Patch Detail
GET /api/1.2/patches/833404/?format=api
{ "id": 833404, "url": "http://patchwork.ozlabs.org/api/1.2/patches/833404/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/patch/20171102151801.24500-1-kraigatgoog@gmail.com/", "project": { "id": 7, "url": "http://patchwork.ozlabs.org/api/1.2/projects/7/?format=api", "name": "Linux network development", "link_name": "netdev", "list_id": "netdev.vger.kernel.org", "list_email": "netdev@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20171102151801.24500-1-kraigatgoog@gmail.com>", "list_archive_url": null, "date": "2017-11-02T15:18:01", "name": "[net-next,v2] bpf: fix verifier NULL pointer dereference", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "a27ddb78b210a04fbdbffe7d7f10b08ac49d7c43", "submitter": { "id": 67365, "url": "http://patchwork.ozlabs.org/api/1.2/people/67365/?format=api", "name": "Craig Gallek", "email": "kraigatgoog@gmail.com" }, "delegate": { "id": 34, "url": "http://patchwork.ozlabs.org/api/1.2/users/34/?format=api", "username": "davem", "first_name": "David", "last_name": "Miller", "email": "davem@davemloft.net" }, "mbox": "http://patchwork.ozlabs.org/project/netdev/patch/20171102151801.24500-1-kraigatgoog@gmail.com/mbox/", "series": [ { "id": 11531, "url": "http://patchwork.ozlabs.org/api/1.2/series/11531/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/list/?series=11531", "date": "2017-11-02T15:18:01", "name": "[net-next,v2] bpf: fix verifier NULL pointer dereference", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/11531/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/833404/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/833404/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<netdev-owner@vger.kernel.org>", "X-Original-To": "patchwork-incoming@ozlabs.org", 
"Delivered-To": "patchwork-incoming@ozlabs.org", "Authentication-Results": "ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)", "Received": [ "from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3ySTHQ54fJz9sNw\n\tfor <patchwork-incoming@ozlabs.org>;\n\tFri, 3 Nov 2017 02:18:10 +1100 (AEDT)", "(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S933789AbdKBPSH (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tThu, 2 Nov 2017 11:18:07 -0400", "from mail-yw0-f194.google.com ([209.85.161.194]:55998 \"EHLO\n\tmail-yw0-f194.google.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S933418AbdKBPSE (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Thu, 2 Nov 2017 11:18:04 -0400", "by mail-yw0-f194.google.com with SMTP id t11so5061549ywg.12\n\tfor <netdev@vger.kernel.org>; Thu, 02 Nov 2017 08:18:04 -0700 (PDT)", "from monkey.nyc.corp.google.com ([100.101.213.10])\n\tby smtp.gmail.com with ESMTPSA id\n\tz205sm1498667ywg.21.2017.11.02.08.18.02\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);\n\tThu, 02 Nov 2017 08:18:02 -0700 (PDT)" ], "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to\n\t:references;\n\tbh=MJ3Oc9jrgaiHSFGjIq5skVl6r0bRw/AmkslcK9aM7n8=;\n\tb=atq/SOci92zgjO7P4K7H4H0PGwK1SeOT2lAMQMC5QXVDctNFujgVyDsAQVOGGRuT4t\n\tV4t21bGdZ3XaGj30i2W+Fooyq2ERY1j453Uo1gONAEtd1nJM2D51ita1KU+0ULbTNFrC\n\tdC0bmx4wabxuOe6ubriYx4ahdG6R9+Vla8+G5Jhp4BERYrSwQq7HrO14sKN0Rn7d/WXL\n\tdde0k43oQCCJjWfgeyhGJjmiH4+tak3D3XZDwYz6k0xCP0/NviXyeAV+7jN9YZflKHmT\n\ttx3kHfwPbtCX9ltjhpPtu3L9T+YhcayKqd2JmZn/rpeVahODs6Lj60lnxwSha2RweySK\n\tqBjA==", "X-Gm-Message-State": "AMCzsaV5AL2UiVfFZ13I6diIcvrTW5K324/aEXm7zZDlE0WBplTP+QrR\n\t4v7FWL2YOgU8C+0VvjMW2UOuag==", 
"X-Google-Smtp-Source": "ABhQp+Q287zTl/JHZF6uSExXdXTyyYrxAZH9lMlgFlqS1G7LttsYbzd1P1kaGKNctXMsZ7HsX4oDmA==", "X-Received": "by 10.129.94.138 with SMTP id s132mr2459686ywb.424.1509635883321;\n\tThu, 02 Nov 2017 08:18:03 -0700 (PDT)", "From": "Craig Gallek <kraigatgoog@gmail.com>", "To": "Alexei Starovoitov <ast@fb.com>, \"David S . Miller\" <davem@davemloft.net>", "Cc": "netdev@vger.kernel.org", "Subject": "[PATCH net-next v2] bpf: fix verifier NULL pointer dereference", "Date": "Thu, 2 Nov 2017 11:18:01 -0400", "Message-Id": "<20171102151801.24500-1-kraigatgoog@gmail.com>", "X-Mailer": "git-send-email 2.15.0.403.gc27cc4dac6-goog", "In-Reply-To": "<20171102142119.13894-1-kraigatgoog@gmail.com>", "References": "<20171102142119.13894-1-kraigatgoog@gmail.com>", "Sender": "netdev-owner@vger.kernel.org", "Precedence": "bulk", "List-ID": "<netdev.vger.kernel.org>", "X-Mailing-List": "netdev@vger.kernel.org" }, "content": "From: Craig Gallek <kraig@google.com>\n\ndo_check() can fail early without allocating env->cur_state under\nmemory pressure. 
Syzkaller found the stack below on the linux-next\ntree because of this.\n\n kasan: CONFIG_KASAN_INLINE enabled\n kasan: GPF could be caused by NULL-ptr deref or user memory access\n general protection fault: 0000 [#1] SMP KASAN\n Dumping ftrace buffer:\n (ftrace buffer empty)\n Modules linked in:\n CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n task: ffff8801c2c74700 task.stack: ffff8801c3e28000\n RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline]\n RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533\n RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000\n RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380\n RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f\n R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28\n R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20\n FS: 00007f311079b700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166\n SYSC_bpf kernel/bpf/syscall.c:1690 [inline]\n SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652\n entry_SYSCALL_64_fastpath+0x1f/0xbe\n RIP: 0033:0x452869\n RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141\n RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869\n RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005\n RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550\n R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000\n 
Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26\n RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP: ffff8801c3e2f5c8\n RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP: ffff8801c3e2f5c8\n ---[ end trace c8d37f339dc64004 ]---\n\nFixes: 638f5b90d460 (\"bpf: reduce verifier memory consumption\")\nFixes: 1969db47f8d0 (\"bpf: fix verifier memory leaks\")\nSigned-off-by: Craig Gallek <kraig@google.com>\n---\n kernel/bpf/verifier.c | 12 ++++++++----\n 1 file changed, 8 insertions(+), 4 deletions(-)\n\nv2:\n Forgot second spot for the same bug in bpf_analyzer (from Alexei).", "diff": "diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c\nindex 530b68550fd2..624aee966ab5 100644\n--- a/kernel/bpf/verifier.c\n+++ b/kernel/bpf/verifier.c\n@@ -4530,8 +4530,10 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)\n \tenv->allow_ptr_leaks = capable(CAP_SYS_ADMIN);\n \n \tret = do_check(env);\n-\tfree_verifier_state(env->cur_state, true);\n-\tenv->cur_state = NULL;\n+\tif (env->cur_state) {\n+\t\tfree_verifier_state(env->cur_state, true);\n+\t\tenv->cur_state = NULL;\n+\t}\n \n skip_full_check:\n \twhile (!pop_stack(env, NULL, NULL));\n@@ -4637,8 +4639,10 @@ int bpf_analyzer(struct bpf_prog *prog, const struct bpf_ext_analyzer_ops *ops,\n \tenv->allow_ptr_leaks = capable(CAP_SYS_ADMIN);\n \n \tret = do_check(env);\n-\tfree_verifier_state(env->cur_state, true);\n-\tenv->cur_state = NULL;\n+\tif (env->cur_state) {\n+\t\tfree_verifier_state(env->cur_state, true);\n+\t\tenv->cur_state = NULL;\n+\t}\n \n skip_full_check:\n \twhile (!pop_stack(env, NULL, NULL));\n", "prefixes": [ "net-next", "v2" ] }
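Review bot: in the bpf_check() hunk the NULL guard around free_verifier_state() fixes the reported oops, but the check would be better placed inside free_verifier_state() itself, since the trace shows that function dereferencing a NULL state at verifier.c:347; an early `if (!state) return;` in the callee (suggested, not in this patch) would protect every caller, and `env->cur_state = NULL;` could then stay unconditional instead of moving under the `if`.

Review bot: the bpf_analyzer() hunk repeats the bpf_check() guard verbatim, and the v2 note says this second site was initially missed; that is exactly the case for one NULL-tolerant free_verifier_state() or a small helper that frees and clears env->cur_state, so the two do_check() callers cannot drift apart again.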