From: Kurt Manucredo <fuzzybritches0@gmail.com>
To: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com
Cc: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
daniel@iogearbox.net, davem@davemloft.net, hawk@kernel.org,
john.fastabend@gmail.com, kafai@fb.com, kpsingh@kernel.org,
kuba@kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, songliubraving@fb.com,
syzkaller-bugs@googlegroups.com, yhs@fb.com, nathan@kernel.org,
ndesaulniers@google.com, clang-built-linux@googlegroups.com,
linux-kernel-mentees@lists.linuxfoundation.org,
skhan@linuxfoundation.org, gregkh@linuxfoundation.org,
Kurt Manucredo <fuzzybritches0@gmail.com>
Subject: [PATCH v3] bpf: core: fix shift-out-of-bounds in ___bpf_prog_run
Date: Wed, 2 Jun 2021 21:27:26 +0000 [thread overview]
Message-ID: <20210602212726.7-1-fuzzybritches0@gmail.com> (raw)
In-Reply-To: <000000000000c2987605be907e41@google.com>
UBSAN: shift-out-of-bounds in kernel/bpf/core.c:1414:2
shift exponent 248 is too large for 32-bit type 'unsigned int'
Reported-and-tested-by: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com
Signed-off-by: Kurt Manucredo <fuzzybritches0@gmail.com>
---
https://syzkaller.appspot.com/bug?id=edb51be4c9a320186328893287bb30d5eed09231
Changelog:
----------
v3 - Make it clearer what the fix is for.
v2 - Fix shift-out-of-bounds in ___bpf_prog_run() by adding boundary
check in check_alu_op() in verifier.c.
v1 - Fix shift-out-of-bounds in ___bpf_prog_run() by adding boundary
check in ___bpf_prog_run().
Hi everyone,
I hope this fixes it!
kind regards
kernel/bpf/verifier.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 94ba5163d4c5..04e3bf344ecd 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7880,13 +7880,25 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
return -EINVAL;
}
- if ((opcode == BPF_LSH || opcode == BPF_RSH ||
- opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
+ if (opcode == BPF_LSH || opcode == BPF_RSH ||
+ opcode == BPF_ARSH) {
int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
- if (insn->imm < 0 || insn->imm >= size) {
- verbose(env, "invalid shift %d\n", insn->imm);
- return -EINVAL;
+ if (BPF_SRC(insn->code) == BPF_K) {
+ if (insn->imm < 0 || insn->imm >= size) {
+ verbose(env, "invalid shift %d\n", insn->imm);
+ return -EINVAL;
+ }
+ }
+ if (BPF_SRC(insn->code) == BPF_X) {
+ struct bpf_reg_state *src_reg;
+
+ src_reg = ®s[insn->src_reg];
+ if (src_reg->umax_value >= size) {
+ verbose(env, "invalid shift %lld\n",
+ src_reg->umax_value);
+ return -EINVAL;
+ }
}
}
--
2.30.2
WARNING: multiple messages have this Message-ID (diff)
From: Kurt Manucredo <fuzzybritches0@gmail.com>
To: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com
Cc: songliubraving@fb.com, ast@kernel.org, daniel@iogearbox.net,
john.fastabend@gmail.com, andrii@kernel.org,
clang-built-linux@googlegroups.com, yhs@fb.com,
linux-kernel-mentees@lists.linuxfoundation.org, hawk@kernel.org,
syzkaller-bugs@googlegroups.com, kpsingh@kernel.org,
nathan@kernel.org, kuba@kernel.org, ndesaulniers@google.com,
linux-kernel@vger.kernel.org, davem@davemloft.net,
netdev@vger.kernel.org, bpf@vger.kernel.org, kafai@fb.com
Subject: [PATCH v3] bpf: core: fix shift-out-of-bounds in ___bpf_prog_run
Date: Wed, 2 Jun 2021 21:27:26 +0000 [thread overview]
Message-ID: <20210602212726.7-1-fuzzybritches0@gmail.com> (raw)
In-Reply-To: <000000000000c2987605be907e41@google.com>
UBSAN: shift-out-of-bounds in kernel/bpf/core.c:1414:2
shift exponent 248 is too large for 32-bit type 'unsigned int'
Reported-and-tested-by: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com
Signed-off-by: Kurt Manucredo <fuzzybritches0@gmail.com>
---
https://syzkaller.appspot.com/bug?id=edb51be4c9a320186328893287bb30d5eed09231
Changelog:
----------
v3 - Make it clearer what the fix is for.
v2 - Fix shift-out-of-bounds in ___bpf_prog_run() by adding boundary
check in check_alu_op() in verifier.c.
v1 - Fix shift-out-of-bounds in ___bpf_prog_run() by adding boundary
check in ___bpf_prog_run().
