[{"id":1798007,"web_url":"http://patchwork.ozlabs.org/comment/1798007/","msgid":"<bea428ec-6f89-e828-5d23-59c29c940869@fb.com>","list_archive_url":null,"date":"2017-11-02T15:28:26","subject":"Re: [PATCH net-next v2] bpf: fix verifier NULL pointer dereference","submitter":{"id":68234,"url":"http://patchwork.ozlabs.org/api/people/68234/","name":"Alexei Starovoitov","email":"ast@fb.com"},"content":"On 11/2/17 8:18 AM, Craig Gallek wrote:\n> From: Craig Gallek <kraig@google.com>\n>\n> do_check() can fail early without allocating env->cur_state under\n> memory pressure.  Syzkaller found the stack below on the linux-next\n> tree because of this.\n>\n>   kasan: CONFIG_KASAN_INLINE enabled\n>   kasan: GPF could be caused by NULL-ptr deref or user memory access\n>   general protection fault: 0000 [#1] SMP KASAN\n>   Dumping ftrace buffer:\n>      (ftrace buffer empty)\n>   Modules linked in:\n>   CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106\n>   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n>   task: ffff8801c2c74700 task.stack: ffff8801c3e28000\n>   RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline]\n>   RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533\n>   RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202\n>   RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000\n>   RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380\n>   RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f\n>   R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28\n>   R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20\n>   FS:  00007f311079b700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000\n>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n>   CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0\n>   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n>   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 
0000000000000400\n>   Call Trace:\n>    bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166\n>    SYSC_bpf kernel/bpf/syscall.c:1690 [inline]\n>    SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652\n>    entry_SYSCALL_64_fastpath+0x1f/0xbe\n>   RIP: 0033:0x452869\n>   RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141\n>   RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869\n>   RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005\n>   RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000\n>   R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550\n>   R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000\n>   Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26\n>   RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP: ffff8801c3e2f5c8\n>   RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP: ffff8801c3e2f5c8\n>   ---[ end trace c8d37f339dc64004 ]---\n>\n> Fixes: 638f5b90d460 (\"bpf: reduce verifier memory consumption\")\n> Fixes: 1969db47f8d0 (\"bpf: fix verifier memory leaks\")\n> Signed-off-by: Craig Gallek <kraig@google.com>\n\nAcked-by: Alexei Starovoitov <ast@kernel.org>\n\nThanks!","headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","ozlabs.org; dkim=pass (1024-bit key;\n\tunprotected) header.d=fb.com header.i=@fb.com header.b=\"Iacu9ty1\";\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n\tunprotected) header.d=fb.onmicrosoft.com header.i=@fb.onmicrosoft.com\n\theader.b=\"Gx8yNPZT\"; 
dkim-atps=neutral"],"Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3ySTWc1RFzz9s74\n\tfor <patchwork-incoming@ozlabs.org>;\n\tFri,  3 Nov 2017 02:28:44 +1100 (AEDT)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S933724AbdKBP2l (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tThu, 2 Nov 2017 11:28:41 -0400","from mx0b-00082601.pphosted.com ([67.231.153.30]:44524 \"EHLO\n\tmx0a-00082601.pphosted.com\" rhost-flags-OK-OK-OK-FAIL)\n\tby vger.kernel.org with ESMTP id S933624AbdKBP2j (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Thu, 2 Nov 2017 11:28:39 -0400","from pps.filterd (m0001303.ppops.net [127.0.0.1])\n\tby m0001303.ppops.net (8.16.0.21/8.16.0.21) with SMTP id\n\tvA2FNOCo018443; Thu, 2 Nov 2017 08:28:36 -0700","from mail.thefacebook.com ([199.201.64.23])\n\tby m0001303.ppops.net with ESMTP id 2dyuxp2xtr-1\n\t(version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT);\n\tThu, 02 Nov 2017 08:28:36 -0700","from NAM01-SN1-obe.outbound.protection.outlook.com (192.168.54.28)\n\tby o365-in.thefacebook.com (192.168.16.22) with Microsoft SMTP\n\tServer (TLS) id 14.3.319.2; Thu, 2 Nov 2017 08:28:34 -0700","from [IPv6:2620:10d:c081:1131::112d] (2620:10d:c090:180::1:a530) by\n\tCO1PR15MB0968.namprd15.prod.outlook.com (2a01:111:e400:7b64::26) with\n\tMicrosoft SMTP Server (version=TLS1_2,\n\tcipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.197.13;\n\tThu, 2 Nov 2017 15:28:31 +0000"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com;\n\th=subject : to : references\n\t: cc : from : message-id : date : mime-version : in-reply-to :\n\tcontent-type : content-transfer-encoding; s=facebook;\n\tbh=NNMqa9qRpMY5IMKj1hwnSrrjU6MmO6j0y5/49mn1hsU=;\n\tb=Iacu9ty1rhouM9E0DR8iRqjMP4OYAYCY1ddPcyDpQuH9kxbo0hRwvb5yoyYAzgl+2tJo\n\tJscrsU/ZO6eY4sKOqGLd9954rc/azHssC0BiQfGcuvRruZ6aSqI0RseUeAOYkOSzz+kf\n\tDp1PdGsmjVWPuPuve4Y+cIllz96TaDK+FAY= ","v=1; a=rsa-sha256; c=relaxed/relaxed; 
d=fb.onmicrosoft.com; \n\ts=selector1-fb-com;\n\th=From:Date:Subject:Message-ID:Content-Type:MIME-Version; \n\tbh=NNMqa9qRpMY5IMKj1hwnSrrjU6MmO6j0y5/49mn1hsU=;\n\tb=Gx8yNPZTRaXLF9uvgeG9Q2GuPnaTEuPGHfo1EM5r4oTsFaKZ3tn8QFklg5ofZxpaN6EuEGUZ9VIFt3OjkA1+1/yY1Cl+p+n7b83tgKiNO53tyEq58NznaB+NckMLby7WYCrESM/o0Fgp/G1wfsYIYUFm+nN7I1BE1mJXHOvKFwY="],"Subject":"Re: [PATCH net-next v2] bpf: fix verifier NULL pointer dereference","To":"Craig Gallek <kraigatgoog@gmail.com>,\n\t\"David S . Miller\" <davem@davemloft.net>","References":"<20171102142119.13894-1-kraigatgoog@gmail.com>\n\t<20171102151801.24500-1-kraigatgoog@gmail.com>","CC":"<netdev@vger.kernel.org>","From":"Alexei Starovoitov <ast@fb.com>","Message-ID":"<bea428ec-6f89-e828-5d23-59c29c940869@fb.com>","Date":"Thu, 2 Nov 2017 08:28:26 -0700","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0)\n\tGecko/20100101 Thunderbird/45.8.0","MIME-Version":"1.0","In-Reply-To":"<20171102151801.24500-1-kraigatgoog@gmail.com>","Content-Type":"text/plain; charset=\"windows-1252\"; format=flowed","Content-Transfer-Encoding":"7bit","X-Originating-IP":"[2620:10d:c090:180::1:a530]","X-ClientProxiedBy":"SN4PR0501CA0048.namprd05.prod.outlook.com\n\t(2603:10b6:803:41::25) To CO1PR15MB0968.namprd15.prod.outlook.com\n\t(2a01:111:e400:7b64::26)","X-MS-PublicTrafficType":"Email","X-MS-Office365-Filtering-Correlation-Id":"a23d6213-94f6-40a4-c3df-08d522065ffb","X-Microsoft-Antispam":"UriScan:; BCL:0; PCL:0;\n\tRULEID:(22001)(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(2017052603238);\n\tSRVR:CO1PR15MB0968; ","X-Microsoft-Exchange-Diagnostics":["1; 
CO1PR15MB0968"],"X-MS-TrafficTypeDiagnostic":"CO1PR15MB0968:","X-Exchange-Antispam-Report-Test":"UriScan:(211936372134217)(153496737603132); ","X-Microsoft-Antispam-PRVS":"<CO1PR15MB096847D094D3CCFC40398A99D75C0@CO1PR15MB0968.namprd15.prod.outlook.com>","X-Exchange-Antispam-Report-CFA-Test":"BCL:0; 
PCL:0;\n\tRULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);\n\tSRVR:CO1PR15MB0968; ","X-Forefront-PRVS":"047999FF16","X-Forefront-Antispam-Report":"SFV:NSPM;\n\tSFS:(10019020)(6009001)(346002)(376002)(189002)(24454002)(199003)(67846002)(65956001)(23746002)(65806001)(97736004)(229853002)(106356001)(105586002)(47776003)(6486002)(31686004)(316002)(53546010)(83506002)(2906002)(58126008)(189998001)(110136005)(65826007)(5660300001)(2950100002)(6666003)(76176999)(50986999)(54356999)(8676002)(81166006)(25786009)(81156014)(6246003)(1706002)(39060400002)(478600001)(64126003)(305945005)(7736002)(86362001)(575784001)(50466002)(4326008)(33646002)(34040400001)(6116002)(36756003)(31696002)(8936002)(230700001)(101416001)(53936002)(45080400002)(68736007)(42262002);\n\tDIR:OUT; SFP:1102; SCL:1; SRVR:CO1PR15MB0968;\n\tH:[IPv6:2620:10d:c081:1131::112d]; FPR:; SPF:None;\n\tPTR:InfoNoRecords; MX:1; A:1; LANG:en; ","Received-SPF":"None (protection.outlook.com: fb.com does not designate\n\tpermitted sender hosts)","SpamDiagnosticOutput":"1:99","SpamDiagnosticMetadata":"NSPM","X-MS-Exchange-CrossTenant-OriginalArrivalTime":"02 Nov 2017 15:28:31.1557\n\t(UTC)","X-MS-Exchange-CrossTenant-Network-Message-Id":"a23d6213-94f6-40a4-c3df-08d522065ffb","X-MS-Exchange-CrossTenant-FromEntityHeader":"Hosted","X-MS-Exchange-CrossTenant-Id":"8ae927fe-1255-47a7-a2af-5f3a069daaa2","X-MS-Exchange-Transport-CrossTenantHeadersStamped":"CO1PR15MB0968","X-OriginatorOrg":"fb.com","X-Proofpoint-Spam-Reason":"safe","X-FB-Internal":"Safe","X-Proofpoint-Virus-Version":"vendor=fsecure engine=2.50.10432:, ,\n\tdefinitions=2017-11-02_05:, , 
