In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets
With a SOCKMAP/SOCKHASH map and an sk_msg program user can steer messages sent from one TCP socket (s1) to actually egress from another TCP socket (s2):
tcpbpfsendmsg(s1) // = skprot->sendmsg tcpbpfsendverdict(s1) // _SKREDIRECT case tcpbpfsendmsgredir(s2) tcpbpfpushlocked(s2) tcpbpfpush(s2) tcpratecheckapplimited(s2) // expects tcpsock tcpsendmsg_locked(s2) // ditto
There is a hard-coded assumption in the call-chain, that the egress socket (s2) is a TCP socket.
However in commit 122e6c79efe1 ("sockmap: Update sock type checks for UDP") we have enabled redirects to non-TCP sockets. This was done for the sake of BPF skskb programs. There was no indention to support sk_msg send-to-egress use case.
As a result, attempts to send-to-egress through a non-TCP socket lead to a crash due to invalid downcast from sock to tcp_sock:
BUG: kernel NULL pointer dereference, address: 000000000000002f ... Call Trace: <TASK> ? showregs+0x60/0x70 ? _die+0x1f/0x70 ? pagefaultoops+0x80/0x160 ? douseraddrfault+0x2d7/0x800 ? rcuiswatching+0x11/0x50 ? excpagefault+0x70/0x1c0 ? asmexcpagefault+0x27/0x30 ? tcptsosegs+0x14/0xa0 tcpwritexmit+0x67/0xce0 _tcppushpendingframes+0x32/0xf0 tcppush+0x107/0x140 tcpsendmsglocked+0x99f/0xbb0 tcpbpfpush+0x19d/0x3a0 tcpbpfsendmsgredir+0x55/0xd0 tcpbpfsendverdict+0x407/0x550 tcpbpfsendmsg+0x1a1/0x390 inetsendmsg+0x6a/0x70 socksendmsg+0x9d/0xc0 ? sockfdlookuplight+0x12/0x80 _syssendto+0x10e/0x160 ? syscallenterfromusermode+0x20/0x60 ? _thiscpupreemptcheck+0x13/0x20 ? lockdephardirqson+0x82/0x110 _x64syssendto+0x1f/0x30 dosyscall64+0x38/0x90 entrySYSCALL64afterhwframe+0x63/0xcd
Reject selecting a non-TCP sockets as redirect target from a BPF sk_msg program to prevent the crash. When attempted, user will receive an EACCES error from send/sendto/sendmsg() syscall.