From patchwork Mon Jun 8 13:32:46 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 5003 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:bc1d:b0:861:c897:cb9d with SMTP id jc29csp1885166mab; Mon, 8 Jun 2026 06:33:11 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ97na/d6qkgjChxaK/A+jmeOZVq2Xgu4iEqlijQGs5858L6QnetdIhlRTqmgURpd+JiSuI+Zi3f7Xw=@openvpn.net X-Received: by 2002:a05:6871:329c:b0:43d:1c8a:5977 with SMTP id 586e51a60fabf-441463d4f49mr5868269fac.24.1780925590813; Mon, 08 Jun 2026 06:33:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1780925590; cv=none; d=google.com; s=arc-20240605; b=YPcHZPorZoL0ByOZm8Ht38w9Yh3rSlrxb6X7Kz0BIwSuSQqUp1oHzKraJeMqGT1Gu6 hzzGbtFVcQMHvG1ntaifh/kVhD+GFpAR0E0CdA6xIycSSqxEe7DEUt6GKLK6LjRE9l8H KVRJrHHqZ5o0DAFYli3ugBWU5Fq3WaAD9zp67FzBnCEvXBmyMGS9x7DRUO4AqOJlIX98 NSW7Ndwyh+uq/r3jNqjcs/Vn4ca/PrDnSwvVLJs8pIcmLBnyk59wbW2sGw67Xg2kF6DG zpj5NHxZhEARIjfc3FsXRHfTJ/fIO48t4RdEdc/Lpvew7Oi3i/6IgMhXLbpDjOjVvZrf gwtg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:cc:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature:dkim-signature; bh=uTLBxFYXRMCbF0c7rGK9YaBd1dVo4Ina2/gLRre0jSg=; fh=BsMg/B0Yb/hS/rzP5Npz4luh0IleZm8REk1XWiWRt2A=; b=RUdbjgIW69Dp1IfcxDCk7VGnDvA9P7HRc6Q+JnEFuYh+Sm6QN1jWhE/OLFyntccUO5 kQgQ2xTqEN6Gyn4muU95fcOs5fX0/W9GK/9ymeWoIeoL4syjOH/ZFz2j4TQHOBG7BBIJ gesdL5vx2ec4OZWFsr/pY+1Q6d2lQZwK/MyttwMlrHYNsIXQuG1whwwK7KvW7pB8ISE3 mnGVL4N0MchKdRVLK5o4+EOkuatyBPvF7kzpGkg+pSoA5lHCkfHO8JQ3f8M+PPYQ7VNl WcBbifK0GMy07ETZmvSPPHEvzj9tlTMn8cTxAcWSzruhKbiGTjFIg5hfgNcto6Qo5mFI HtOg==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=Y8fH67F+; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=k3dCvDW6; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=M4HYmlqd; dkim=neutral (body hash did not verify) header.i=@unstable.cc header.s=MBO0001 header.b=Z+vhfPoS; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 586e51a60fabf-440d860a317si13645776fac.173.2026.06.08.06.33.10 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 08 Jun 2026 06:33:10 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=Y8fH67F+; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=k3dCvDW6; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=M4HYmlqd; dkim=neutral (body hash did not verify) header.i=@unstable.cc header.s=MBO0001 header.b=Z+vhfPoS; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type:Cc: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=uTLBxFYXRMCbF0c7rGK9YaBd1dVo4Ina2/gLRre0jSg=; b=Y8fH67F+2CqDG8rn3fd9hf1fwy ktekRn09SbaK6YRbHN14flvWZDbc/5INSbuhUV9QXtQtBNbJ9mNxMchL44m54vWg+9GyzAVMnXitL ONj/VyHR3AbThYuWpCagZNJ9Wjgk3t5aUpuDwkZahUVJxPgEddW0dj7fg7+5k6B43Rvw=; Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1wWa6I-0001vz-0d; Mon, 08 Jun 2026 13:33:07 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1wWa6G-0001vr-4W for openvpn-devel@lists.sourceforge.net; Mon, 08 Jun 2026 13:33:05 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=JuwX2RQyhLSm7JVnRRkQX1KUFPvFgIajoELZ+RUujMg=; b=k3dCvDW65I0eZ2QuO2pIhrq3ZZ /oKGbicI2FS4hGtxBKldMFgrhSdRxJakzQ/Szo6wYy2LvW+qI9V4g7Ue5A2Q4SZ9m1dtP+yPxIJZk hypvqBy8PNCHuSL8CAccUzuQH/93pTEp/7dmc6vSPxDpGzafDTcidVTvZICXzqJpn/T4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=JuwX2RQyhLSm7JVnRRkQX1KUFPvFgIajoELZ+RUujMg=; b=M4HYmlqdoHtwk6VwXKb29A7kxy