From patchwork Thu Dec 8 06:02:59 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 31169 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp24281wrr; Wed, 7 Dec 2022 22:06:48 -0800 (PST) X-Google-Smtp-Source: AA0mqf6yRf2yYjfmQifK2NcxBW59P6yQ73KVE8CP1fYFKL3QHJCU7kWI7dtRSGYqGI7XrPd2eNrA X-Received: by 2002:a17:907:77ce:b0:7c0:8225:54d with SMTP id kz14-20020a17090777ce00b007c08225054dmr34200303ejc.286.1670479608332; Wed, 07 Dec 2022 22:06:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1670479608; cv=none; d=google.com; s=arc-20160816; b=EKzMEoJFYHM5jEilaAEpRSiJ/s/LQM/9zRxLkRz4+3AmXppympdiKcHCOSaeDButP+ ak175YxI7tSKER5uBHvLM/80/ulsNGKvo9JfiXw+P8fF++F418GMf0AcQKZAyw0B9vjR xyW5PZotKEhNj4rMf8PFxfeKeVzJ7z/PodkhCfXRsdOp5kn7+I/WCPq/5AKR/cfpvzxE a/E//pVUZFHFlCsmdjJaK4TlWjlI6Dh3s1xnoFh9+kvaQtQFGP/PFf7Jn/FVcy805+Hm 7Qpys1MU/9cxAvixv/K/pOgvMh8bhnxvk8q1l4pQ6p8meDZVyxrT7MZtPOwOmMIdcL4l dJsQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=EPhmNwWi4z0Ewzi20WGpci8FcsM0lxXDqeltE0OefvQ=; b=OVgwQETkhwUEZvRq1I92sGajiK9pYtkEW0WRIqAyv/T0WLxSnNlPCTf/FOzjSBdqR6 TXlocvCvbqgWlxW2KrXuTtdzb9Hsh1Vf6WCrW4Y2R4xMK6x0PB2U/42ouvpOKljkM1Mf 9uFDjt9HnnuRZ2w+xdICX5mS47oGgoDRVLBkIn51BH0E1CyUHBOgi0tHlyeI8BIAFt7M p+E50b+vcuUMf6tWM8214JNLvynmFYozI61cQ/7RKsZnNVNYihknNIXnGnhC3Jf8+Nmo 1EOboEyOTCXii8ERHtA4MNqf7Cast9c7GAC7Ie5y1q8H0mJvkmaFHW47jlLkbTEYtjih ArCA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=QD4UFIWq; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id e24-20020a50fb98000000b0046c0d2186c3si5359430edq.446.2022.12.07.22.05.52; Wed, 07 Dec 2022 22:06:48 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=QD4UFIWq; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229601AbiLHGDI (ORCPT + 99 others); Thu, 8 Dec 2022 01:03:08 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48510 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229564AbiLHGDG (ORCPT ); Thu, 8 Dec 2022 01:03:06 -0500 Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EAC532E6BA for ; Wed, 7 Dec 2022 22:03:04 -0800 (PST) Received: by mail-pg1-x534.google.com with SMTP id f9so397162pgf.7 for ; Wed, 07 Dec 2022 22:03:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=EPhmNwWi4z0Ewzi20WGpci8FcsM0lxXDqeltE0OefvQ=; b=QD4UFIWqVRmHLPBU3XmHUK7j3Bt96je4dxF214FmmakwbxbdEo29dXdbh5svmH/Z2k lpN/vsfg+I/9XgYL9FgbSqBfxaEfGoRHjMJjBCIzxmlaFzPEd/1J9t6Cr4Ux1FF5gWpD WjFshPkVIbUlhW0bvhh+rPrLVbxLZMSPekKlc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=EPhmNwWi4z0Ewzi20WGpci8FcsM0lxXDqeltE0OefvQ=; b=kG79ZTDqzvDtMAwGFa24VOmPr8lT3Pg/MrXynqlTtI4Pw8yDG2/gjGOPOoYdsru/fR eT9amd/nZd1aUuOpVfyWivQ3kWNxEMSMqWTHqf9zwX/jzX5Lmt4YugonP/1mfiVdHnFF qjLiLDUvMECG7lU6lyX9AB9rMFPT8PE3FRFkFoRU9H8RXjDZsTfHNo86j9KGUyFQwfU7 ew0v/mjwLXjcJMvi9FKwY8ZZtqxk8S8aPLiKDfu5N6LE6L97r/O31RwS+Gg2loy5agiq wsqtSesSy68dp2GTvf4cjh97ERpVfy2yY73ggcvK+G3QZC//DLblisXEZSvJpcSzIx1c 81bQ== X-Gm-Message-State: ANoB5pmvhX4zssF6VtfNaYyTX9ZlkAgm34H7VDVHtfBt6a87JCd+7yny l2YAG22AH/eGU3EZAmZ1TcqhRQ== X-Received: by 2002:a05:6a00:1a4c:b0:574:97d4:c10f with SMTP id h12-20020a056a001a4c00b0057497d4c10fmr65265284pfv.81.1670479384355; Wed, 07 Dec 2022 22:03:04 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id j4-20020a17090a840400b00219cf5c3829sm2070908pjn.57.2022.12.07.22.03.