bpf: Fix use-after-free of sockmap #8686
Open
+91
−4
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![kernel-patches-daemon-bpf[bot]](https://avatars.githubusercontent.com/u/70728002?s=60&v=4){kind=small}
|
Upstream branch: 812f770 |
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
014f72f to
4d1d6fc
Compare
|
Upstream branch: b02f072 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/938035=>bpf-next
branch
from
8e5f91a to
9de4b50
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
4d1d6fc to
e14a0d8
Compare
|
Upstream branch: f3f8649 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/938035=>bpf-next
branch
from
9de4b50 to
f341117
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
e14a0d8 to
503edd4
Compare
|
Upstream branch: ae0a457 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/938035=>bpf-next
branch
from
f341117 to
17d38a2
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
503edd4 to
7e623dc
Compare
|
Upstream branch: f4edc66 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/938035=>bpf-next
branch
from
17d38a2 to
eb23d26
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
7e623dc to
156a3ac
Compare
|
Upstream branch: 6ca2162 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/938035=>bpf-next
branch
from
eb23d26 to
39b13a4
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
156a3ac to
50dba77
Compare
|
Upstream branch: a259804 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/938035=>bpf-next
branch
from
39b13a4 to
e937709
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
50dba77 to
ce294a5
Compare
|
Upstream branch: 79db658 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/938035=>bpf-next
branch
from
e937709 to
418c46b
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
ce294a5 to
e34fe93
Compare
|
Upstream branch: e16e64f |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/938035=>bpf-next
branch
from
418c46b to
8a10487
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
e34fe93 to
8c0b07b
Compare
|
Upstream branch: 51d6504 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/938035=>bpf-next
branch
from
8a10487 to
76f9a80
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
8c0b07b to
c55d243
Compare
|
Upstream branch: 307ef66 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/938035=>bpf-next
branch
from
76f9a80 to
9b963d7
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
c55d243 to
5cf614b
Compare
|
Upstream branch: 9aa8fe2 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/938035=>bpf-next
branch
from
9b963d7 to
ca64eff
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
5cf614b to
c9cf71b
Compare
|
Upstream branch: 9aa8fe2 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/938035=>bpf-next
branch
from
ca64eff to
7bcd864
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
c9cf71b to
26ba3c4
Compare
The sk->sk_socket is not locked or referenced, and during the call to
skb_send_sock(), there is a race condition with the release of sk_socket.
All types of sockets(tcp/udp/unix/vsock) will be affected.
Race conditions:
'''
CPU0 CPU1
skb_send_sock
sendmsg_unlocked
sock_sendmsg
sock_sendmsg_nosec
close(fd):
...
ops->release()
sock_map_close()
sk_socket->ops = NULL
free(socket)
sock->ops->sendmsg
^
panic here
'''
Based on the fact that we already wait for the workqueue to finish in
sock_map_close() if psock is held, we simply increase the psock
reference count to avoid race conditions.
'''
void sock_map_close()
{
...
if (likely(psock)) {
...
psock = sk_psock_get(sk);
if (unlikely(!psock))
goto no_psock; <=== Control usually jumps here via goto
...
cancel_delayed_work_sync(&psock->work); <=== not executed
sk_psock_put(sk, psock);
...
}
'''
The panic I catched:
'''
Workqueue: events sk_psock_backlog
RIP: 0010:sock_sendmsg+0x21d/0x440
RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001
...
Call Trace:
<TASK>
? die_addr+0x40/0xa0
? exc_general_protection+0x14c/0x230
? asm_exc_general_protection+0x26/0x30
? sock_sendmsg+0x21d/0x440
? sock_sendmsg+0x3e0/0x440
? __pfx_sock_sendmsg+0x10/0x10
__skb_send_sock+0x543/0xb70
sk_psock_backlog+0x247/0xb80
...
'''
Reported-by: Michal Luczaj <[email protected]>
Fixes: 799aa7f ("skmsg: Avoid lock_sock() in sk_psock_backlog()")
Signed-off-by: Jiayuan Chen <[email protected]>
|
Upstream branch: 9aa8fe2 |
There are potential concurrency issues, as shown below.
'''
CPU0 CPU1
sk_psock_verdict_data_ready:
socket *sock = sk->sk_socket
if (!sock) return
close(fd):
...
ops->release()
if (!sock->ops) return
sock->ops = NULL
rcu_call(sock)
free(sock)
READ_ONCE(sock->ops)
^
use 'sock' after free
'''
RCU is not applicable to Unix sockets read path, because the Unix socket
implementation itself assumes it's always in process context and heavily
uses mutex_lock, so, we can't call read_skb within rcu lock.
Incrementing the psock reference count would not help either, since
sock_map_close() does not wait for data_ready() to complete its execution.
While we don't utilize sk_socket here, implementing read_skb at the sock
layer instead of socket layer might be architecturally preferable ?
However, deferring this optimization as current fix adequately addresses
the immediate issue.
Fixes: c638291 ("af_unix: Implement ->psock_update_sk_prot()")
Reported-by: [email protected]
Closes: https://lore.kernel.org/bpf/[email protected]/
Signed-off-by: Jiayuan Chen <[email protected]>
Add edge case tests for sockmap. Signed-off-by: Jiayuan Chen <[email protected]>
kernel-patches-daemon-bpf
bot
force-pushed
the
series/938035=>bpf-next
branch
from
7bcd864 to
3c64a8d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: bpf: Fix use-after-free of sockmap
version: 3
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=944583