc writes, it will call skb_make_writable and thus pskb_expand_head
to create a private linear section for the head_skb.

skb_segment_list overwrites part of the skb linear section of each
fragment itself. Even after skb_clone, the frag_skbs share their
linear section with their clone in pf_packet, so we need a
pskb_expand_head here, too.

Ok, got it, thanks for the explanation. Would be great to have it in the v3 commit
log as well as that was more clear than the above. Too bad in that case (otoh
the pf_packet situation could be considered corner case ...); ether way, fix makes
sense then.

Thanks for double checking the tricky logic. Pf_packet + BPF is indeed
a peculiar corner case. But there are perhaps more, like raw sockets,
and other BPF hooks that can trigger an skb_make_writable.

Come to think of it, the no touching shared data rule is also violated
without a BPF program? Then there is nothing in the frag_skbs
themselves signifying that they are shared, but the head_skb is
cloned, so its data may still not be modified.

The skb_ensure_writable() is used in plenty of places from bpf, ovs, netfilter
to core stack (e.g. vlan, mpls, icmp), but either way there should be nothing
wrong with that as it's making sure to pull the data into its linear section
before modification. Uncareful use of skb_store_bits() with offset into skb_frags
for example could defeat that, but I don't see any in-tree occurrence that would
be problematic at this point..

This modification happens to be safe in practice, as the pf_packet
clones don't access the bytes before skb->data where this path inserts
headers. But still.

Next message: Lorenzo Pieralisi: "Re: [PATCH] arm64: PCI: Enable SMC conduit"
Previous message: Pavel Machek: "Re: Aarch64 EXT4FS inode checksum failures - seems to be weak memory ordering issues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]