From 09433b494808d4ac05a397fca830edb59470a190 Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Wed, 30 Oct 2024 14:39:56 +0800 Subject: [PATCH 1/2] bpf, sockmap: Use stricter sk state checks in sk_lookup_assign mainline inclusion from mainline-v5.16-rc1 commit 40a34121ac1dc52ed9cd34a8f4e48e32517a52fd category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB0F23 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=40a34121ac1dc52ed9cd34a8f4e48e32517a52fd -------------------------------- In order to fix an issue with sockets in TCP sockmap redirect cases we plan to allow CLOSE state sockets to exist in the sockmap. However, the check in bpf_sk_lookup_assign() currently only invalidates sockets in the TCP_ESTABLISHED case relying on the checks on sockmap insert to ensure we never SOCK_CLOSE state sockets in the map. To prepare for this change we flip the logic in bpf_sk_lookup_assign() to explicitly test for the accepted cases. Namely, a tcp socket in TCP_LISTEN or a udp socket in TCP_CLOSE state. This also makes the code more resilent to future changes. Suggested-by: Jakub Sitnicki Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Reviewed-by: Jakub Sitnicki Link: https://lore.kernel.org/bpf/20211103204736.248403-2-john.fastabend@gmail.com Conflicts: include/linux/skmsg.h net/core/sock_map.c [Context conflicts] Signed-off-by: Yu Kuai
---
 include/linux/skmsg.h | 12 ++++++++++++
 net/core/filter.c | 6 ++++--
 net/core/sock_map.c | 12 ------------
 3 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
index f9d8e8b1a4e8..91ba0da57d0c 100644
--- a/include/linux/skmsg.h
+++ b/include/linux/skmsg.h
@@ -521,4 +521,16 @@ static inline bool sk_psock_strp_enabled(struct sk_psock *psock)
 return false;
 return psock->parser.enabled;
 }
+
+static inline bool sk_is_tcp(const struct sock *sk)
+{
+ return sk->sk_type == SOCK_STREAM &&
+ sk->sk_protocol == IPPROTO_TCP;
+}
+
+static inline bool sk_is_udp(const struct sock *sk)
+{
+ return sk->sk_type == SOCK_DGRAM &&
+ sk->sk_protocol == IPPROTO_UDP;
+}
 #endif /* _LINUX_SKMSG_H */
diff --git a/net/core/filter.c b/net/core/filter.c
index 62d09520a55d..fb84fd152fd7 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -10370,8 +10370,10 @@ BPF_CALL_3(bpf_sk_lookup_assign, struct bpf_sk_lookup_kern *, ctx,
 return -EINVAL;
 if (unlikely(sk && sk_is_refcounted(sk)))
 return -ESOCKTNOSUPPORT; /* reject non-RCU freed sockets */
- if (unlikely(sk && sk->sk_state == TCP_ESTABLISHED))
- return -ESOCKTNOSUPPORT; /* reject connected sockets */
+ if (unlikely(sk && sk_is_tcp(sk) && sk->sk_state != TCP_LISTEN))
+ return -ESOCKTNOSUPPORT; /* only accept TCP socket in LISTEN */
+ if (unlikely(sk && sk_is_udp(sk) && sk->sk_state != TCP_CLOSE))
+ return -ESOCKTNOSUPPORT; /* only accept UDP socket in CLOSE */
 
 /* Check if socket is suitable for packet L3/L4 protocol */
 if (sk && sk->sk_protocol != ctx->protocol)
diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index c3c7f4469c80..7f3788200cb8 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -551,18 +551,6 @@ static bool sock_map_op_okay(const struct bpf_sock_ops_kern *ops)
 ops->op == BPF_SOCK_OPS_TCP_LISTEN_CB;
 }
 
-static bool sk_is_tcp(const struct sock *sk)
-{
- return sk->sk_type == SOCK_STREAM &&
- sk->sk_protocol == IPPROTO_TCP;
-}
-
-static bool sk_is_udp(const struct sock *sk)
-{
- return sk->sk_type == SOCK_DGRAM &&
- sk->sk_protocol == IPPROTO_UDP;
-}
-
 static bool sock_map_redirect_allowed(const struct sock *sk)
 {
 return sk_is_tcp(sk) && sk->sk_state != TCP_LISTEN;
-- Gitee From 7c66f79d84188eb7ef033f4c3c2db35088e67114 Mon Sep 17 00:00:00 2001
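Review bot: sk_is_tcp() and sk_is_udp() move from file-local statics in sock_map.c to shared inlines in skmsg.h without any comment stating their contract. Both dereference `sk` unconditionally and compare only `sk_type` and `sk_protocol`, so a caller has to pass a non-NULL sock and test the socket state itself, as the filter.c hunk does with `sk &&` and `sk->sk_state`. I would put above each helper something like `/* sk must be non-NULL; matches on type and protocol only, not on socket state */`.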
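Review bot: The two new tests in bpf_sk_lookup_assign() constrain only a sock that matches sk_is_tcp() or sk_is_udp(); a sock that matches neither passes both and is left to the `sk->sk_protocol != ctx->protocol` test that follows, whose outcome lies outside this hunk. The description speaks of explicitly testing for the accepted cases, so that reliance on the later check deserves a comment, for example `/* other socket types are left to the protocol check below */`, provided the remaining code does guarantee it. The function body starts and ends outside the hunk.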
From: Eric Dumazet Date: Wed, 30 Oct 2024 14:39:57 +0800 Subject: [PATCH 2/2] scsi: iscsi_tcp: restrict to TCP sockets mainline inclusion from mainline-v6.6-rc3 commit f4f82c52a0ead5ab363d207d06f81b967d09ffb8 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB0F23 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4f82c52a0ead5ab363d207d06f81b967d09ffb8 -------------------------------- Nothing prevents iscsi_sw_tcp_conn_bind() to receive file descriptor pointing to non TCP socket (af_unix for example). Return -EINVAL if this is attempted, instead of crashing the kernel. Fixes: 7ba247138907 ("[SCSI] open-iscsi/linux-iscsi-5 Initiator: Initiator code") Signed-off-by: Eric Dumazet Cc: Lee Duncan Cc: Chris Leech Cc: Mike Christie Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: open-iscsi@googlegroups.com Cc: linux-scsi@vger.kernel.org Reviewed-by: Mike Christie Signed-off-by: David S. Miller Conflicts: drivers/scsi/iscsi_tcp.c [commit 42f67eea3ba3 ("net: use sk_is_tcp() in more places") is not backported, include linux/skmsg.h here] Signed-off-by: Yu Kuai
---
 drivers/scsi/iscsi_tcp.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index 35273434aa56..6e7b7288cd20 100644
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -29,6 +29,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -687,6 +688,10 @@ iscsi_sw_tcp_conn_bind(struct iscsi_cls_session *cls_session,
 return -EEXIST;
 }
 
+ err = -EINVAL;
+ if (!sk_is_tcp(sock->sk))
+ goto free_socket;
+
 err = iscsi_conn_bind(cls_session, cls_conn, is_leading);
 if (err)
 goto free_socket;
-- Gitee
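Review bot: The guard added ahead of iscsi_conn_bind() has no comment saying that it validates a descriptor handed in by the caller, which makes it easy to move or drop in a later cleanup. A line such as `/* sock comes from a caller-supplied fd; refuse anything that is not a TCP sock */` above `err = -EINVAL;` would record the reason. The guard matches on type and protocol only, so a TCP sock in any state is still accepted. Whether the code after the bind copes with an unconnected socket cannot be judged here, because the rest of the function and the `free_socket` label lie outside the hunk.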