Commit 0e23f931 authored by Zijian Zhang's avatar Zijian Zhang Committed by Liu Jian
Browse files

bpf, sockmap: Several fixes to bpf_msg_pop_data 

stable inclusion
from stable-v6.6.64
commit 98c7ea7d11f2588e8197db042e0291e4ac8f8346
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEGFC
CVE: CVE-2024-56720

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=98c7ea7d11f2588e8197db042e0291e4ac8f8346



-------------------------------------------------

[ Upstream commit 5d609ba262475db450ba69b8e8a557bd768ac07a ]

Several fixes to bpf_msg_pop_data,
1. In sk_msg_shift_left, we should put_page
2. if (len == 0), return early is better
3. pop the entire sk_msg (last == msg->sg.size) should be supported
4. Fix for the value of variable "a"
5. In sk_msg_shift_left, after shifting, i has already pointed to the next
element. Addtional sk_msg_iter_var_next may result in BUG.

Fixes: 7246d8ed ("bpf: helper to pop data from messages")
Signed-off-by: default avatarZijian Zhang <zijianzhang@bytedance.com>
Reviewed-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/r/20241106222520.527076-8-zijianzhang@bytedance.com


Signed-off-by: default avatarMartin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarLiu Jian <liujian56@huawei.com>
parent 1e381fff

net/core/filter.c

+9 −6
Original line number Diff line number Diff line
@@ -2889,8 +2889,10 @@ static const struct bpf_func_proto bpf_msg_push_data_proto = { 


static void sk_msg_shift_left(struct sk_msg *msg, int i)

{

	struct scatterlist *sge = sk_msg_elem(msg, i);

	int prev;



	put_page(sg_page(sge));

	do {

		prev = i;

		sk_msg_iter_var_next(i);
@@ -2927,6 +2929,9 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start, 
	if (unlikely(flags))

		return -EINVAL;



	if (unlikely(len == 0))

		return 0;



	/* First find the starting scatterlist element */

	i = msg->sg.start;

	do {
@@ -2939,7 +2944,7 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start, 
	} while (i != msg->sg.end);



	/* Bounds checks: start and pop must be inside message */

	if (start >= offset + l || last >= msg->sg.size)

	if (start >= offset + l || last > msg->sg.size)

		return -EINVAL;



	space = MAX_MSG_FRAGS - sk_msg_elem_used(msg);
@@ -2968,12 +2973,12 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start, 
	 */

	if (start != offset) {

		struct scatterlist *nsge, *sge = sk_msg_elem(msg, i);

		int a = start;

		int a = start - offset;

		int b = sge->length - pop - a;



		sk_msg_iter_var_next(i);



		if (pop < sge->length - a) {

		if (b > 0) {

			if (space) {

				sge->length = a;

				sk_msg_shift_right(msg, i);
@@ -2992,7 +2997,6 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start, 
				if (unlikely(!page))

					return -ENOMEM;



				sge->length = a;

				orig = sg_page(sge);

				from = sg_virt(sge);

				to = page_address(page);
@@ -3002,7 +3006,7 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start, 
				put_page(orig);

			}

			pop = 0;

		} else if (pop >= sge->length - a) {

		} else {

			pop -= (sge->length - a);

			sge->length = a;

		}
@@ -3036,7 +3040,6 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start, 
			pop -= sge->length;

			sk_msg_shift_left(msg, i);

		}

		sk_msg_iter_var_next(i);

	}



	sk_mem_uncharge(msg->sk, len - pop);