Commit b7bf516c authored by Kohei Enju's avatar Kohei Enju Committed by Alexei Starovoitov
Browse files

bpf: Fix stack-out-of-bounds write in devmap 



get_upper_ifindexes() iterates over all upper devices and writes their
indices into an array without checking bounds.

Also the callers assume that the max number of upper devices is
MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,
but that assumption is not correct and the number of upper devices could
be larger than MAX_NEST_DEV (e.g., many macvlans), causing a
stack-out-of-bounds write.

Add a max parameter to get_upper_ifindexes() to avoid the issue.
When there are too many upper devices, return -EOVERFLOW and abort the
redirect.

To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with
an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
Then send a packet to the device to trigger the XDP redirect path.

Reported-by: default avatar <syzbot+10cc7f13760b31bd2e61@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/all/698c4ce3.050a0220.340abe.000b.GAE@google.com/T/


Fixes: aeea1b86 ("bpf, devmap: Exclude XDP broadcast to master device")
Reviewed-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: default avatarKohei Enju <kohei@enjuk.jp>
Link: https://lore.kernel.org/r/20260225053506.4738-1-kohei@enjuk.jp


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent ad6fface

kernel/bpf/devmap.c

+17 −5
Original line number Diff line number Diff line
@@ -588,18 +588,22 @@ static inline bool is_ifindex_excluded(int *excluded, int num_excluded, int ifin 
}



/* Get ifindex of each upper device. 'indexes' must be able to hold at

 * least MAX_NEST_DEV elements.

 * Returns the number of ifindexes added.

 * least 'max' elements.

 * Returns the number of ifindexes added, or -EOVERFLOW if there are too

 * many upper devices.

 */

static int get_upper_ifindexes(struct net_device *dev, int *indexes)

static int get_upper_ifindexes(struct net_device *dev, int *indexes, int max)

{

	struct net_device *upper;

	struct list_head *iter;

	int n = 0;



	netdev_for_each_upper_dev_rcu(dev, upper, iter) {

		if (n >= max)

			return -EOVERFLOW;

		indexes[n++] = upper->ifindex;

	}



	return n;

}
@@ -615,7 +619,11 @@ int dev_map_enqueue_multi(struct xdp_frame *xdpf, struct net_device *dev_rx, 
	int err;



	if (exclude_ingress) {

		num_excluded = get_upper_ifindexes(dev_rx, excluded_devices);

		num_excluded = get_upper_ifindexes(dev_rx, excluded_devices,

						   ARRAY_SIZE(excluded_devices) - 1);

		if (num_excluded < 0)

			return num_excluded;



		excluded_devices[num_excluded++] = dev_rx->ifindex;

	}
@@ -733,7 +741,11 @@ int dev_map_redirect_multi(struct net_device *dev, struct sk_buff *skb, 
	int err;



	if (exclude_ingress) {

		num_excluded = get_upper_ifindexes(dev, excluded_devices);

		num_excluded = get_upper_ifindexes(dev, excluded_devices,

						   ARRAY_SIZE(excluded_devices) - 1);

		if (num_excluded < 0)

			return num_excluded;



		excluded_devices[num_excluded++] = dev->ifindex;

	}