This Linux kernel change "bpf: fix out-of-bounds read in __bpf_skc_lookup" is included in the Linux 5.2 release. This change is authored by Lorenz Bauer <lmb [at] cloudflare.com> on Tue May 21 08:52:38 2019 +0100. The commit for this change in Linux stable tree is 9b28ae2 (patch).
bpf: fix out-of-bounds read in __bpf_skc_lookup __bpf_skc_lookup takes a socket tuple and the length of the tuple as an argument. Based on the length, it decides which address family to pass to the helper function sk_lookup. In case of AF_INET6, it fails to verify that the length of the tuple is long enough. sk_lookup may therefore access data past the end of the tuple. Fixes: 6acc9b432e67 ("bpf: Add helper to retrieve socket in BPF") Signed-off-by: Lorenz Bauer <email@example.com> Signed-off-by: Daniel Borkmann <firstname.lastname@example.org>
There are 8 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.
net/core/filter.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/core/filter.c b/net/core/filter.c index 55bfc94..76f1d99 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -5304,7 +5304,13 @@ static struct sock *sk_lookup(struct net *net, struct bpf_sock_tuple *tuple, struct net *net; int sdif; - family = len == sizeof(tuple->ipv4) ? AF_INET : AF_INET6; + if (len == sizeof(tuple->ipv4)) + family = AF_INET; + else if (len == sizeof(tuple->ipv6)) + family = AF_INET6; + else + return NULL; + if (unlikely(family == AF_UNSPEC || flags || !((s32)netns_id < 0 || netns_id <= S32_MAX))) goto out;