All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH net-next] bpf: fix verifier NULL pointer dereference
@ 2017-11-02 14:21 Craig Gallek
  2017-11-02 15:07 ` Alexei Starovoitov
  2017-11-02 15:18 ` [PATCH net-next v2] " Craig Gallek
  0 siblings, 2 replies; 7+ messages in thread
From: Craig Gallek @ 2017-11-02 14:21 UTC (permalink / raw)
  To: Alexei Starovoitov, David S . Miller; +Cc: netdev

From: Craig Gallek <kraig@google.com>

do_check() can fail early without allocating env->cur_state under
memory pressure.  Syzkaller found the stack below on the linux-next
tree because of this.

  kasan: CONFIG_KASAN_INLINE enabled
  kasan: GPF could be caused by NULL-ptr deref or user memory access
  general protection fault: 0000 [#1] SMP KASAN
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Modules linked in:
  CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  task: ffff8801c2c74700 task.stack: ffff8801c3e28000
  RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline]
  RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533
  RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202
  RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000
  RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380
  RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f
  R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28
  R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20
  FS:  00007f311079b700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166
   SYSC_bpf kernel/bpf/syscall.c:1690 [inline]
   SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652
   entry_SYSCALL_64_fastpath+0x1f/0xbe
  RIP: 0033:0x452869
  RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
  RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869
  RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005
  RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550
  R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000
  Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26
  RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP: ffff8801c3e2f5c8
  RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP: ffff8801c3e2f5c8
  ---[ end trace c8d37f339dc64004 ]---

Fixes: 638f5b90d460 ("bpf: reduce verifier memory consumption")
Fixes: 1969db47f8d0 ("bpf: fix verifier memory leaks")
Signed-off-by: Craig Gallek <kraig@google.com>
---
 kernel/bpf/verifier.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 530b68550fd2..199ae7ccb2b7 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4530,8 +4530,10 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
 	env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
 
 	ret = do_check(env);
-	free_verifier_state(env->cur_state, true);
-	env->cur_state = NULL;
+	if (env->cur_state) {
+		free_verifier_state(env->cur_state, true);
+		env->cur_state = NULL;
+	}
 
 skip_full_check:
 	while (!pop_stack(env, NULL, NULL));
-- 
2.15.0.403.gc27cc4dac6-goog

^ permalink raw reply related	[flat|nested] 7+ messages in thread
* Re: [PATCH net-next] bpf: fix verifier NULL pointer dereference
  2017-11-02 14:21 [PATCH net-next] bpf: fix verifier NULL pointer dereference Craig Gallek
@ 2017-11-02 15:07 ` Alexei Starovoitov
  2017-11-02 15:12   ` Craig Gallek
  2017-11-02 15:18 ` [PATCH net-next v2] " Craig Gallek
  1 sibling, 1 reply; 7+ messages in thread
From: Alexei Starovoitov @ 2017-11-02 15:07 UTC (permalink / raw)
  To: Craig Gallek, David S . Miller; +Cc: netdev

On 11/2/17 7:21 AM, Craig Gallek wrote:
> From: Craig Gallek <kraig@google.com>
>
> do_check() can fail early without allocating env->cur_state under
> memory pressure.  Syzkaller found the stack below on the linux-next
> tree because of this.
>
>   kasan: CONFIG_KASAN_INLINE enabled
>   kasan: GPF could be caused by NULL-ptr deref or user memory access
>   general protection fault: 0000 [#1] SMP KASAN
>   Dumping ftrace buffer:
>      (ftrace buffer empty)
>   Modules linked in:
>   CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106
>   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>   task: ffff8801c2c74700 task.stack: ffff8801c3e28000
>   RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline]
>   RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533
>   RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202
>   RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000
>   RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380
>   RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f
>   R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28
>   R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20
>   FS:  00007f311079b700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>   CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0
>   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>   Call Trace:
>    bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166
>    SYSC_bpf kernel/bpf/syscall.c:1690 [inline]
>    SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652
>    entry_SYSCALL_64_fastpath+0x1f/0xbe
>   RIP: 0033:0x452869
>   RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
>   RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869
>   RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005
>   RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000
>   R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550
>   R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000
>   Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26
>   RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP: ffff8801c3e2f5c8
>   RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP: ffff8801c3e2f5c8
>   ---[ end trace c8d37f339dc64004 ]---
>
> Fixes: 638f5b90d460 ("bpf: reduce verifier memory consumption")
> Fixes: 1969db47f8d0 ("bpf: fix verifier memory leaks")
> Signed-off-by: Craig Gallek <kraig@google.com>
> ---
>  kernel/bpf/verifier.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 530b68550fd2..199ae7ccb2b7 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -4530,8 +4530,10 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
>  	env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
>
>  	ret = do_check(env);
> -	free_verifier_state(env->cur_state, true);
> -	env->cur_state = NULL;
> +	if (env->cur_state) {
> +		free_verifier_state(env->cur_state, true);
> +		env->cur_state = NULL;
> +	}

right. good catch. similar fix needed in bpf_analyzer()
Can you respin with fix for both?

