| Message ID | 20171102142119.13894-1-kraigatgoog@gmail.com |
|---|---|
| State | Superseded, archived |
| Delegated to: | David Miller |
| Headers | show |
| Series | [net-next] bpf: fix verifier NULL pointer dereference | expand |
On 11/2/17 7:21 AM, Craig Gallek wrote: > From: Craig Gallek <kraig@google.com> > > do_check() can fail early without allocating env->cur_state under > memory pressure. Syzkaller found the stack below on the linux-next > tree because of this. > > kasan: CONFIG_KASAN_INLINE enabled > kasan: GPF could be caused by NULL-ptr deref or user memory access > general protection fault: 0000 [#1] SMP KASAN > Dumping ftrace buffer: > (ftrace buffer empty) > Modules linked in: > CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 > task: ffff8801c2c74700 task.stack: ffff8801c3e28000 > RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline] > RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 > RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202 > RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000 > RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380 > RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f > R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28 > R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20 > FS: 00007f311079b700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166 > SYSC_bpf kernel/bpf/syscall.c:1690 [inline] > SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652 > entry_SYSCALL_64_fastpath+0x1f/0xbe > RIP: 0033:0x452869 > RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141 > RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869 > RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005 > RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550 > R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000 > Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26 > RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP: ffff8801c3e2f5c8 > RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP: ffff8801c3e2f5c8 > ---[ end trace c8d37f339dc64004 ]--- > > Fixes: 638f5b90d460 ("bpf: reduce verifier memory consumption") > Fixes: 1969db47f8d0 ("bpf: fix verifier memory leaks") > Signed-off-by: Craig Gallek <kraig@google.com> > --- > kernel/bpf/verifier.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 530b68550fd2..199ae7ccb2b7 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -4530,8 +4530,10 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr) > env->allow_ptr_leaks = capable(CAP_SYS_ADMIN); > > ret = do_check(env); > - free_verifier_state(env->cur_state, true); > - env->cur_state = NULL; > + if (env->cur_state) { > + free_verifier_state(env->cur_state, true); > + env->cur_state = NULL; > + } right. good catch. similar fix needed in bpf_analyzer() Can you respin with fix for both?
On Thu, Nov 2, 2017 at 11:07 AM, Alexei Starovoitov <ast@fb.com> wrote: > On 11/2/17 7:21 AM, Craig Gallek wrote: >> >> From: Craig Gallek <kraig@google.com> >> >> do_check() can fail early without allocating env->cur_state under >> memory pressure. Syzkaller found the stack below on the linux-next >> tree because of this. >> >> kasan: CONFIG_KASAN_INLINE enabled >> kasan: GPF could be caused by NULL-ptr deref or user memory access >> general protection fault: 0000 [#1] SMP KASAN >> Dumping ftrace buffer: >> (ftrace buffer empty) >> Modules linked in: >> CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106 >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS >> Google 01/01/2011 >> task: ffff8801c2c74700 task.stack: ffff8801c3e28000 >> RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline] >> RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 >> RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202 >> RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000 >> RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380 >> RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f >> R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28 >> R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20 >> FS: 00007f311079b700(0000) GS:ffff8801db300000(0000) >> knlGS:0000000000000000 >> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >> CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0 >> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 >> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 >> Call Trace: >> bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166 >> SYSC_bpf kernel/bpf/syscall.c:1690 [inline] >> SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652 >> entry_SYSCALL_64_fastpath+0x1f/0xbe >> RIP: 0033:0x452869 >> RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141 >> RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869 >> RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005 >> RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000 >> R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550 >> R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000 >> Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00 >> 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 >> 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26 >> RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP: >> ffff8801c3e2f5c8 >> RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP: >> ffff8801c3e2f5c8 >> ---[ end trace c8d37f339dc64004 ]--- >> >> Fixes: 638f5b90d460 ("bpf: reduce verifier memory consumption") >> Fixes: 1969db47f8d0 ("bpf: fix verifier memory leaks") >> Signed-off-by: Craig Gallek <kraig@google.com> >> --- >> kernel/bpf/verifier.c | 6 ++++-- >> 1 file changed, 4 insertions(+), 2 deletions(-) >> >> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c >> index 530b68550fd2..199ae7ccb2b7 100644 >> --- a/kernel/bpf/verifier.c >> +++ b/kernel/bpf/verifier.c >> @@ -4530,8 +4530,10 @@ int bpf_check(struct bpf_prog **prog, union >> bpf_attr *attr) >> env->allow_ptr_leaks = capable(CAP_SYS_ADMIN); >> >> ret = do_check(env); >> - free_verifier_state(env->cur_state, true); >> - env->cur_state = NULL; >> + if (env->cur_state) { >> + free_verifier_state(env->cur_state, true); >> + env->cur_state = NULL; >> + } > > > right. good catch. similar fix needed in bpf_analyzer() > Can you respin with fix for both? I swear I had that in my test tree ;) Sending now...
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 530b68550fd2..199ae7ccb2b7 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -4530,8 +4530,10 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr) env->allow_ptr_leaks = capable(CAP_SYS_ADMIN); ret = do_check(env); - free_verifier_state(env->cur_state, true); - env->cur_state = NULL; + if (env->cur_state) { + free_verifier_state(env->cur_state, true); + env->cur_state = NULL; + } skip_full_check: while (!pop_stack(env, NULL, NULL));