Hi everyone,
I hope this fixes it!
kind regards
kernel/bpf/verifier.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 94ba5163d4c5..04e3bf344ecd 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7880,13 +7880,25 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
return -EINVAL;
}
- if ((opcode == BPF_LSH || opcode == BPF_RSH ||
- opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
+ if (opcode == BPF_LSH || opcode == BPF_RSH ||
+ opcode == BPF_ARSH) {
int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
- if (insn->imm < 0 || insn->imm >= size) {
- verbose(env, "invalid shift %d\n", insn->imm);
- return -EINVAL;
+ if (BPF_SRC(insn->code) == BPF_K) {
+ if (insn->imm < 0 || insn->imm >= size) {
+ verbose(env, "invalid shift %d\n", insn->imm);
+ return -EINVAL;
+ }
+ }
+ if (BPF_SRC(insn->code) == BPF_X) {
+ struct bpf_reg_state *src_reg;
+
+ src_reg = ®s[insn->src_reg];
+ if (src_reg->umax_value >= size) {
+ verbose(env, "invalid shift %lld\n",
+ src_reg->umax_value);
+ return -EINVAL;
+ }
}
}
--
2.30.2
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
next prev parent reply other threads:[~2021-06-02 21:30 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-10 16:05 [syzbot] UBSAN: shift-out-of-bounds in ___bpf_prog_run syzbot
2021-03-28 3:38 ` syzbot
2021-06-02 21:27 ` Kurt Manucredo [this message]
2021-06-02 21:27 ` [PATCH v3] bpf: core: fix " Kurt Manucredo
2021-06-03 4:43 ` Greg KH
2021-06-03 4:43 ` Greg KH
2021-06-05 15:01 ` [PATCH v4] " Kurt Manucredo
2021-06-05 15:01 ` Kurt Manucredo
2021-06-05 17:55 ` Yonghong Song
2021-06-05 17:55 ` Yonghong Song via Linux-kernel-mentees
2021-06-05 19:10 ` Alexei Starovoitov
2021-06-05 19:10 ` Alexei Starovoitov
2021-06-05 21:39 ` Yonghong Song
2021-06-05 21:39 ` Yonghong Song via Linux-kernel-mentees
2021-06-06 19:44 ` Kurt Manucredo
2021-06-06 19:44 ` Kurt Manucredo
2021-06-07 7:38 ` Dmitry Vyukov
2021-06-07 7:38 ` Dmitry Vyukov
2021-06-07 7:38 ` Dmitry Vyukov via Linux-kernel-mentees
2021-06-09 18:20 ` Kees Cook
2021-06-09 18:20 ` Kees Cook
2021-06-09 23:40 ` Yonghong Song
2021-06-09 23:40 ` Yonghong Song via Linux-kernel-mentees
2021-06-10 5:32 ` Dmitry Vyukov
2021-06-10 5:32 ` Dmitry Vyukov
2021-06-10 5:32 ` Dmitry Vyukov via Linux-kernel-mentees
2021-06-10 6:06 ` Yonghong Song
2021-06-10 6:06 ` Yonghong Song via Linux-kernel-mentees
2021-06-10 17:06 ` Kees Cook
2021-06-10 17:06 ` Kees Cook
2021-06-10 17:52 ` Alexei Starovoitov
2021-06-10 17:52 ` Alexei Starovoitov
2021-06-10 17:52 ` Alexei Starovoitov
2021-06-10 20:00 ` Eric Biggers
2021-06-10 20:00 ` Eric Biggers
2021-06-15 16:42 ` [PATCH v5] " Kurt Manucredo
2021-06-15 18:51 ` Edward Cree
2021-06-15 19:33 ` Eric Biggers
2021-06-15 21:08 ` Daniel Borkmann
2021-06-15 21:32 ` Eric Biggers
2021-06-15 21:38 ` Eric Biggers
2021-06-15 21:54 ` Daniel Borkmann
2021-06-15 22:07 ` Eric Biggers
2021-06-15 22:31 ` Kurt Manucredo
2021-06-17 10:09 ` Daniel Borkmann
2021-06-06 19:15 ` [PATCH v4] " Kurt Manucredo
2021-06-06 19:15 ` Kurt Manucredo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210602212726.7-1-fuzzybritches0@gmail.com \
--to=fuzzybritches0@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=clang-built-linux@googlegroups.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=hawk@kernel.org \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=netdev@vger.kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=songliubraving@fb.com \
--cc=syzbot+bed360704c521841c85d@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.