Commit 9c142989 authored Jun 04, 2024 by Jakub Sitnicki Committed by Liu Jian Jun 04, 2024

bpf: Allow delete from sockmap/sockhash only if update is allowed

mainline inclusion
from mainline-v6.10-rc2
commit 98e948fb60d41447fd8d2d0c3b8637fc6b6dc26d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG7M
CVE: CVE-2024-35895

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=98e948fb60d41447fd8d2d0c3b8637fc6b6dc26d



---------------------------

We have seen an influx of syzkaller reports where a BPF program attached to
a tracepoint triggers a locking rule violation by performing a map_delete
on a sockmap/sockhash.

We don't intend to support this artificial use scenario. Extend the
existing verifier allowed-program-type check for updating sockmap/sockhash
to also cover deleting from a map.

From now on only BPF programs which were previously allowed to update
sockmap/sockhash can delete from these map types.

Fixes: ff9105993240 ("bpf, sockmap: Prevent lock inversion deadlock in map delete elem")
Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Reported-by:  <syzbot+ec941d6e24f633a59172@syzkaller.appspotmail.com>
Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by:  <syzbot+ec941d6e24f633a59172@syzkaller.appspotmail.com>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=ec941d6e24f633a59172
Link: https://lore.kernel.org/bpf/20240527-sockmap-verify-deletes-v1-1-944b372f2101@cloudflare.com


Signed-off-by: Liu Jian <liujian56@huawei.com>

parent 58341373

kernel/bpf/verifier.c

+7 −3

Original line number	Diff line number	Diff line
		@@ -4938,7 +4938,8 @@ static bool may_update_sockmap(struct bpf_verifier_env *env, int func_id)
		enum bpf_attach_type eatype = env->prog->expected_attach_type;
		enum bpf_prog_type type = resolve_prog_type(env->prog);

		if (func_id != BPF_FUNC_map_update_elem)
		if (func_id != BPF_FUNC_map_update_elem &&
		func_id != BPF_FUNC_map_delete_elem)
		return false;

		/* It's not possible to get access to a locked struct sock in these
		@@ -4949,6 +4950,11 @@ static bool may_update_sockmap(struct bpf_verifier_env *env, int func_id)
		if (eatype == BPF_TRACE_ITER)
		return true;
		break;
		case BPF_PROG_TYPE_SOCK_OPS:
		/* map_update allowed only via dedicated helpers with event type checks */
		if (func_id == BPF_FUNC_map_delete_elem)
		return true;
		break;
		case BPF_PROG_TYPE_SOCKET_FILTER:
		case BPF_PROG_TYPE_SCHED_CLS:
		case BPF_PROG_TYPE_SCHED_ACT:
		@@ -5036,7 +5042,6 @@ static int check_map_func_compatibility(struct bpf_verifier_env *env,
		case BPF_MAP_TYPE_SOCKMAP:
		if (func_id != BPF_FUNC_sk_redirect_map &&
		func_id != BPF_FUNC_sock_map_update &&
		func_id != BPF_FUNC_map_delete_elem &&
		func_id != BPF_FUNC_msg_redirect_map &&
		func_id != BPF_FUNC_sk_select_reuseport &&
		func_id != BPF_FUNC_map_lookup_elem &&
		@@ -5046,7 +5051,6 @@ static int check_map_func_compatibility(struct bpf_verifier_env *env,
		case BPF_MAP_TYPE_SOCKHASH:
		if (func_id != BPF_FUNC_sk_redirect_hash &&
		func_id != BPF_FUNC_sock_hash_update &&
		func_id != BPF_FUNC_map_delete_elem &&
		func_id != BPF_FUNC_msg_redirect_hash &&
		func_id != BPF_FUNC_sk_select_reuseport &&
		func_id != BPF_FUNC_map_lookup_elem &&