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH net-next] bpf: fix verifier NULL pointer dereference
  2017-11-02 15:07 ` Alexei Starovoitov
@ 2017-11-02 15:12   ` Craig Gallek
  0 siblings, 0 replies; 7+ messages in thread
From: Craig Gallek @ 2017-11-02 15:12 UTC (permalink / raw)
  To: Alexei Starovoitov; +Cc: David S . Miller, netdev

On Thu, Nov 2, 2017 at 11:07 AM, Alexei Starovoitov <ast@fb.com> wrote:
> On 11/2/17 7:21 AM, Craig Gallek wrote:
>>
>> From: Craig Gallek <kraig@google.com>
>>
>> do_check() can fail early without allocating env->cur_state under
>> memory pressure.  Syzkaller found the stack below on the linux-next
>> tree because of this.
>>
>>   kasan: CONFIG_KASAN_INLINE enabled
>>   kasan: GPF could be caused by NULL-ptr deref or user memory access
>>   general protection fault: 0000 [#1] SMP KASAN
>>   Dumping ftrace buffer:
>>      (ftrace buffer empty)
>>   Modules linked in:
>>   CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106
>>   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>>   task: ffff8801c2c74700 task.stack: ffff8801c3e28000
>>   RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline]
>>   RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533
>>   RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202
>>   RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000
>>   RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380
>>   RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f
>>   R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28
>>   R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20
>>   FS:  00007f311079b700(0000) GS:ffff8801db300000(0000)
>> knlGS:0000000000000000
>>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>   CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0
>>   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>>   Call Trace:
>>    bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166
>>    SYSC_bpf kernel/bpf/syscall.c:1690 [inline]
>>    SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652
>>    entry_SYSCALL_64_fastpath+0x1f/0xbe
>>   RIP: 0033:0x452869
>>   RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
>>   RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869
>>   RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005
>>   RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000
>>   R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550
>>   R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000
>>   Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00
>> 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00
>> 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26
>>   RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP:
>> ffff8801c3e2f5c8
>>   RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP:
>> ffff8801c3e2f5c8
>>   ---[ end trace c8d37f339dc64004 ]---
>>
>> Fixes: 638f5b90d460 ("bpf: reduce verifier memory consumption")
>> Fixes: 1969db47f8d0 ("bpf: fix verifier memory leaks")
>> Signed-off-by: Craig Gallek <kraig@google.com>
>> ---
>>  kernel/bpf/verifier.c | 6 ++++--
>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index 530b68550fd2..199ae7ccb2b7 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -4530,8 +4530,10 @@ int bpf_check(struct bpf_prog **prog, union
>> bpf_attr *attr)
>>         env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
>>
>>         ret = do_check(env);
>> -       free_verifier_state(env->cur_state, true);
>> -       env->cur_state = NULL;
>> +       if (env->cur_state) {
>> +               free_verifier_state(env->cur_state, true);
>> +               env->cur_state = NULL;
>> +       }
>
>
> right. good catch. similar fix needed in bpf_analyzer()
> Can you respin with fix for both?

I swear I had that in my test tree ;)  Sending now...

^ permalink raw reply	[flat|nested] 7+ messages in thread
* [PATCH net-next v2] bpf: fix verifier NULL pointer dereference
  2017-11-02 14:21 [PATCH net-next] bpf: fix verifier NULL pointer dereference Craig Gallek
  2017-11-02 15:07 ` Alexei Starovoitov
@ 2017-11-02 15:18 ` Craig Gallek
  2017-11-02 15:28   ` Alexei Starovoitov
                     ` (2 more replies)
  1 sibling, 3 replies; 7+ messages in thread
From: Craig Gallek @ 2017-11-02 15:18 UTC (permalink / raw)
  To: Alexei Starovoitov, David S . Miller; +Cc: netdev

From: Craig Gallek <kraig@google.com>

do_check() can fail early without allocating env->cur_state under
memory pressure.  Syzkaller found the stack below on the linux-next
tree because of this.

