From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Shubham Bansal <illusionist.neo@gmail.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.11 008/115] bpf, arm64: fix faulty emission of map access in tail calls
Date: Mon,  5 Jun 2017 18:16:41 +0200	[thread overview]
Message-ID: <20170605153057.066493462@linuxfoundation.org> (raw)
In-Reply-To: <20170605153056.650217313@linuxfoundation.org>

4.11-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <daniel@iogearbox.net>


[ Upstream commit d8b54110ee944de522ccd3531191f39986ec20f9 ]

Shubham was recently asking on netdev why in arm64 JIT we don't multiply
the index for accessing the tail call map by 8. That led me into testing
out arm64 JIT wrt tail calls and it turned out I got a NULL pointer
dereference on the tail call.

The buggy access is at:

  prog = array->ptrs[index];
  if (prog == NULL)
      goto out;

  [...]
  00000060:  d2800e0a  mov x10, #0x70 // #112
  00000064:  f86a682a  ldr x10, [x1,x10]
  00000068:  f862694b  ldr x11, [x10,x2]
  0000006c:  b40000ab  cbz x11, 0x00000080
  [...]

The code triggering the crash is f862694b. x1 at the time contains the
address of the bpf array, x10 offsetof(struct bpf_array, ptrs). Meaning,
above we load the pointer to the program at map slot 0 into x10. x10
can then be NULL if the slot is not occupied, which we later on try to
access with a user given offset in x2 that is the map index.

Fix this by emitting the following instead:

  [...]
  00000060:  d2800e0a  mov x10, #0x70 // #112
  00000064:  8b0a002a  add x10, x1, x10
  00000068:  d37df04b  lsl x11, x2, #3
  0000006c:  f86b694b  ldr x11, [x10,x11]
  00000070:  b40000ab  cbz x11, 0x00000084
  [...]

This basically adds the offset to ptrs to the base address of the bpf
array we got, and we later on access the map with an index * 8 offset
relative to that. The tail call map itself is basically one large area
with metadata at the head followed by the array of prog pointers.
This makes tail calls work again, tested on Cavium ThunderX ARMv8.

Fixes: ddb55992b04d ("arm64: bpf: implement bpf_tail_call() helper")
Reported-by: Shubham Bansal <illusionist.neo@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/net/bpf_jit_comp.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -252,8 +252,9 @@ static int emit_bpf_tail_call(struct jit
 	 */
 	off = offsetof(struct bpf_array, ptrs);
 	emit_a64_mov_i64(tmp, off, ctx);
-	emit(A64_LDR64(tmp, r2, tmp), ctx);
-	emit(A64_LDR64(prg, tmp, r3), ctx);
+	emit(A64_ADD(1, tmp, r2, tmp), ctx);
+	emit(A64_LSL(1, prg, r3, 3), ctx);
+	emit(A64_LDR64(prg, tmp, prg), ctx);
 	emit(A64_CBZ(1, prg, jmp_offset), ctx);
 
 	/* goto *(prog->bpf_func + prologue_size); */
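Review bot: the `emit(A64_LSL(1, prg, r3, 3), ctx)` line hard-codes the prog pointer size as 8 bytes, and the new add/lsl/ldr sequence is only safe if the map index in r3 (the user-given value the commit message mentions) has already been range-checked against the map size before this point, which the hunk does not show; a one-line comment at the LSL, e.g. `/* prg = index * sizeof(array->ptrs[0]); index already bounds-checked above */`, would make both assumptions explicit for the next reader. Otherwise the three emitted instructions match the fixed disassembly in the commit message (add, lsl #3, ldr), and reusing prg as scratch for the shifted index before the LDR overwrites it is fine.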

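The address computation from the commit message, as an added C example that is not kernel code: it models the metadata-then-pointers layout of the tail call map with a constructed struct whose ptrs offset is 0x70 like the dump above, and computes the effective address the faulty ldr/ldr sequence and the fixed add/lsl/ldr sequence would each read for a given index. All struct, function and variable names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for struct bpf_array (not the kernel's layout):
 * 112 bytes of metadata, then the prog pointer array, so that
 * offsetof(ptrs) == 0x70 exactly as in the disassembly in the commit. */
struct fake_bpf_array {
	uint64_t meta[14];
	void *ptrs[4];
};

/* Stand-in prog objects; only their addresses matter here. */
static int prog_a, prog_b;
static struct fake_bpf_array sample;

/* Build the constructed map: slot 0 optionally empty, slot 2 holds a prog. */
static struct fake_bpf_array *build_sample(int slot0_occupied)
{
	sample.ptrs[0] = slot0_occupied ? (void *)&prog_a : NULL;
	sample.ptrs[1] = NULL;
	sample.ptrs[2] = (void *)&prog_b;
	sample.ptrs[3] = NULL;
	return &sample;
}

/* Faulty emission:  ldr x10,[x1,x10] ; ldr x11,[x10,x2]
 * The first ldr loads ptrs[0] (a prog pointer or NULL) instead of the
 * array base, and the second indexes through that pointer by the raw,
 * unscaled index. Returns the address the second ldr would read, or 0
 * when x10 is NULL (the NULL dereference the commit describes). */
static uintptr_t faulty_slot_addr(const struct fake_bpf_array *arr, uint64_t index)
{
	uintptr_t x1 = (uintptr_t)arr;
	const void *const *slot0 = (const void *const *)(x1 + offsetof(struct fake_bpf_array, ptrs));
	uintptr_t x10 = (uintptr_t)*slot0;
	return x10 ? x10 + index : 0;
}

/* Fixed emission:  add x10,x1,x10 ; lsl x11,x2,#3 ; ldr x11,[x10,x11]
 * x10 becomes &arr->ptrs and x11 the byte offset index * 8. */
static uintptr_t fixed_slot_addr(const struct fake_bpf_array *arr, uint64_t index)
{
	uintptr_t x10 = (uintptr_t)arr + offsetof(struct fake_bpf_array, ptrs);
	uintptr_t x11 = index << 3;
	return x10 + x11;
}

/* The prog pointer the fixed sequence actually loads (what cbz then tests). */
static void *fixed_load(const struct fake_bpf_array *arr, uint64_t index)
{
	return *(void **)fixed_slot_addr(arr, index);
}
```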