Commit cabd1a97 authored by Eric Dumazet, committed by Jakub Kicinski

net/sched: cls_u32: use skb_header_pointer_careful()



skb_header_pointer() does not fully validate negative @offset values.

Use skb_header_pointer_careful() instead.

GangMin Kim provided a report and a repro fooling u32_classify():

BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221

Fixes: fbc2e7d9 ("cls_u32: use skb_header_pointer() to dereference data safely")
Reported-by: GangMin Kim <km.kim1503@gmail.com>
Closes: https://lore.kernel.org/netdev/CANn89iJkyUZ=mAzLzC4GdcAgLuPnUoivdLaOs6B9rq5_erj76w@mail.gmail.com/T/


Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260128141539.3404400-3-edumazet@google.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parent 13e00fdc
+6 −7
@@ -161,10 +161,8 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb,
			int toff = off + key->off + (off2 & key->offmask);
			__be32 *data, hdata;

			if (skb_headroom(skb) + toff > INT_MAX)
				goto out;

			data = skb_header_pointer(skb, toff, 4, &hdata);
			data = skb_header_pointer_careful(skb, toff, 4,
							  &hdata);
			if (!data)
				goto out;
			if ((*data ^ key->val) & key->mask) {
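Review bot: Dropping the `skb_headroom(skb) + toff > INT_MAX` guard leaves this call site relying entirely on skb_header_pointer_careful() to reject a bad toff, and nothing in this hunk says what that helper guarantees. toff is a signed int built from `off + key->off + (off2 & key->offmask)`, so it can be negative; a one-line comment above the call stating how the helper treats negative offsets would let a reader see why the explicit guard is no longer needed.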
@@ -214,8 +212,9 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb,
		if (ht->divisor) {
			__be32 *data, hdata;

			data = skb_header_pointer(skb, off + n->sel.hoff, 4,
						  &hdata);
			data = skb_header_pointer_careful(skb,
							  off + n->sel.hoff,
							  4, &hdata);
			if (!data)
				goto out;
			sel = ht->divisor & u32_hash_fold(*data, &n->sel,
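Review bot: The changelog does not say which of the three call sites the report hit, and by this hunk's old-side numbering (-214,8) line 221 from the KASAN trace is the `*data` dereference in the u32_hash_fold() call here, assuming the trace was taken on the same tree. This site passes `off + n->sel.hoff` with no range check of its own, unlike the first hunk, which had the INT_MAX guard, so it is worth naming it in the commit message as the dereference the trace points at.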
@@ -229,7 +228,7 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb,
			if (n->sel.flags & TC_U32_VAROFFSET) {
				__be16 *data, hdata;

				data = skb_header_pointer(skb,
				data = skb_header_pointer_careful(skb,
							  off + n->sel.offoff,
							  2, &hdata);
				if (!data)
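Review bot: The continuation lines `off + n->sel.offoff,` and `2, &hdata);` are unchanged context in this hunk (-229,7 +228,7 changes only the call line), so they stay aligned to the open parenthesis of the shorter skb_header_pointer( name. Re-indent them under the new open parenthesis, as the second hunk does for its arguments, to keep the argument alignment consistent across the three call sites.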