signatures=0","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"}},{"id":1798318,"web_url":"http://patchwork.ozlabs.org/comment/1798318/","msgid":"<59FB9A93.5090904@iogearbox.net>","list_archive_url":null,"date":"2017-11-02T22:22:11","subject":"Re: [PATCH net-next v2] bpf: fix verifier NULL pointer dereference","submitter":{"id":65705,"url":"http://patchwork.ozlabs.org/api/people/65705/","name":"Daniel Borkmann","email":"daniel@iogearbox.net"},"content":"On 11/02/2017 04:18 PM, Craig Gallek wrote:\n> From: Craig Gallek <kraig@google.com>\n>\n> do_check() can fail early without allocating env->cur_state under\n> memory pressure.  Syzkaller found the stack below on the linux-next\n> tree because of this.\n>\n>    kasan: CONFIG_KASAN_INLINE enabled\n>    kasan: GPF could be caused by NULL-ptr deref or user memory access\n>    general protection fault: 0000 [#1] SMP KASAN\n>    Dumping ftrace buffer:\n>       (ftrace buffer empty)\n>    Modules linked in:\n>    CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106\n>    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n>    task: ffff8801c2c74700 task.stack: ffff8801c3e28000\n>    RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline]\n>    RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533\n>    RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202\n>    RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000\n>    RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380\n>    RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f\n>    R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28\n>    R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20\n>    FS:  00007f311079b700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000\n>    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n>    CR2: 00000000004d4a24 CR3: 
00000001cbcd0000 CR4: 00000000001406e0\n>    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n>    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n>    Call Trace:\n>     bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166\n>     SYSC_bpf kernel/bpf/syscall.c:1690 [inline]\n>     SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652\n>     entry_SYSCALL_64_fastpath+0x1f/0xbe\n>    RIP: 0033:0x452869\n>    RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141\n>    RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869\n>    RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005\n>    RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000\n>    R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550\n>    R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000\n>    Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26\n>    RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP: ffff8801c3e2f5c8\n>    RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP: ffff8801c3e2f5c8\n>    ---[ end trace c8d37f339dc64004 ]---\n>\n> Fixes: 638f5b90d460 (\"bpf: reduce verifier memory consumption\")\n> Fixes: 1969db47f8d0 (\"bpf: fix verifier memory leaks\")\n> Signed-off-by: Craig Gallek <kraig@google.com>\n\nAcked-by: Daniel Borkmann <daniel@iogearbox.net>","headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP 
id 3ySfhq15N7z9sQl\n\tfor <patchwork-incoming@ozlabs.org>;\n\tFri,  3 Nov 2017 09:22:19 +1100 (AEDT)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S964862AbdKBWWR (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tThu, 2 Nov 2017 18:22:17 -0400","from www62.your-server.de ([213.133.104.62]:36715 \"EHLO\n\twww62.your-server.de\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S934407AbdKBWWQ (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Thu, 2 Nov 2017 18:22:16 -0400","from [194.230.159.142] (helo=localhost.localdomain)\n\tby www62.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-SHA:256)\n\t(Exim 4.85_2) (envelope-from <daniel@iogearbox.net>)\n\tid 1eANsK-0001z0-Ds; Thu, 02 Nov 2017 23:22:12 +0100"],"Message-ID":"<59FB9A93.5090904@iogearbox.net>","Date":"Thu, 02 Nov 2017 23:22:11 +0100","From":"Daniel Borkmann <daniel@iogearbox.net>","User-Agent":"Mozilla/5.0 (X11; Linux x86_64;\n\trv:31.0) Gecko/20100101 Thunderbird/31.7.0","MIME-Version":"1.0","To":"Craig Gallek <kraigatgoog@gmail.com>, Alexei Starovoitov <ast@fb.com>,\n\t\"David S . 
