From: Kurt Manucredo <fuzzybritches0@gmail.com>
To: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com
Cc: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org, daniel@iogearbox.net, davem@davemloft.net, hawk@kernel.org, john.fastabend@gmail.com, kafai@fb.com, kpsingh@kernel.org, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, songliubraving@fb.com, syzkaller-bugs@googlegroups.com, yhs@fb.com, nathan@kernel.org, ndesaulniers@google.com, clang-built-linux@googlegroups.com, linux-kernel-mentees@lists.linuxfoundation.org, skhan@linuxfoundation.org, gregkh@linuxfoundation.org, Kurt Manucredo <fuzzybritches0@gmail.com>
Subject: [PATCH v3] bpf: core: fix shift-out-of-bounds in ___bpf_prog_run
Date: Wed, 2 Jun 2021 21:27:26 +0000
Message-ID: <20210602212726.7-1-fuzzybritches0@gmail.com>
In-Reply-To: <000000000000c2987605be907e41@google.com>

UBSAN: shift-out-of-bounds in kernel/bpf/core.c:1414:2
shift exponent 248 is too large for 32-bit type 'unsigned int'

Reported-and-tested-by: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com
Signed-off-by: Kurt Manucredo <fuzzybritches0@gmail.com>
---
https://syzkaller.appspot.com/bug?id=edb51be4c9a320186328893287bb30d5eed09231

Changelog:
----------
v3 - Make it clearer what the fix is for.
v2 - Fix shift-out-of-bounds in ___bpf_prog_run() by adding boundary
     check in check_alu_op() in verifier.c.
v1 - Fix shift-out-of-bounds in ___bpf_prog_run() by adding boundary
     check in ___bpf_prog_run().

Hi everyone, I hope this fixes it!

kind regards

 kernel/bpf/verifier.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 94ba5163d4c5..04e3bf344ecd 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7880,13 +7880,25 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) return -EINVAL; } - if ((opcode == BPF_LSH || opcode == BPF_RSH || - opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) { + if (opcode == BPF_LSH || opcode == BPF_RSH || + opcode == BPF_ARSH) { int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32; - if (insn->imm < 0 || insn->imm >= size) { - verbose(env, "invalid shift %d\n", insn->imm); - return -EINVAL; + if (BPF_SRC(insn->code) == BPF_K) { + if (insn->imm < 0 || insn->imm >= size) { + verbose(env, "invalid shift %d\n", insn->imm); + return -EINVAL; + } + } + if (BPF_SRC(insn->code) == BPF_X) { + struct bpf_reg_state *src_reg; + + src_reg = ®s[insn->src_reg]; + if (src_reg->umax_value >= size) { + verbose(env, "invalid shift %lld\n", + src_reg->umax_value); + return -EINVAL; + } } } -- 2.30.2
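Review bot: the new BPF_X branch rejects every shift whose source register has `umax_value >= size`, which is broader than the reported bug: umax_value is the verifier's upper bound, so any register it cannot bound below 32 or 64 (including a register with a fully unknown value) now fails verification with "invalid shift", even when the program would never shift by that much at runtime. That turns previously accepted programs into -EINVAL, and neither the subject prefix ("bpf: core:", although the change is in verifier.c) nor the commit body says why a verification-time rejection was chosen over the runtime handling the v1 changelog entry mentions; the commit message should state the new rule and its effect on existing programs. Two smaller points in the same hunk: umax_value is an unsigned maximum, so the verbose() format should be `%llu` rather than `%lld`, and the assignment renders here as `src_reg = ®s[insn->src_reg];`, which reads like `&regs[...]` mangled by entity decoding and is worth confirming against the raw patch.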