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Dec 2022 22:03:03 -0800 (PST) From: Kees Cook To: Jakub Kicinski Cc: Kees Cook , syzbot+fda18eaa8c12534ccb3b@syzkaller.appspotmail.com, Eric Dumazet , "David S. Miller" , Paolo Abeni , Pavel Begunkov , pepsipu , Vlastimil Babka , kasan-dev , Andrii Nakryiko , ast@kernel.org, bpf , Daniel Borkmann , Hao Luo , Jesper Dangaard Brouer , John Fastabend , jolsa@kernel.org, KP Singh , martin.lau@linux.dev, Stanislav Fomichev , song@kernel.org, Yonghong Song , netdev@vger.kernel.org, LKML , Rasesh Mody , Ariel Elior , Manish Chopra , Menglong Dong , David Ahern , Richard Gobert , Andrey Konovalov , David Rientjes , GR-Linux-NIC-Dev@marvell.com, linux-hardening@vger.kernel.org Subject: [PATCH net-next v3] skbuff: Introduce slab_build_skb() Date: Wed, 7 Dec 2022 22:02:59 -0800 Message-Id: <20221208060256.give.994-kees@kernel.org> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=7775; h=from:subject:message-id; bh=0NU8DDppqfAVLsDlfD+CO5h/nC1dPBT2P22dmT0qs/s=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBjkX4T8itmDqz4eyTltyQjXCELJvJjKlc3Cc8Uy4Uo wA3kFEKJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCY5F+EwAKCRCJcvTf3G3AJtpJEA CSFMdkjZnrrqIciMt7F/Iys/d0n+Bm7l+cY6KzpPc866MFxjbtFv1bpZY58WcNggumlz0EVVSvLxgQ 3i5EUOP4LV75465l5Y4K8EBgUquHqYUQw6ejtHDoHEDSza1r8Q6YLTBVU3Q2AE1SYRsUTBZpLAxRGS A706N11gpuBeLptE0B3VKTQT3NYBvqLSZ5aWG6B4cjFlSxVb42do2Ip4aQasccTdU1FPD9ceTlCsNg GPkXxwOo6M4+Phr1QgE6OzGNqfHKEMjOTQcrwG3tPaIj8zu3Skzu+wmg38K8eHIdBurcf1NL8Jau96 8i3Am2Akw/4uQ+uBpTVt4M6zBLig6gDB6NmGmGupXSBe3/ChpBIB9WtsTmMlJGW4uwK6eXEUMkcfwe OxLuVS1w75c/yNv+d3mbIfMGtzb/bqv0GhmruHcqKHw1zjN6Ngdipo4H0kqKGhwuU6CtWz73ojFNRb kNA2gW0VkJZQHtwyZQnXPlVEAh7IZNhl6TXV46hBvUSDP2MUU5QonqQs/qULRaw6P4KH5d+yiswesS ucokQWTA1IvyZX1dm3+QK0Ti+Z9TnQen9CIgsPCAdD9BqOapmZArDrEbq33+Ml6bOq9+u5HnNl78uU A5sKU5bKYk3fWyKSURPECICkTXIebhoGmGWHqG4Rf9DwgP/3dot7jelU+Org== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1751624825691116689?= X-GMAIL-MSGID: =?utf-8?q?1751624825691116689?= syzkaller reported: BUG: KASAN: slab-out-of-bounds in __build_skb_around+0x235/0x340 net/core/skbuff.c:294 Write of size 32 at addr ffff88802aa172c0 by task syz-executor413/5295 For bpf_prog_test_run_skb(), which uses a kmalloc()ed buffer passed to build_skb(). When build_skb() is passed a frag_size of 0, it means the buffer came from kmalloc. In these cases, ksize() is used to find its actual size, but since the allocation may not have been made to that size, actually perform the krealloc() call so that all the associated buffer size checking will be correctly notified (and use the "new" pointer so that compiler hinting works correctly). Split this logic out into a new interface, slab_build_skb(), but leave the original 0 checking for now to catch any stragglers. Reported-by: syzbot+fda18eaa8c12534ccb3b@syzkaller.appspotmail.com