From 65073a67331de3d2cce35607807ddec284e75e81 Mon Sep 17 00:00:00 2001 From: Daniel Borkmann Date: Wed, 31 Jan 2018 12:58:56 +0100 Subject: bpf: fix null pointer deref in bpf_prog_test_run_xdp syzkaller was able to generate the following XDP program ... (18) r0 = 0x0 (61) r5 = *(u32 *)(r1 +12) (04) (u32) r0 += (u32) 0 (95) exit ... and trigger a NULL pointer dereference in ___bpf_prog_run() via bpf_prog_test_run_xdp() where this was attempted to run. Reason is that recent xdp_rxq_info addition to XDP programs updated all drivers, but not bpf_prog_test_run_xdp(), where xdp_buff is set up. Thus when context rewriter does the deref on the netdev it's NULL at runtime. Fix it by using xdp_rxq from loopback dev. __netif_get_rx_queue() helper can also be reused in various other locations later on. Fixes: 02dd3291b2f0 ("bpf: finally expose xdp_rxq_info to XDP bpf-programs") Reported-by: syzbot+1eb094057b338eb1fc00@syzkaller.appspotmail.com Signed-off-by: Daniel Borkmann Cc: Jesper Dangaard Brouer Acked-by: Jesper Dangaard Brouer Signed-off-by: Alexei Starovoitov --- include/linux/netdevice.h | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'include') diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 4c77f39ebd65..5eef6c8e2741 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -3228,6 +3228,12 @@ static inline int netif_set_real_num_rx_queues(struct net_device *dev, } #endif +static inline struct netdev_rx_queue * +__netif_get_rx_queue(struct net_device *dev, unsigned int rxq) +{ + return dev->_rx + rxq; +} + #ifdef CONFIG_SYSFS static inline unsigned int get_netdev_rx_queue_index( struct netdev_rx_queue *queue) -- cgit v1.2.3 From 3df1928302950dfa728ab2eade28eea0da291567 Mon Sep 17 00:00:00 2001 From: William Tu Date: Mon, 5 Feb 2018 13:35:34 -0800 Subject: net: erspan: fix metadata extraction Commit d350a823020e ("net: erspan: create erspan metadata uapi header") moves the erspan 'version' in front of the 'struct erspan_md2' for later extensibility reason. This breaks the existing erspan metadata extraction code because the erspan_md2 then has a 4-byte offset to between the erspan_metadata and erspan_base_hdr. This patch fixes it. Fixes: 1a66a836da63 ("gre: add collect_md mode to ERSPAN tunnel") Fixes: ef7baf5e083c ("ip6_gre: add ip6 erspan collect_md mode") Fixes: 1d7e2ed22f8d ("net: erspan: refactor existing erspan code") Signed-off-by: William Tu Signed-off-by: David S. Miller --- include/net/erspan.h | 26 +++++++++++++------------- net/ipv4/ip_gre.c | 5 ++++- net/ipv6/ip6_gre.c | 6 ++++-- 3 files changed, 21 insertions(+), 16 deletions(-) (limited to 'include') diff --git a/include/net/erspan.h b/include/net/erspan.h index 5daa4866412b..d044aa60cc76 100644 --- a/include/net/erspan.h +++ b/include/net/erspan.h @@ -159,13 +159,13 @@ static inline void erspan_build_header(struct sk_buff *skb, struct ethhdr *eth = (struct ethhdr *)skb->data; enum erspan_encap_type enc_type; struct erspan_base_hdr *ershdr; - struct erspan_metadata *ersmd; struct qtag_prefix { __be16 eth_type; __be16 tci; } *qp; u16 vlan_tci = 0; u8 tos; + __be32 *idx; tos = is_ipv4 ? ip_hdr(skb)->tos : (ipv6_hdr(skb)->priority << 4) + @@ -195,8 +195,8 @@ static inline void erspan_build_header(struct sk_buff *skb, set_session_id(ershdr, id); /* Build metadata */ - ersmd = (struct erspan_metadata *)(ershdr + 1); - ersmd->u.index = htonl(index & INDEX_MASK); + idx = (__be32 *)(ershdr + 1); + *idx = htonl(index & INDEX_MASK); } /* ERSPAN GRA: timestamp granularity @@ -225,7 +225,7 @@ static inline void erspan_build_header_v2(struct sk_buff *skb, { struct ethhdr *eth = (struct ethhdr *)skb->data; struct erspan_base_hdr *ershdr; - struct erspan_metadata *md; + struct erspan_md2 *md2; struct qtag_prefix { __be16 eth_type; __be16 tci; @@ -261,15 +261,15 @@ static inline void erspan_build_header_v2(struct sk_buff *skb, set_session_id(ershdr, id); /* Build metadata */ - md = (struct erspan_metadata *)(ershdr + 1); - md->u.md2.timestamp = erspan_get_timestamp(); - md->u.md2.sgt = htons(sgt); - md->u.md2.p = 1; - md->u.md2.ft = 0; - md->u.md2.dir = direction; - md->u.md2.gra = gra; - md->u.md2.o = 0; - set_hwid(&md->u.md2, hwid); + md2 = (struct erspan_md2 *)(ershdr + 1); + md2->timestamp = erspan_get_timestamp(); + md2->sgt = htons(sgt); + md2->p = 1; + md2->ft = 0; + md2->dir = direction; + md2->gra = gra; + md2->o = 0; + set_hwid(md2, hwid); } #endif diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index 6ec670fbbbdd..9b50eddd1882 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -261,6 +261,7 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, struct ip_tunnel_net *itn; struct ip_tunnel *tunnel; const struct iphdr *iph; + struct erspan_md2 *md2; int ver; int len; @@ -313,8 +314,10 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, return PACKET_REJECT; md = ip_tunnel_info_opts(&tun_dst->u.tun_info); - memcpy(md, pkt_md, sizeof(*md)); md->version = ver; + md2 = &md->u.md2; + memcpy(md2, pkt_md, ver == 1 ? ERSPAN_V1_MDSIZE : + ERSPAN_V2_MDSIZE); info = &tun_dst->u.tun_info; info->key.tun_flags |= TUNNEL_ERSPAN_OPT; diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index 05f070e123e4..50913dbd0612 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -505,6 +505,7 @@ static int ip6erspan_rcv(struct sk_buff *skb, int gre_hdr_len, struct erspan_base_hdr *ershdr; struct erspan_metadata *pkt_md; const struct ipv6hdr *ipv6h; + struct erspan_md2 *md2; struct ip6_tnl *tunnel; u8 ver; @@ -551,9 +552,10 @@ static int ip6erspan_rcv(struct sk_buff *skb, int gre_hdr_len, info = &tun_dst->u.tun_info; md = ip_tunnel_info_opts(info); - - memcpy(md, pkt_md, sizeof(*md)); md->version = ver; + md2 = &md->u.md2; + memcpy(md2, pkt_md, ver == 1 ? ERSPAN_V1_MDSIZE : + ERSPAN_V2_MDSIZE); info->key.tun_flags |= TUNNEL_ERSPAN_OPT; info->options_len = sizeof(*md); -- cgit v1.2.3