From patchwork Tue May 26 23:18:45 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 4979 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:4ec9:b0:861:c897:cb9d with SMTP id i9csp36349mas; Tue, 26 May 2026 16:19:37 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ8N7F6NV4AAnsYlv4oC4MRkmWRtIkWpmzzD4vIOjP82vIpYmOawxvX7040+7yzIa3KZw4oP9hcrIY0=@openvpn.net X-Received: by 2002:a05:6871:530b:b0:42f:beec:92dc with SMTP id 586e51a60fabf-43b5af685cfmr13944916fac.35.1779837576984; Tue, 26 May 2026 16:19:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1779837576; cv=none; d=google.com; s=arc-20240605; b=RODvgVYk+SDHuPIKfPXhWe3vF+XBXTd7EubLLYKtfUMOTkhbBz/I3KItPrqEJmHNup x7QHFd3wWCnA3AsLe0qT0CkgjoJgvmI5q1E2FhM41UsZQOV9FZY1VVSFqqlxDcPqs+8i Cy2IFZHinWCIDvXbSmKxvaI+MQIiPCXyH+Ix594tr12moB96oeFgFdvB+d+Fd+3ogj0g 3KnyAWPjGMGeb/gH/L0jTe2lIxDnNrPAjuyNx6FbZn2hWKlVK/M5P3lNItt/uvvnsavj 3xUhd5VJtl2sSE3SEuv/ccg9C5BJUKoHe9FRH8lRTLaCVf7KxOUmsnaTUm9I8yGNYsEu +/OQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:cc:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature:dkim-signature; bh=uTLBxFYXRMCbF0c7rGK9YaBd1dVo4Ina2/gLRre0jSg=; fh=BsMg/B0Yb/hS/rzP5Npz4luh0IleZm8REk1XWiWRt2A=; b=FAo1HQphFESn1Rv0wRzYRRGuf2B27lwkjSv4IagcTWz0MfBBUJURdBAs5y6oSSQlXE 8DHJlt5tOXlb/NYM0/4TIoSdghmj9xWNOwFPnGy8Znm/aNM+rwaAAuI8TimPXzqduTiX YWCRXXWFEsDccNtWfsnU3bJVZ/2ikmFpW0OsAVJrav2KWRmieGDMm0sCNV8hWo9xJfmz 7FgP702/GX7aMzW9AMI8NhPdGQv9KiF6uZpxX6kVc85oR25inx5rn1OuH1dbThAtHi3w Y2E+5xYsA3D3+1UrxQvi4kJvBtJw2SmwAYQ1j4LwJHEvPcOj4PSCtm8fw3jDU8EMF3Ns s2pw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=mqnz6aC7; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=JavLz1nt; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=cVN7XBXg; dkim=neutral (body hash did not verify) header.i=@unstable.cc header.s=MBO0001 header.b=hZpVZAxB; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 586e51a60fabf-43b63d0903csi11747599fac.360.2026.05.26.16.19.36 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 26 May 2026 16:19:36 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=mqnz6aC7; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=JavLz1nt; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=cVN7XBXg; dkim=neutral (body hash did not verify) header.i=@unstable.cc header.s=MBO0001 header.b=hZpVZAxB; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type:Cc: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=uTLBxFYXRMCbF0c7rGK9YaBd1dVo4Ina2/gLRre0jSg=; b=mqnz6aC7q1zh42V7RzfeZueYsV NNW++VZAF9WXRK665kBTP5SkcgucfpgrgLU+hxuj40vvtljkzVNqhw+0EG6n3tGn1vLBcWo9Ho3tK FYZD8+vYJ6Ir05+3dlVMllUMqgu6kF5sfZEBTx0+Z6A8yCIUTkt9pCLdf+UkfmTQS438=; Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1wS13a-0002rs-Ej; Tue, 26 May 2026 23:19:31 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1wS13W-0002pd-RX for openvpn-devel@lists.sourceforge.net; Tue, 26 May 2026 23:19:27 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=JuwX2RQyhLSm7JVnRRkQX1KUFPvFgIajoELZ+RUujMg=; b=JavLz1ntAPHIrf+FzGE/zJxGKV q0gvfQOzmmPx3W84uhoAQgtJo9UqnLZlfuFd1x3hf3BY6Rx+2MX56QkcvFv2lStOqoRu9mKIfp8RB 1SmPhruAcgFkdszwP6orNrnkezvRwT3Hyowpwq3Zb7e3kV0yn+d8ivpjaR/AnM07AnpU=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=JuwX2RQyhLSm7JVnRRkQX1KUFPvFgIajoELZ+RUujMg=; b=cVN7XBXgmczOcS/9lGE5CyDLye