Link: https://groups.google.com/g/syzkaller-bugs/c/UnIKxTtU5-0/m/-wbXinkgAQAJ Fixes: 38931d8989b5 ("mm: Make ksize() a reporting-only function") Cc: Jakub Kicinski Cc: Eric Dumazet Cc: "David S. Miller" Cc: Paolo Abeni Cc: Pavel Begunkov Cc: pepsipu Cc: syzbot+fda18eaa8c12534ccb3b@syzkaller.appspotmail.com Cc: Vlastimil Babka Cc: kasan-dev Cc: Andrii Nakryiko Cc: ast@kernel.org Cc: bpf Cc: Daniel Borkmann Cc: Hao Luo Cc: Jesper Dangaard Brouer Cc: John Fastabend Cc: jolsa@kernel.org Cc: KP Singh Cc: martin.lau@linux.dev Cc: Stanislav Fomichev Cc: song@kernel.org Cc: Yonghong Song Cc: netdev@vger.kernel.org Cc: LKML Signed-off-by: Kees Cook --- v3: - make sure "resized" is passed back so compiler hints survive - update kerndoc (kuba) v2: https://lore.kernel.org/lkml/20221208000209.gonna.368-kees@kernel.org v1: https://lore.kernel.org/netdev/20221206231659.never.929-kees@kernel.org/ --- drivers/net/ethernet/broadcom/bnx2.c | 2 +- drivers/net/ethernet/qlogic/qed/qed_ll2.c | 2 +- include/linux/skbuff.h | 1 + net/bpf/test_run.c | 2 +- net/core/skbuff.c | 70 ++++++++++++++++++++--- 5 files changed, 66 insertions(+), 11 deletions(-) diff --git a/drivers/net/ethernet/broadcom/bnx2.c b/drivers/net/ethernet/broadcom/bnx2.c index fec57f1982c8..b2230a4a2086 100644 --- a/drivers/net/ethernet/broadcom/bnx2.c +++ b/drivers/net/ethernet/broadcom/bnx2.c @@ -3045,7 +3045,7 @@ bnx2_rx_skb(struct bnx2 *bp, struct bnx2_rx_ring_info *rxr, u8 *data, dma_unmap_single(&bp->pdev->dev, dma_addr, bp->rx_buf_use_size, DMA_FROM_DEVICE); - skb = build_skb(data, 0); + skb = slab_build_skb(data); if (!skb) { kfree(data); goto error; diff --git a/drivers/net/ethernet/qlogic/qed/qed_ll2.c b/drivers/net/ethernet/qlogic/qed/qed_ll2.c index ed274f033626..e5116a86cfbc 100644 --- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c +++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c @@ -200,7 +200,7 @@ static void qed_ll2b_complete_rx_packet(void *cxt, dma_unmap_single(&cdev->pdev->dev, buffer->phys_addr, cdev->ll2->rx_size, DMA_FROM_DEVICE); - skb = build_skb(buffer->data, 0); + skb = slab_build_skb(buffer->data); if (!skb) { DP_INFO(cdev, "Failed to build SKB\n"); kfree(buffer->data); diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 7be5bb4c94b6..0b391b635430 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -1253,6 +1253,7 @@ struct sk_buff *build_skb_around(struct sk_buff *skb, void skb_attempt_defer_free(struct sk_buff *skb); struct sk_buff *napi_build_skb(void *data, unsigned int frag_size); +struct sk_buff *slab_build_skb(void *data); /** * alloc_skb - allocate a network buffer diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index 13d578ce2a09..611b1f4082cf 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -1130,7 +1130,7 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr, } sock_init_data(NULL, sk); - skb = build_skb(data, 0); + skb = slab_build_skb(data); if (!skb) { kfree(data); kfree(ctx); diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 