A BPF_PROG_TYPE_SK_SKB stream parser runs on strparser's message head, which can chain skbs through frag_list. A parser that resizes the skb frees the frag_list segments that strparser still tracks through skb_nextp, leading to a use-after-free.
A stream parser is only meant to measure the next message, not to modify the packet, so reject a packet-modifying parser at attach time.

v4:
- drop the Fixes tag (Jiayuan Chen)
- drop the unsafe skb modification from the test prog (John Fastabend)

v3:
- https://lore.kernel.org/all/[email protected]/

v2:
- https://lore.kernel.org/all/[email protected]/

v1:
- https://lore.kernel.org/all/[email protected]/

Sechang Lim (3):
  selftests/bpf: don't modify the skb in the strparser parser prog
  bpf, sockmap: reject a packet-modifying SK_SKB stream parser
  selftests/bpf: test rejection of a packet-modifying SK_SKB stream parser

 net/core/sock_map.c                                | 20 ++++++++++++
 .../selftests/bpf/prog_tests/sockmap_strp.c        | 31 +++++++++++++++++++
 .../selftests/bpf/progs/sockmap_parse_prog.c       | 22 -------------
 .../selftests/bpf/progs/test_sockmap_strp.c        |  7 +++++
 4 files changed, 58 insertions(+), 22 deletions(-)

-- 
2.43.0