Miller\" <davem@davemloft.net>","CC":"netdev@vger.kernel.org","Subject":"Re: [PATCH net-next v2] bpf: fix verifier NULL pointer dereference","References":"<20171102142119.13894-1-kraigatgoog@gmail.com>\n\t<20171102151801.24500-1-kraigatgoog@gmail.com>","In-Reply-To":"<20171102151801.24500-1-kraigatgoog@gmail.com>","Content-Type":"text/plain; charset=windows-1252; format=flowed","Content-Transfer-Encoding":"7bit","X-Authenticated-Sender":"daniel@iogearbox.net","X-Virus-Scanned":"Clear (ClamAV 0.99.2/24010/Thu Nov  2 13:07:00 2017)","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"}},{"id":1798435,"web_url":"http://patchwork.ozlabs.org/comment/1798435/","msgid":"<20171103.155016.1716862120175860397.davem@davemloft.net>","list_archive_url":null,"date":"2017-11-03T06:50:16","subject":"Re: [PATCH net-next v2] bpf: fix verifier NULL pointer dereference","submitter":{"id":15,"url":"http://patchwork.ozlabs.org/api/people/15/","name":"David Miller","email":"davem@davemloft.net"},"content":"From: Craig Gallek <kraigatgoog@gmail.com>\nDate: Thu,  2 Nov 2017 11:18:01 -0400\n\n> From: Craig Gallek <kraig@google.com>\n> \n> do_check() can fail early without allocating env->cur_state under\n> memory pressure.  
Syzkaller found the stack below on the linux-next\n> tree because of this.\n ...\n> Fixes: 638f5b90d460 (\"bpf: reduce verifier memory consumption\")\n> Fixes: 1969db47f8d0 (\"bpf: fix verifier memory leaks\")\n> Signed-off-by: Craig Gallek <kraig@google.com>\n\nApplied, thanks Craig.","headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3ySsz21z11z9sBd\n\tfor <patchwork-incoming@ozlabs.org>;\n\tFri,  3 Nov 2017 17:50:22 +1100 (AEDT)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1754004AbdKCGuU (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tFri, 3 Nov 2017 02:50:20 -0400","from shards.monkeyblade.net ([184.105.139.130]:36686 \"EHLO\n\tshards.monkeyblade.net\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1752309AbdKCGuT (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Fri, 3 Nov 2017 02:50:19 -0400","from localhost (unknown [61.40.109.130])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(Client did not present a certificate)\n\t(Authenticated sender: davem-davemloft)\n\tby shards.monkeyblade.net (Postfix) with ESMTPSA id 59737103F5181;\n\tThu,  2 Nov 2017 23:50:18 -0700 (PDT)"],"Date":"Fri, 03 Nov 2017 15:50:16 +0900 (KST)","Message-Id":"<20171103.155016.1716862120175860397.davem@davemloft.net>","To":"kraigatgoog@gmail.com","Cc":"ast@fb.com, netdev@vger.kernel.org","Subject":"Re: [PATCH net-next v2] bpf: fix verifier NULL pointer dereference","From":"David Miller 
<davem@davemloft.net>","In-Reply-To":"<20171102151801.24500-1-kraigatgoog@gmail.com>","References":"<20171102142119.13894-1-kraigatgoog@gmail.com>\n\t<20171102151801.24500-1-kraigatgoog@gmail.com>","X-Mailer":"Mew version 6.7 on Emacs 25.3 / Mule 6.0 (HANACHIRUSATO)","Mime-Version":"1.0","Content-Type":"Text/Plain; charset=us-ascii","Content-Transfer-Encoding":"7bit","X-Greylist":"Sender succeeded SMTP AUTH, not delayed by\n\tmilter-greylist-4.5.12 (shards.monkeyblade.net\n\t[149.20.54.216]); Thu, 02 Nov 2017 23:50:19 -0700 (PDT)","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"}}]