1d9719e72f9d..ae5a6f7db37b 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -269,12 +269,10 @@ static struct sk_buff *napi_skb_cache_get(void) return skb; } -/* Caller must provide SKB that is memset cleared */ -static void __build_skb_around(struct sk_buff *skb, void *data, - unsigned int frag_size) +static inline void __finalize_skb_around(struct sk_buff *skb, void *data, + unsigned int size) { struct skb_shared_info *shinfo; - unsigned int size = frag_size ? : ksize(data); size -= SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); @@ -296,15 +294,71 @@ static void __build_skb_around(struct sk_buff *skb, void *data, skb_set_kcov_handle(skb, kcov_common_handle()); } +static inline void *__slab_build_skb(struct sk_buff *skb, void *data, + unsigned int *size) +{ + void *resized; + + /* Must find the allocation size (and grow it to match). */ + *size = ksize(data); + /* krealloc() will immediately return "data" when + * "ksize(data)" is requested: it is the existing upper + * bounds. As a result, GFP_ATOMIC will be ignored. Note + * that this "new" pointer needs to be passed back to the + * caller for use so the __alloc_size hinting will be + * tracked correctly. + */ + resized = krealloc(data, *size, GFP_ATOMIC); + WARN_ON_ONCE(resized != data); + return resized; +} + +/* build_skb() variant which can operate on slab buffers. + * Note that this should be used sparingly as slab buffers + * cannot be combined efficiently by GRO! + */ +struct sk_buff *slab_build_skb(void *data) +{ + struct sk_buff *skb; + unsigned int size; + + skb = kmem_cache_alloc(skbuff_head_cache, GFP_ATOMIC); + if (unlikely(!skb)) + return NULL; + + memset(skb, 0, offsetof(struct sk_buff, tail)); + data = __slab_build_skb(skb, data, &size); + __finalize_skb_around(skb, data, size); + + return skb; +} +EXPORT_SYMBOL(slab_build_skb); + +/* Caller must provide SKB that is memset cleared */ +static void __build_skb_around(struct sk_buff *skb, void *data, + unsigned int frag_size) +{ + unsigned int size = frag_size; + + /* frag_size == 0 is considered deprecated now. Callers + * using slab buffer should use slab_build_skb() instead. + */ + if (WARN_ONCE(size == 0, "Use slab_build_skb() instead")) + data = __slab_build_skb(skb, data, &size); + + __finalize_skb_around(skb, data, size); +} + /** * __build_skb - build a network buffer * @data: data buffer provided by caller - * @frag_size: size of data, or 0 if head was kmalloced + * @frag_size: size of data (must not be 0) * * Allocate a new &sk_buff. Caller provides space holding head and - * skb_shared_info. @data must have been allocated by kmalloc() only if - * @frag_size is 0, otherwise data should come from the page allocator - * or vmalloc() + * skb_shared_info. @data must have been allocated from the page + * allocator or vmalloc(). (A @frag_size of 0 to indicate a kmalloc() + * allocation is deprecated, and callers should use slab_build_skb() + * instead.) * The return is the new skb buffer. * On a failure the return is %NULL, and @data is not freed. * Notes :