PgWFjQvh1TCncCfU9axZtmaJkjkWAZJ5z5FWJ9wLQSIJCb5qDpUhBZHX5hVTt23zhI1WHwsZyOZ9t DiHHKB/xrV0tlkAtOQKsC1xAYCB8NpK/PR9Rj6TVbbVfetZdPbio7twD+ayFj1c2OIjI=; Received: from mout-p-202.mailbox.org ([80.241.56.172]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1wWa6C-0004wM-BD for openvpn-devel@lists.sourceforge.net; Mon, 08 Jun 2026 13:33:05 +0000 Received: from smtp102.mailbox.org (smtp102.mailbox.org [10.196.197.102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4gYtJm730Xz9tQF; Mon, 8 Jun 2026 15:32:56 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unstable.cc; s=MBO0001; t=1780925577; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=JuwX2RQyhLSm7JVnRRkQX1KUFPvFgIajoELZ+RUujMg=; b=Z+vhfPoSg9oTHeZKx3rbi9oiPmcIzA4VRq6bE36c9d3dRoBMKA+KmwsU2xJS5SfMBSYGeB i7SsdmSGb9+KRVByoh0YysdGzVAiYMXx6q+8v/GbK/gXCATkJjtv6vSTxQk0z0PIxANZY/ FGC6BNrRrRzMnHZga1vBEOd32HUBOLzBBGrSqbiCkBw0IBAgdZ28sCBVNVf1DpxGVBEa4A 49dMl46Pf36PAdi68EVHW2epObdlWNG1tIciF3Y2qF3jWD2hJPjrv3C1t989N/W50qIzId 6c6Lhx09SNzsIyW6un8frBFWJbZb9dGTiwQMxuIszcUPbZnEdYnMAbVmZkYaMw== From: Antonio Quartulli To: openvpn-devel@lists.sourceforge.net Date: Mon, 8 Jun 2026 15:32:46 +0200 Message-ID: <20260608133251.3128542-4-a@unstable.cc> In-Reply-To: <20260608133251.3128542-1-a@unstable.cc> References: <20260608133251.3128542-1-a@unstable.cc> MIME-Version: 1.0 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-1.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Antonio Quartulli Some subsystems, like BPF SOCKMAP, set sk_user_data without actually setting the encap_type. For this reason, we must make sure that the type is the one ovpn expects before dereferencing sk_user_data. Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 0.0 RCVD_IN_MSPIKE_H5 RBL: Excellent reputation (+5) [80.241.56.172 listed in wl.mailspike.net] 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders X-Headers-End: 1wWa6C-0004wM-BD Subject: [Openvpn-devel] [PATCH ovpn net v2 4/9] ovpn: ensure socket is owned by ovpn before deref sk_user_data X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Antonio Quartulli Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: 1867435832538602081 X-GMAIL-MSGID: 1867435832538602081 From: Antonio Quartulli Some subsystems, like BPF SOCKMAP, set sk_user_data without actually setting the encap_type. For this reason, we must make sure that the type is the one ovpn expects before dereferencing sk_user_data. Failing to do so may lead to out-of-bounds reads. Fixes: f6226ae7a0cd ("ovpn: introduce the ovpn_socket object") Signed-off-by: Antonio Quartulli --- drivers/net/ovpn/socket.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/net/ovpn/socket.c b/drivers/net/ovpn/socket.c index 517caa64a4fe..6cbeb2caaeec 100644 --- a/drivers/net/ovpn/socket.c +++ b/drivers/net/ovpn/socket.c @@ -162,6 +162,15 @@ struct ovpn_socket *ovpn_socket_new(struct socket *sock, struct ovpn_peer *peer) rcu_read_lock(); ovpn_sock = rcu_dereference_sk_user_data(sk); if (ovpn_sock) { + /* something else filled the sk_user_data without + * setting the encap_type. Reject the socket. + */ + if (!type) { + ovpn_sock = ERR_PTR(-EBUSY); + rcu_read_unlock(); + goto sock_release; + } + /* socket owned by another ovpn instance, we can't use it */ if (ovpn_sock->ovpn != peer->ovpn) { ovpn_sock = ERR_PTR(-EBUSY);