| Message ID | 20191205010606.177774-1-yhs@fb.com |
|---|---|
| State | Accepted |
| Delegated to | BPF Maintainers |
| Series | fix a verifier bug in check_attach_btf_id() |
On Wed, Dec 04, 2019 at 05:06:06PM -0800, Yonghong Song wrote:
> For jited bpf program, if the subprogram count is 1, i.e.,
> there are no callees in the program, prog->aux->func will be NULL
> and prog->bpf_func points to the image address of the program.
>
> If there is more than one subprogram, prog->aux->func is populated,
> and subprogram 0 can be accessed through either prog->bpf_func or
> prog->aux->func[0]. Other subprograms should be accessed through
> prog->aux->func[subprog_id].
>
> This patch fixed a bug in check_attach_btf_id(), where
> prog->aux->func[subprog_id] is used to access any subprogram, which
> caused a segfault like below:
> [79162.619208] BUG: kernel NULL pointer dereference, address:
> 0000000000000000
> ......
> [79162.634255] Call Trace:
> [79162.634974] ? _cond_resched+0x15/0x30
> [79162.635686] ? kmem_cache_alloc_trace+0x162/0x220
> [79162.636398] ? selinux_bpf_prog_alloc+0x1f/0x60
> [79162.637111] bpf_prog_load+0x3de/0x690
> [79162.637809] __do_sys_bpf+0x105/0x1740
> [79162.638488] do_syscall_64+0x5b/0x180
> [79162.639147] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> ......
>
> Fixes: 5b92a28aae4d ("bpf: Support attaching tracing BPF program to other BPF programs")
> Reported-by: Eelco Chaudron <echaudro@redhat.com>
> Signed-off-by: Yonghong Song <yhs@fb.com>
> ---
> kernel/bpf/verifier.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index a0482e1c4a77..034ef81f935b 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -9636,7 +9636,10 @@ static int check_attach_btf_id(struct bpf_verifier_env *env) > ret = -EINVAL; > goto out; > } > - addr = (long) tgt_prog->aux->func[subprog]->bpf_func; > + if (subprog == 0) > + addr = (long) tgt_prog->bpf_func; > + else > + addr = (long) tgt_prog->aux->func[subprog]->bpf_func; That is exactly the code I had while developing, but then decided to simplify it, since tgt_prog->aux->func[0]->bpf_func == tgt_prog->bpf_func. Oh well. Thanks for the fix!
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index a0482e1c4a77..034ef81f935b 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -9636,7 +9636,10 @@ static int check_attach_btf_id(struct bpf_verifier_env *env) ret = -EINVAL; goto out; } - addr = (long) tgt_prog->aux->func[subprog]->bpf_func; + if (subprog == 0) + addr = (long) tgt_prog->bpf_func; + else + addr = (long) tgt_prog->aux->func[subprog]->bpf_func; } else { addr = kallsyms_lookup_name(tname); if (!addr) {
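Review bot: the `else` branch still indexes `tgt_prog->aux->func[subprog]` without checking that `aux->func` is populated or that `subprog` is below the subprogram count; it is correct only because a nonzero `subprog` implies the target has more than one subprogram and therefore a non-NULL `aux->func`. A one-line comment above `if (subprog == 0)` stating that `aux->func` is NULL for a single-subprogram jited program (the case the commit message describes) would keep the next reader from "simplifying" it back to `func[subprog]->bpf_func`, which the reply upthread shows is exactly how the NULL dereference was introduced.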
For jited bpf program, if the subprogram count is 1, i.e., there are no callees in the program, prog->aux->func will be NULL and prog->bpf_func points to the image address of the program.

If there is more than one subprogram, prog->aux->func is populated, and subprogram 0 can be accessed through either prog->bpf_func or prog->aux->func[0]. Other subprograms should be accessed through prog->aux->func[subprog_id].

This patch fixed a bug in check_attach_btf_id(), where prog->aux->func[subprog_id] is used to access any subprogram, which caused a segfault like below:

[79162.619208] BUG: kernel NULL pointer dereference, address: 0000000000000000
......
[79162.634255] Call Trace:
[79162.634974] ? _cond_resched+0x15/0x30
[79162.635686] ? kmem_cache_alloc_trace+0x162/0x220
[79162.636398] ? selinux_bpf_prog_alloc+0x1f/0x60
[79162.637111] bpf_prog_load+0x3de/0x690
[79162.637809] __do_sys_bpf+0x105/0x1740
[79162.638488] do_syscall_64+0x5b/0x180
[79162.639147] entry_SYSCALL_64_after_hwframe+0x44/0xa9
......

Fixes: 5b92a28aae4d ("bpf: Support attaching tracing BPF program to other BPF programs")
Reported-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Yonghong Song <yhs@fb.com>
---
kernel/bpf/verifier.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
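The commit message describes an invariant of the program object (aux->func is NULL for a jited program with a single subprogram, and subprogram 0 is always reachable through bpf_func) that the pre-fix lookup violated. The following is an added, user-space model of that invariant and of the two lookup variants; it is not kernel code and not part of the patch. The struct layouts, the fake JIT image arrays, the helper names `resolve_before_fix`, `resolve_fixed`, `single_program` and `multi_program`, and the `func_cnt` bounds check in the fixed variant are all constructions of this example; the kernel's real `check_attach_btf_id()` does only the `subprog == 0` test shown in the hunk.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the two bpf_prog fields the commit message talks
 * about. These are NOT the kernel's definitions; they carry just enough
 * state to show why indexing aux->func for every subprogram faults.
 */
struct bpf_prog;

struct bpf_prog_aux {
	unsigned int func_cnt;    /* number of subprograms after verification */
	struct bpf_prog **func;   /* NULL when the jited program has no callees */
};

struct bpf_prog {
	void *bpf_func;           /* JIT image address of subprogram 0 */
	struct bpf_prog_aux *aux;
};

/* Lookup as it was before the fix: always goes through aux->func. */
static long resolve_before_fix(const struct bpf_prog *tgt_prog, unsigned int subprog)
{
	if (!tgt_prog->aux->func)
		return 0;   /* the kernel had no such check: this is the NULL dereference in the oops */
	return (long) tgt_prog->aux->func[subprog]->bpf_func;
}

/*
 * Lookup as in the fixed hunk: subprogram 0 comes from bpf_func, which is
 * valid whether or not aux->func exists. The func_cnt bounds check is an
 * addition of this example, not something the patch adds.
 */
static long resolve_fixed(const struct bpf_prog *tgt_prog, unsigned int subprog)
{
	if (subprog == 0)
		return (long) tgt_prog->bpf_func;
	if (!tgt_prog->aux->func || subprog >= tgt_prog->aux->func_cnt)
		return 0;   /* not a valid subprogram id for this target */
	return (long) tgt_prog->aux->func[subprog]->bpf_func;
}

/* Fake JIT images (constructed): stand-ins for the real code pages. */
static unsigned char image_main[16], image_callee[16];

/* A jited program with a single subprogram: aux->func stays NULL. */
static const struct bpf_prog *single_program(void)
{
	static struct bpf_prog_aux aux = { .func_cnt = 1, .func = NULL };
	static struct bpf_prog prog = { .bpf_func = image_main, .aux = &aux };
	return &prog;
}

/* A jited program with two subprograms: aux->func is populated. */
static const struct bpf_prog *multi_program(void)
{
	static struct bpf_prog subs[2];
	static struct bpf_prog *funcs[2] = { &subs[0], &subs[1] };
	static struct bpf_prog_aux aux = { .func_cnt = 2, .func = funcs };

	/* subprogram 0 is reachable both as prog->bpf_func and as aux->func[0] */
	subs[0].bpf_func = image_main;
	subs[0].aux = &aux;
	subs[1].bpf_func = image_callee;
	subs[1].aux = &aux;
	return &subs[0];
}

int main(void)
{
	printf("single program, subprog 0, before fix: %lx (0 = would have faulted)\n",
	       resolve_before_fix(single_program(), 0));
	printf("single program, subprog 0, fixed:      %lx\n",
	       resolve_fixed(single_program(), 0));
	printf("multi program,  subprog 1, fixed:      %lx\n",
	       resolve_fixed(multi_program(), 1));
	return 0;
}
```

Running it shows the single-subprogram case is exactly where the two variants diverge: the old path has nothing to index, while the fixed path returns bpf_func, and for a multi-subprogram target both paths agree on every valid subprogram id.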