diff options
| author | Paul Chaignon <paul.chaignon@gmail.com> | 2025-08-01 11:47:23 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-08-15 12:13:58 +0200 |
| commit | eb2035c1adeb7d67402fb56d64e22a1dd57d4c29 (patch) | |
| tree | e82119eeecbe5729320eef5cc0d4820c6758c7d0 | |
| parent | b2a3018e83254969dea9fea4f02473a17a663fe2 (diff) | |
bpf: Check flow_dissector ctx accesses are aligned
[ Upstream commit ead3d7b2b6afa5ee7958620c4329982a7d9c2b78 ]
flow_dissector_is_valid_access doesn't check that the context access is
aligned. As a consequence, an unaligned access within one of the exposed
field is considered valid and later rejected by
flow_dissector_convert_ctx_access when we try to convert it.
The later rejection is problematic because it's reported as a verifier
bug with a kernel warning and doesn't point to the right instruction in
verifier logs.
Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook")
Reported-by: syzbot+ccac90e482b2a81d74aa@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ccac90e482b2a81d74aa
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/cc1b036be484c99be45eddf48bd78cc6f72839b1.1754039605.git.paul.chaignon@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
| -rw-r--r-- | net/core/filter.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/core/filter.c b/net/core/filter.c index 1c0cf6f2fff5..02fedc404d7f 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -9407,6 +9407,9 @@ static bool flow_dissector_is_valid_access(int off, int size, if (off < 0 || off >= sizeof(struct __sk_buff)) return false; + if (off % size != 0) + return false; + if (type == BPF_WRITE) return false; |