Re: [PATCH net v2] net: fix use-after-free when UDP GRO with shared fraglist

2021-01-08 Thread Daniel Borkmann
On 1/7/21 3:44 PM, Willem de Bruijn wrote: On Thu, Jan 7, 2021 at 8:33 AM Daniel Borkmann wrote: On 1/7/21 2:05 PM, Willem de Bruijn wrote: On Thu, Jan 7, 2021 at 7:52 AM Daniel Borkmann wrote: On 1/7/21 12:40 PM, Dongseok Yi wrote: On 2021-01-07 20:05, Daniel Borkmann wrote: On 1/7/21 1:3

Re: [PATCH net v2] net: fix use-after-free when UDP GRO with shared fraglist

2021-01-07 Thread Willem de Bruijn
On Thu, Jan 7, 2021 at 8:33 AM Daniel Borkmann wrote:
>
> On 1/7/21 2:05 PM, Willem de Bruijn wrote:
> > On Thu, Jan 7, 2021 at 7:52 AM Daniel Borkmann wrote:
> >> On 1/7/21 12:40 PM, Dongseok Yi wrote:
> >>> On 2021-01-07 20:05, Daniel Borkmann wrote:
> >>>> On 1/7/21 1:39 AM, Dongseok Yi wrote:

Re: [PATCH net v2] net: fix use-after-free when UDP GRO with shared fraglist

2021-01-07 Thread Daniel Borkmann
On 1/7/21 2:05 PM, Willem de Bruijn wrote: On Thu, Jan 7, 2021 at 7:52 AM Daniel Borkmann wrote: On 1/7/21 12:40 PM, Dongseok Yi wrote: On 2021-01-07 20:05, Daniel Borkmann wrote: On 1/7/21 1:39 AM, Dongseok Yi wrote: skbs in fraglist could be shared by a BPF filter loaded at TC. It triggers

Re: [PATCH net v2] net: fix use-after-free when UDP GRO with shared fraglist

2021-01-07 Thread Willem de Bruijn
On Thu, Jan 7, 2021 at 7:52 AM Daniel Borkmann wrote:
>
> On 1/7/21 12:40 PM, Dongseok Yi wrote:
> > On 2021-01-07 20:05, Daniel Borkmann wrote:
> >> On 1/7/21 1:39 AM, Dongseok Yi wrote:
> >>> skbs in fraglist could be shared by a BPF filter loaded at TC. It
> >>> triggers skb_ensure_writable ->

Re: [PATCH net v2] net: fix use-after-free when UDP GRO with shared fraglist

2021-01-07 Thread Daniel Borkmann
On 1/7/21 12:40 PM, Dongseok Yi wrote: On 2021-01-07 20:05, Daniel Borkmann wrote: On 1/7/21 1:39 AM, Dongseok Yi wrote: skbs in fraglist could be shared by a BPF filter loaded at TC. It triggers skb_ensure_writable -> pskb_expand_head -> skb_clone_fraglist -> skb_get on each skb in the fraglis

RE: [PATCH net v2] net: fix use-after-free when UDP GRO with shared fraglist

2021-01-07 Thread Dongseok Yi
On 2021-01-07 20:05, Daniel Borkmann wrote:
>
> On 1/7/21 1:39 AM, Dongseok Yi wrote:
> > skbs in fraglist could be shared by a BPF filter loaded at TC. It
> > triggers skb_ensure_writable -> pskb_expand_head ->
> > skb_clone_fraglist -> skb_get on each skb in the fraglist.
> >
> > While tcpdump,

Re: [PATCH net v2] net: fix use-after-free when UDP GRO with shared fraglist

2021-01-07 Thread Daniel Borkmann
On 1/7/21 1:39 AM, Dongseok Yi wrote: skbs in fraglist could be shared by a BPF filter loaded at TC. It triggers skb_ensure_writable -> pskb_expand_head -> skb_clone_fraglist -> skb_get on each skb in the fraglist. While tcpdump, sk_receive_queue of PF_PACKET has the original fraglist. But the s

[PATCH net v2] net: fix use-after-free when UDP GRO with shared fraglist

2021-01-06 Thread Dongseok Yi
skbs in fraglist could be shared by a BPF filter loaded at TC. It triggers skb_ensure_writable -> pskb_expand_head -> skb_clone_fraglist -> skb_get on each skb in the fraglist. While tcpdump, sk_receive_queue of PF_PACKET has the original fraglist. But the same fraglist is queued to PF_INET (or PF