* [PATCH bpf-next] bpf: fix verifier GPF in kmalloc failure path
@ 2018-01-08 15:51 Alexei Starovoitov
2018-01-08 17:33 ` Daniel Borkmann
From: Alexei Starovoitov @ 2018-01-08 15:51 UTC (permalink / raw)
To: davem; +Cc: daniel, netdev, kernel-team
From: Alexei Starovoitov <ast@fb.com>
syzbot reported the following panic in the verifier triggered
by kmalloc error injection:
kasan: GPF could be caused by NULL-ptr deref or user memory access
RIP: 0010:copy_func_state kernel/bpf/verifier.c:403 [inline]
RIP: 0010:copy_verifier_state+0x364/0x590 kernel/bpf/verifier.c:431
Call Trace:
pop_stack+0x8c/0x270 kernel/bpf/verifier.c:449
push_stack kernel/bpf/verifier.c:491 [inline]
check_cond_jmp_op kernel/bpf/verifier.c:3598 [inline]
do_check+0x4b60/0xa050 kernel/bpf/verifier.c:4731
bpf_check+0x3296/0x58c0 kernel/bpf/verifier.c:5489
bpf_prog_load+0xa2a/0x1b00 kernel/bpf/syscall.c:1198
SYSC_bpf kernel/bpf/syscall.c:1807 [inline]
SyS_bpf+0x1044/0x4420 kernel/bpf/syscall.c:1769
When copy_verifier_state() aborts in the middle due to a kmalloc failure,
some of the frames could have been partially copied, while the
current free_verifier_state() loop
for (i = 0; i <= state->curframe; i++)
assumed that all frames are non-null.
Simply fix it by adding 'if (!state)' to free_func_state().
Also, to avoid stressing the copy-frame logic more if kzalloc fails
in push_stack(), free env->cur_state right away.
Reported-by: syzbot+32ac5a3e473f2e01cfc7@syzkaller.appspotmail.com
Reported-by: syzbot+fa99e24f3c29d269a7d5@syzkaller.appspotmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---
kernel/bpf/verifier.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a2b211262c25..d921ab387b0b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -375,6 +375,8 @@ static int realloc_func_state(struct bpf_func_state *state, int size,
static void free_func_state(struct bpf_func_state *state)
{
+ if (!state)
+ return;
kfree(state->stack);
kfree(state);
}
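Review bot: the added `if (!state)` guard needs a one-line comment saying why a NULL frame is legal here, namely that copy_verifier_state() can fail after allocating only some of the frames, so the `for (i = 0; i <= state->curframe; i++)` loop in free_verifier_state() hands this function NULL entries. Without that comment the check reads as redundant with kfree()'s own NULL tolerance, while the actual hazard is the `kfree(state->stack)` dereference rather than the `kfree(state)` call, and a later cleanup could drop the guard and reintroduce the GPF.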
@@ -487,6 +489,8 @@ static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
}
return &elem->st;
err:
+ free_verifier_state(env->cur_state, true);
+ env->cur_state = NULL;
/* pop all elements and return */
while (!pop_stack(env, NULL, NULL));
return NULL;
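Review bot: the new `free_verifier_state(env->cur_state, true); env->cur_state = NULL;` pair depends on pop_stack() tolerating a NULL env->cur_state, because the reported trace shows pop_stack() reaching copy_verifier_state() and the unchanged `while (!pop_stack(env, NULL, NULL));` runs immediately after the free; a short comment on the err label stating that pop_stack() skips the copy when cur_state is NULL would make the dependency explicit. It is also worth confirming that the callers reaching this path from do_check()/bpf_check() treat the NULL return as fatal for the load and do not touch env->cur_state again before their own cleanup, since before this change cur_state was left intact on failure.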
--
2.9.5
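The failure mode the commit message describes, as an added example that is not part of the patch or of the kernel: a constructed C model of copy_verifier_state() and free_verifier_state() driven by a fault-injecting allocator. The struct layouts, the xalloc()/xfree() allocator, the static cur_state and push_with_fault() are assumptions made for the demonstration; only the function names and the shape of the free loop follow the verifier. It shows that after a failed copy the frame[] slots past the failure point are NULL while curframe already claims them, that the patched free_func_state() tolerates this, and that no allocation leaks at any injection point.

```c
/* Model of the verifier's state copy/free path under allocation faults. Constructed
 * example, not the kernel's code: names follow kernel/bpf/verifier.c, the rest is simplified. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FRAMES 8
struct func_state { int *stack; int allocated; };
struct verifier_state { struct func_state *frame[MAX_FRAMES]; int curframe; };

/* Constructed fault injection: the fail_at-th xalloc() returns NULL, as kmalloc
 * did under syzbot's error injection; live_allocs counts what is still allocated. */
static int fail_at, alloc_count, live_allocs;

static void *xalloc(size_t sz)
{
	void *p = (fail_at && ++alloc_count == fail_at) ? NULL : calloc(1, sz);
	live_allocs += p != NULL;
	return p;
}
static void xfree(void *p) { live_allocs -= p != NULL; free(p); }

/* The fixed helper: NULL is legal after a partial copy. Without the check,
 * state->stack is read through a NULL pointer, which is the reported GPF. */
static void free_func_state(struct func_state *state)
{
	if (!state)
		return;
	xfree(state->stack);
	xfree(state);
}

/* The loop quoted in the commit message: every slot up to curframe is visited. */
static void free_verifier_state(struct verifier_state *state, int free_self)
{
	for (int i = 0; i <= state->curframe; i++) {
		free_func_state(state->frame[i]);
		state->frame[i] = NULL;
	}
	if (free_self)
		xfree(state);
}

static int copy_func_state(struct func_state *dst, const struct func_state *src)
{
	int *stack = xalloc(src->allocated * sizeof(*stack));
	if (!stack)
		return -ENOMEM;
	memcpy(stack, src->stack, src->allocated * sizeof(*stack));
	dst->stack = stack;	/* dst is always a fresh, zeroed frame in this model */
	dst->allocated = src->allocated;
	return 0;
}

/* curframe is set before the frames are copied, so bailing out on the first
 * failed allocation leaves the remaining frame[] slots NULL. */
static int copy_verifier_state(struct verifier_state *dst, const struct verifier_state *src)
{
	dst->curframe = src->curframe;
	for (int i = 0; i <= src->curframe; i++) {
		if (!dst->frame[i] && !(dst->frame[i] = xalloc(sizeof(struct func_state))))
			return -ENOMEM;
		int err = copy_func_state(dst->frame[i], src->frame[i]);
		if (err)
			return err;
	}
	return 0;
}

/* Constructed 3-frame state standing in for env->cur_state. */
static int stk0[4] = {1, 2, 3, 4}, stk1[4] = {5, 6, 7, 8}, stk2[4] = {9, 10, 11, 12};
static struct func_state fr0 = {stk0, 4}, fr1 = {stk1, 4}, fr2 = {stk2, 4};
static const struct verifier_state cur_state = {{&fr0, &fr1, &fr2}, 2};

/* Simulates push_stack() copying cur_state into a fresh element with the fail_after-th
 * allocation failing (0 = none). Returns the copy's error; *null_frames counts the NULL
 * slots an unchecked free loop would dereference, *leaked the allocations left live. */
static int push_with_fault(int fail_after, int *null_frames, int *leaked)
{
	struct verifier_state *elem;
	int err = -ENOMEM;

	*null_frames = *leaked = alloc_count = live_allocs = 0;
	fail_at = fail_after;
	if ((elem = xalloc(sizeof(*elem)))) {
		err = copy_verifier_state(elem, &cur_state);
		for (int i = 0; err && i <= elem->curframe; i++)
			*null_frames += elem->frame[i] == NULL;
		free_verifier_state(elem, 1);	/* must tolerate a partial copy */
	}
	fail_at = 0;
	*leaked = live_allocs;
	return err;
}

int main(void)
{
	for (int n = 0; n <= 8; n++) {
		int nulls, leaked, err = push_with_fault(n, &nulls, &leaked);
		printf("fail_at=%d err=%d null_frames=%d leaked=%d\n", n, err, nulls, leaked);
	}
	return 0;
}
```

Run as is, it prints one line per injection point. In the model a three-frame copy performs seven allocations: the element itself, then a func_state and its stack for each frame. Failing allocation 2 therefore leaves all three frame slots NULL, failing allocation 7 leaves none, and every run ends with leaked=0. Removing the NULL check from free_func_state() makes the same runs dereference NULL at the first empty slot, which is the crash in the report.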
* Re: [PATCH bpf-next] bpf: fix verifier GPF in kmalloc failure path
2018-01-08 15:51 [PATCH bpf-next] bpf: fix verifier GPF in kmalloc failure path Alexei Starovoitov
@ 2018-01-08 17:33 ` Daniel Borkmann
From: Daniel Borkmann @ 2018-01-08 17:33 UTC (permalink / raw)
To: Alexei Starovoitov, davem; +Cc: netdev, kernel-team
On 01/08/2018 04:51 PM, Alexei Starovoitov wrote:
> From: Alexei Starovoitov <ast@fb.com>
>
> syzbot reported the following panic in the verifier triggered
> by kmalloc error injection:
>
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> RIP: 0010:copy_func_state kernel/bpf/verifier.c:403 [inline]
> RIP: 0010:copy_verifier_state+0x364/0x590 kernel/bpf/verifier.c:431
> Call Trace:
> pop_stack+0x8c/0x270 kernel/bpf/verifier.c:449
> push_stack kernel/bpf/verifier.c:491 [inline]
> check_cond_jmp_op kernel/bpf/verifier.c:3598 [inline]
> do_check+0x4b60/0xa050 kernel/bpf/verifier.c:4731
> bpf_check+0x3296/0x58c0 kernel/bpf/verifier.c:5489
> bpf_prog_load+0xa2a/0x1b00 kernel/bpf/syscall.c:1198
> SYSC_bpf kernel/bpf/syscall.c:1807 [inline]
> SyS_bpf+0x1044/0x4420 kernel/bpf/syscall.c:1769
>
> When copy_verifier_state() aborts in the middle due to a kmalloc failure,
> some of the frames could have been partially copied, while the
> current free_verifier_state() loop
> for (i = 0; i <= state->curframe; i++)
> assumed that all frames are non-null.
> Simply fix it by adding 'if (!state)' to free_func_state().
> Also, to avoid stressing the copy-frame logic more if kzalloc fails
> in push_stack(), free env->cur_state right away.
>
> Reported-by: syzbot+32ac5a3e473f2e01cfc7@syzkaller.appspotmail.com
> Reported-by: syzbot+fa99e24f3c29d269a7d5@syzkaller.appspotmail.com
> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Applied to bpf-next with Fixes tags, thanks Alexei!
* [PATCH bpf-next] bpf: fix verifier GPF in kmalloc failure path
@ 2018-01-05 20:57 Alexei Starovoitov
From: Alexei Starovoitov @ 2018-01-05 20:57 UTC (permalink / raw)
To: David S . Miller; +Cc: Daniel Borkmann, netdev
syzbot reported the following panic in the verifier triggered
by kmalloc error injection:
kasan: GPF could be caused by NULL-ptr deref or user memory access
RIP: 0010:copy_func_state kernel/bpf/verifier.c:403 [inline]
RIP: 0010:copy_verifier_state+0x364/0x590 kernel/bpf/verifier.c:431
Call Trace:
pop_stack+0x8c/0x270 kernel/bpf/verifier.c:449
push_stack kernel/bpf/verifier.c:491 [inline]
check_cond_jmp_op kernel/bpf/verifier.c:3598 [inline]
do_check+0x4b60/0xa050 kernel/bpf/verifier.c:4731
bpf_check+0x3296/0x58c0 kernel/bpf/verifier.c:5489
bpf_prog_load+0xa2a/0x1b00 kernel/bpf/syscall.c:1198
SYSC_bpf kernel/bpf/syscall.c:1807 [inline]
SyS_bpf+0x1044/0x4420 kernel/bpf/syscall.c:1769
When copy_verifier_state() aborts in the middle due to a kmalloc failure,
some of the frames could have been partially copied, while the
current free_verifier_state() loop
for (i = 0; i <= state->curframe; i++)
assumed that all frames are non-null.
Simply fix it by adding 'if (!state)' to free_func_state().
Also, to avoid stressing the copy-frame logic more if kzalloc fails
in push_stack(), free env->cur_state right away.
Reported-by: syzbot+32ac5a3e473f2e01cfc7@syzkaller.appspotmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---
kernel/bpf/verifier.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a2b211262c25..d921ab387b0b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -375,6 +375,8 @@ static int realloc_func_state(struct bpf_func_state *state, int size,
static void free_func_state(struct bpf_func_state *state)
{
+ if (!state)
+ return;
kfree(state->stack);
kfree(state);
}
@@ -487,6 +489,8 @@ static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
}
return &elem->st;
err:
+ free_verifier_state(env->cur_state, true);
+ env->cur_state = NULL;
/* pop all elements and return */
while (!pop_stack(env, NULL, NULL));
return NULL;
--
2.9.5