| Message ID | eec7905a71d207f7612e9d86e1bf59c43efc65a4.1553156792.git.xuyu@linux.alibaba.com |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | bpf: do not restore dst_reg when cur_state is freed | expand |
On 03/21/2019 09:31 AM, Xu Yu wrote: > Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug. > Call trace: > dump_stack+0xbf/0x12e > print_address_description+0x6a/0x280 > kasan_report+0x237/0x360 > sanitize_ptr_alu+0x85a/0x8d0 > adjust_ptr_min_max_vals+0x8f2/0x1ca0 > adjust_reg_min_max_vals+0x8ed/0x22e0 > do_check+0x1ca6/0x5d00 > bpf_check+0x9ca/0x2570 > bpf_prog_load+0xc91/0x1030 > __se_sys_bpf+0x61e/0x1f00 > do_syscall_64+0xc8/0x550 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > Fault injection trace: > kfree+0xea/0x290 > free_func_state+0x4a/0x60 > free_verifier_state+0x61/0xe0 > push_stack+0x216/0x2f0 <- inject failslab > sanitize_ptr_alu+0x2b1/0x8d0 > adjust_ptr_min_max_vals+0x8f2/0x1ca0 > adjust_reg_min_max_vals+0x8ed/0x22e0 > do_check+0x1ca6/0x5d00 > bpf_check+0x9ca/0x2570 > bpf_prog_load+0xc91/0x1030 > __se_sys_bpf+0x61e/0x1f00 > do_syscall_64+0xc8/0x550 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > When kzalloc() fails in push_stack(), free_verifier_state() will free > current verifier state. As push_stack() returns, dst_reg was restored > if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg > is also freed, and error occurs when dereferencing dst_reg. > > Simply fix it by checking whether cur_state is NULL before retoring > dst_reg. > > Signed-off-by: Xu Yu <xuyu@linux.alibaba.com> > --- > kernel/bpf/verifier.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index ce166a0..018ce4f 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -3368,7 +3368,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, > *dst_reg = *ptr_reg; > } > ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); > - if (!ptr_is_dst_reg) > + if (!ptr_is_dst_reg && env->cur_state) > *dst_reg = tmp; Good catch, test should be more obvious rewritten as: if (!ptr_is_dst_reg && ret) Could you resubmit with that? > return !ret ? -EFAULT : 0; > } > Thanks, Daniel
On 3/21/19 4:50 PM, Daniel Borkmann wrote: > On 03/21/2019 09:31 AM, Xu Yu wrote: >> Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug. >> Call trace: >> dump_stack+0xbf/0x12e >> print_address_description+0x6a/0x280 >> kasan_report+0x237/0x360 >> sanitize_ptr_alu+0x85a/0x8d0 >> adjust_ptr_min_max_vals+0x8f2/0x1ca0 >> adjust_reg_min_max_vals+0x8ed/0x22e0 >> do_check+0x1ca6/0x5d00 >> bpf_check+0x9ca/0x2570 >> bpf_prog_load+0xc91/0x1030 >> __se_sys_bpf+0x61e/0x1f00 >> do_syscall_64+0xc8/0x550 >> entry_SYSCALL_64_after_hwframe+0x49/0xbe >> Fault injection trace: >> kfree+0xea/0x290 >> free_func_state+0x4a/0x60 >> free_verifier_state+0x61/0xe0 >> push_stack+0x216/0x2f0 <- inject failslab >> sanitize_ptr_alu+0x2b1/0x8d0 >> adjust_ptr_min_max_vals+0x8f2/0x1ca0 >> adjust_reg_min_max_vals+0x8ed/0x22e0 >> do_check+0x1ca6/0x5d00 >> bpf_check+0x9ca/0x2570 >> bpf_prog_load+0xc91/0x1030 >> __se_sys_bpf+0x61e/0x1f00 >> do_syscall_64+0xc8/0x550 >> entry_SYSCALL_64_after_hwframe+0x49/0xbe >> >> When kzalloc() fails in push_stack(), free_verifier_state() will free >> current verifier state. As push_stack() returns, dst_reg was restored >> if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg >> is also freed, and error occurs when dereferencing dst_reg. >> >> Simply fix it by checking whether cur_state is NULL before retoring >> dst_reg. >> >> Signed-off-by: Xu Yu <xuyu@linux.alibaba.com> >> --- >> kernel/bpf/verifier.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c >> index ce166a0..018ce4f 100644 >> --- a/kernel/bpf/verifier.c >> +++ b/kernel/bpf/verifier.c >> @@ -3368,7 +3368,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, >> *dst_reg = *ptr_reg; >> } >> ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); >> - if (!ptr_is_dst_reg) >> + if (!ptr_is_dst_reg && env->cur_state) >> *dst_reg = tmp; > > Good catch, test should be more obvious rewritten as: > > if (!ptr_is_dst_reg && ret) > > Could you resubmit with that? sure, will send patch v2 later. thanks, Yu > >> return !ret ? -EFAULT : 0; >> } >> > > Thanks, > Daniel >
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index ce166a0..018ce4f 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -3368,7 +3368,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, *dst_reg = *ptr_reg; } ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); - if (!ptr_is_dst_reg) + if (!ptr_is_dst_reg && env->cur_state) *dst_reg = tmp; return !ret ? -EFAULT : 0; }
Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug. Call trace: dump_stack+0xbf/0x12e print_address_description+0x6a/0x280 kasan_report+0x237/0x360 sanitize_ptr_alu+0x85a/0x8d0 adjust_ptr_min_max_vals+0x8f2/0x1ca0 adjust_reg_min_max_vals+0x8ed/0x22e0 do_check+0x1ca6/0x5d00 bpf_check+0x9ca/0x2570 bpf_prog_load+0xc91/0x1030 __se_sys_bpf+0x61e/0x1f00 do_syscall_64+0xc8/0x550 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fault injection trace: kfree+0xea/0x290 free_func_state+0x4a/0x60 free_verifier_state+0x61/0xe0 push_stack+0x216/0x2f0 <- inject failslab sanitize_ptr_alu+0x2b1/0x8d0 adjust_ptr_min_max_vals+0x8f2/0x1ca0 adjust_reg_min_max_vals+0x8ed/0x22e0 do_check+0x1ca6/0x5d00 bpf_check+0x9ca/0x2570 bpf_prog_load+0xc91/0x1030 __se_sys_bpf+0x61e/0x1f00 do_syscall_64+0xc8/0x550 entry_SYSCALL_64_after_hwframe+0x49/0xbe When kzalloc() fails in push_stack(), free_verifier_state() will free current verifier state. As push_stack() returns, dst_reg was restored if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg is also freed, and error occurs when dereferencing dst_reg. Simply fix it by checking whether cur_state is NULL before retoring dst_reg. Signed-off-by: Xu Yu <xuyu@linux.alibaba.com> --- kernel/bpf/verifier.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)