bpf: fix out-of-bounds read in __bpf_skc_lookup [Linux 5.2]

bpf: fix out-of-bounds read in __bpf_skc_lookup [Linux 5.2]

This Linux kernel change "bpf: fix out-of-bounds read in __bpf_skc_lookup" is included in the Linux 5.2 release. This change is authored by Lorenz Bauer <lmb [at] cloudflare.com> on Tue May 21 08:52:38 2019 +0100. The commit for this change in Linux stable tree is 9b28ae2 (patch).

bpf: fix out-of-bounds read in __bpf_skc_lookup

__bpf_skc_lookup takes a socket tuple and the length of the
tuple as an argument. Based on the length, it decides which
address family to pass to the helper function sk_lookup.

In case of AF_INET6, it fails to verify that the length
of the tuple is long enough. sk_lookup may therefore access
data past the end of the tuple.

Fixes: 6acc9b432e67 ("bpf: Add helper to retrieve socket in BPF")
Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

There are 8 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 net/core/filter.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 55bfc94..76f1d99 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -5304,7 +5304,13 @@ static struct sock *sk_lookup(struct net *net, struct bpf_sock_tuple *tuple,
    struct net *net;
    int sdif;

-   family = len == sizeof(tuple->ipv4) ? AF_INET : AF_INET6;
+   if (len == sizeof(tuple->ipv4))
+       family = AF_INET;
+   else if (len == sizeof(tuple->ipv6))
+       family = AF_INET6;
+   else
+       return NULL;
+
    if (unlikely(family == AF_UNSPEC || flags ||
             !((s32)netns_id < 0 || netns_id <= S32_MAX)))
        goto out;

Leave a Reply

Your email address will not be published. Required fields are marked *