BiRjZJBAlMWC2OCamNx148fxa82L5l1o+WxJa3jFvaokeqSQYMB14HPcSZnwoasFN7+ycae9yTi30 qF2mdKxQBGAtJfPvAzpubwWPDa3HYZQr16ZfHtkqeIC2sTgD483p3gpLbCHpZLCapXU0=; Received: from mout-p-101.mailbox.org ([80.241.56.151]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1wS13G-0000TI-FG for openvpn-devel@lists.sourceforge.net; Tue, 26 May 2026 23:19:11 +0000 Received: from smtp102.mailbox.org (smtp102.mailbox.org [10.196.197.102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4gQ7wy27pQz9thq; Wed, 27 May 2026 01:18:58 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unstable.cc; s=MBO0001; t=1779837538; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=JuwX2RQyhLSm7JVnRRkQX1KUFPvFgIajoELZ+RUujMg=; b=hZpVZAxBkARsTAuZhNoforuDYhH2Si0rfNICFvCNIqbM/GS7dj93uA0xCPrLI1uSloH8e8 yo+H00YS/uUwFXnh6T0/750MJir2kj53zLM6ldDmPY868Vl2xdg4cBPUeaddz8iR+qUL+L ziV+t0whQpZCF9Iu8iZfoSAn8KHvh8gdiYPKpnYfDRpjYgAhykXvYZobJNJ6BdAbFQ8F98 momFHo43Xyb9Ul403Sri7vF528f9ny+eSXExvCIyd6qt1quMbRYdJDWAABo8in2K8aKMOt v2PUUpB/CWohdnlWukbIb+XKJWyLeGq+knuzwpBVK35et0AbdH7C46nEUrAiLA== From: Antonio Quartulli To: openvpn-devel@lists.sourceforge.net Date: Wed, 27 May 2026 01:18:45 +0200 Message-ID: <20260526231850.2511369-4-a@unstable.cc> In-Reply-To: <20260526231850.2511369-1-a@unstable.cc> References: <20260526231850.2511369-1-a@unstable.cc> MIME-Version: 1.0 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-1.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Antonio Quartulli Some subsystems, like BPF SOCKMAP, set sk_user_data without actually setting the encap_type. For this reason, we must make sure that the type is the one ovpn expects before dereferencing sk_user_data. Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid X-Headers-End: 1wS13G-0000TI-FG Subject: [Openvpn-devel] [PATCH ovpn net 4/9] ovpn: ensure socket is owned by ovpn before deref sk_user_data X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Antonio Quartulli Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: 1866294966909868541 X-GMAIL-MSGID: 1866294966909868541 From: Antonio Quartulli Some subsystems, like BPF SOCKMAP, set sk_user_data without actually setting the encap_type. For this reason, we must make sure that the type is the one ovpn expects before dereferencing sk_user_data. Failing to do so may lead to out-of-bounds reads. Fixes: f6226ae7a0cd ("ovpn: introduce the ovpn_socket object") Signed-off-by: Antonio Quartulli --- drivers/net/ovpn/socket.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/net/ovpn/socket.c b/drivers/net/ovpn/socket.c index 517caa64a4fe..6cbeb2caaeec 100644 --- a/drivers/net/ovpn/socket.c +++ b/drivers/net/ovpn/socket.c @@ -162,6 +162,15 @@ struct ovpn_socket *ovpn_socket_new(struct socket *sock, struct ovpn_peer *peer) rcu_read_lock(); ovpn_sock = rcu_dereference_sk_user_data(sk); if (ovpn_sock) { + /* something else filled the sk_user_data without + * setting the encap_type. Reject the socket. + */ + if (!type) { + ovpn_sock = ERR_PTR(-EBUSY); + rcu_read_unlock(); + goto sock_release; + } + /* socket owned by another ovpn instance, we can't use it */ if (ovpn_sock->ovpn != peer->ovpn) { ovpn_sock = ERR_PTR(-EBUSY);