[PATCH v2 0/3] bpf: fix sock_ops rtt_min OOB read and related guard issues
From: Werner Kasselman
Date: Sat Apr 11 2026 - 23:03:26 EST
Patch 3 fixes an out-of-bounds read in sock_ops_convert_ctx_access()
for the rtt_min context field. It is the only tcp_sock-backed field
that bypasses the is_locked_tcp_sock guard, so on request_sock-backed
sock_ops callbacks the converted BPF load reads past the end of a
tcp_request_sock.

Patches 1 and 2 are groundwork. Patch 1 fixes a pre-existing info
leak in SOCK_OPS_GET_FIELD() and SOCK_OPS_GET_SK() where dst_reg is
left holding the context pointer on the guard-failure branch when
dst_reg == src_reg, instead of being zeroed. Patch 2 extracts
SOCK_OPS_LOAD_TCP_SOCK_FIELD() from SOCK_OPS_GET_FIELD() so the
rtt_min sub-field access in patch 3 can reuse it.

Patches 1 and 3 carry Fixes: tags and Cc: stable. Patch 2 is a pure
refactor.

v1: https://lore.kernel.org/bpf/ (earlier single-patch posting)
- Inlined the guarded load sequence by hand.
- Feedback: please factor it through the existing helper instead
  of open-coding 30 lines.

v2:
- Patch 1 (new): fix latent dst == src info leak in both macros.
- Patch 2 (new): refactor SOCK_OPS_GET_FIELD().
- Patch 3: use SOCK_OPS_LOAD_TCP_SOCK_FIELD() for rtt_min and use
  offsetof(struct minmax_sample, v) for the sub-field offset.

Werner Kasselman (3):
  bpf: zero dst_reg on sock_ops field guard failure when dst == src
  bpf: extract SOCK_OPS_LOAD_TCP_SOCK_FIELD from SOCK_OPS_GET_FIELD
  bpf: guard sock_ops rtt_min against non-locked tcp_sock

 net/core/filter.c | 37 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 16 deletions(-)
--
2.43.0