Re: [PATCH bpf v2] bpf, sockmap: fix use-after-free when the stream parser resizes the skb
From: Sechang Lim
Date: Thu Jun 18 2026 - 00:58:27 EST
On Thu, Jun 18, 2026 at 12:25:57AM +0000, Kuniyuki Iwashima wrote:
> From: Sechang Lim <rhkrqnwk98@xxxxxxxxx>
> Date: Fri, 12 Jun 2026 12:35:51 +0000
> > sk_psock_strp_parse() runs the BPF_PROG_TYPE_SK_SKB stream-parser program
> > to find the length of the next message. strparser assembles a message out
> > of several received skbs by chaining them onto the head's frag_list and
> > recording where to append the next one in strp->skb_nextp:
> >
> >     *strp->skb_nextp = skb;
> >     strp->skb_nextp = &skb->next;
> >
> > and then calls the parser on the head:
> >
> >     len = (*strp->cb.parse_msg)(strp, head);
> >
> > The parser is only meant to inspect the skb, but the program may call
> > bpf_skb_change_tail() -- or the sibling bpf_skb_pull_data(),
> > bpf_skb_change_head(), bpf_skb_adjust_room(), all allowed for SK_SKB.
> It's the bpf prog's responsibility not to abuse them.
>
> Even setting that aside, why not simply block such a BPF prog?
> It cannot be done at load time, but it is doable at attach time.
Thanks, this is cleaner than cloning. Will fix in v3.
Best,
Sechang
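As an added illustration (a userspace model, not kernel code and not the patch under discussion), the following C program mirrors the two chaining lines quoted from strparser above: fragments hang off the head's frag_list, and strp->skb_nextp caches the address of the slot where the next fragment will be linked. The model shows that this cached pointer is only meaningful as long as the parse callback leaves the chain untouched; a callback that trims the head's fragments leaves skb_nextp addressing a slot that is no longer part of the chain. The names run_scenario, parse_inspect_only, parse_and_trim and strp_nextp_valid are constructed for this example; the fragments are kept allocated in a pool so the stale pointer can be compared without undefined behaviour.

```c
/* Userspace model of strparser's frag_list chaining and the cached tail
 * pointer strp->skb_nextp. Added example; not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

struct skb {
    struct skb *next;       /* sibling link inside a frag_list */
    struct skb *frag_list;  /* fragments hanging off a head skb */
    size_t len;
};

struct strp {
    struct skb *head;
    struct skb **skb_nextp; /* slot where the next fragment is linked */
};

/* Mirrors the two lines quoted in the commit message: the first skb
 * becomes the head, later ones are linked at *skb_nextp. */
static void strp_append(struct strp *strp, struct skb *skb)
{
    if (!strp->head) {
        strp->head = skb;
        strp->skb_nextp = &skb->frag_list;
        return;
    }
    *strp->skb_nextp = skb;
    strp->skb_nextp = &skb->next;
}

/* Recompute the tail slot by walking the chain from the head. */
static struct skb **strp_tail_slot(struct skb *head)
{
    struct skb **slot = &head->frag_list;
    while (*slot)
        slot = &(*slot)->next;
    return slot;
}

/* 1 if the cached pointer still addresses the chain's tail slot. */
static int strp_nextp_valid(const struct strp *strp)
{
    return strp->skb_nextp == strp_tail_slot(strp->head);
}

typedef int (*parse_msg_fn)(struct skb *head);

/* Read-only parser: the behaviour strparser expects of parse_msg. */
static int parse_inspect_only(struct skb *head)
{
    return (int)head->len;
}

/* Parser that detaches the head's fragments, modelling a helper that
 * resizes the skb and drops frag_list. The fragments stay allocated in
 * the caller's pool (constructed for the example), so the stale cached
 * pointer can still be compared safely afterwards. */
static int parse_and_trim(struct skb *head)
{
    head->frag_list = NULL;
    return (int)head->len;
}

/* Build a head plus nfrags fragments, run the parser once on the head,
 * and report whether skb_nextp still addresses the tail slot.
 * Returns 1 (intact), 0 (stale), or -1 on allocation failure. */
static int run_scenario(size_t nfrags, parse_msg_fn cb)
{
    struct skb *pool = calloc(nfrags + 1, sizeof(*pool));
    struct strp strp = {0};
    int ok;

    if (!pool)
        return -1;
    for (size_t i = 0; i <= nfrags; i++) {
        pool[i].len = 100 + i;      /* constructed sample lengths */
        strp_append(&strp, &pool[i]);
    }
    cb(strp.head);
    ok = strp_nextp_valid(&strp);
    free(pool);
    return ok;
}

int main(void)
{
    printf("inspect-only parser, 3 frags: skb_nextp intact = %d\n",
           run_scenario(3, parse_inspect_only));
    printf("trimming parser, 3 frags:     skb_nextp intact = %d\n",
           run_scenario(3, parse_and_trim));
    printf("trimming parser, 0 frags:     skb_nextp intact = %d\n",
           run_scenario(0, parse_and_trim));
    return 0;
}
```

With no fragments chained, trimming changes nothing and the cached slot is still the head's own frag_list field; once fragments exist, a parser that resizes the head leaves skb_nextp pointing into memory the chain no longer owns, which is the shape of the hazard the thread is about.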