  kasan: CONFIG_KASAN_INLINE enabled
  kasan: GPF could be caused by NULL-ptr deref or user memory access
  general protection fault: 0000 [#1] SMP KASAN
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Modules linked in:
  CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  task: ffff8801c2c74700 task.stack: ffff8801c3e28000
  RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline]
  RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533
  RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202
  RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000
  RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380
  RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f
  R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28
  R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20
  FS:  00007f311079b700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166
   SYSC_bpf kernel/bpf/syscall.c:1690 [inline]
   SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652
   entry_SYSCALL_64_fastpath+0x1f/0xbe
  RIP: 0033:0x452869
  RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
  RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869
  RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005
  RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550
  R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000
  Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26
  RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP: ffff8801c3e2f5c8
  RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP: ffff8801c3e2f5c8
  ---[ end trace c8d37f339dc64004 ]---

Fixes: 638f5b90d460 ("bpf: reduce verifier memory consumption")
Fixes: 1969db47f8d0 ("bpf: fix verifier memory leaks")
Signed-off-by: Craig Gallek <kraig@google.com>
---
 kernel/bpf/verifier.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

v2:
  Forgot second spot for the same bug in bpf_analyzer (from Alexei).

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 530b68550fd2..624aee966ab5 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4530,8 +4530,10 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
 	env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
 
 	ret = do_check(env);
-	free_verifier_state(env->cur_state, true);
-	env->cur_state = NULL;
+	if (env->cur_state) {
+		free_verifier_state(env->cur_state, true);
+		env->cur_state = NULL;
+	}
 
 skip_full_check:
 	while (!pop_stack(env, NULL, NULL));
@@ -4637,8 +4639,10 @@ int bpf_analyzer(struct bpf_prog *prog, const struct bpf_ext_analyzer_ops *ops,
 	env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
 
 	ret = do_check(env);
-	free_verifier_state(env->cur_state, true);
-	env->cur_state = NULL;
+	if (env->cur_state) {
+		free_verifier_state(env->cur_state, true);
+		env->cur_state = NULL;
+	}
 
 skip_full_check:
 	while (!pop_stack(env, NULL, NULL));
-- 
2.15.0.403.gc27cc4dac6-goog

^ permalink raw reply related	[flat|nested] 7+ messages in thread
* Re: [PATCH net-next v2] bpf: fix verifier NULL pointer dereference
  2017-11-02 15:18 ` [PATCH net-next v2] " Craig Gallek
@ 2017-11-02 15:28   ` Alexei Starovoitov
  2017-11-02 22:22   ` Daniel Borkmann
  2017-11-03  6:50   ` David Miller
  2 siblings, 0 replies; 7+ messages in thread
From: Alexei Starovoitov @ 2017-11-02 15:28 UTC (permalink / raw)
  To: Craig Gallek, David S . Miller; +Cc: netdev

On 11/2/17 8:18 AM, Craig Gallek wrote:
> From: Craig Gallek <kraig@google.com>
>
> do_check() can fail early without allocating env->cur_state under
> memory pressure.  Syzkaller found the stack below on the linux-next
> tree because of this.
>
>   kasan: CONFIG_KASAN_INLINE enabled
>   kasan: GPF could be caused by NULL-ptr deref or user memory access
>   general protection fault: 0000 [#1] SMP KASAN
>   Dumping ftrace buffer:
>      (ftrace buffer empty)
>   Modules linked in:
>   CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106
>   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>   task: ffff8801c2c74700 task.stack: ffff8801c3e28000
>   RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline]
>   RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533
>   RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202
>   RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000
>   RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380
>   RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f
>   R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28
>   R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20
>   FS:  00007f311079b700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>   CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0
>   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>   Call Trace:
>    bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166
>    SYSC_bpf kernel/bpf/syscall.c:1690 [inline]
>    SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652
>    entry_SYSCALL_64_fastpath+0x1f/0xbe
>   RIP: 0033:0x452869
>   RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
>   RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869
>   RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005
>   RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000
>   R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550
>   R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000
>   Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26
>   RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP: ffff8801c3e2f5c8
>   RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP: ffff8801c3e2f5c8
>   ---[ end trace c8d37f339dc64004 ]---
>
> Fixes: 638f5b90d460 ("bpf: reduce verifier memory consumption")
> Fixes: 1969db47f8d0 ("bpf: fix verifier memory leaks")
> Signed-off-by: Craig Gallek <kraig@google.com>

Acked-by: Alexei Starovoitov <ast@kernel.org>

Thanks!

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH net-next v2] bpf: fix verifier NULL pointer dereference
  2017-11-02 15:18 ` [PATCH net-next v2] " Craig Gallek
  2017-11-02 15:28   ` Alexei Starovoitov
@ 2017-11-02 22:22   ` Daniel Borkmann
  2017-11-03  6:50   ` David Miller
  2 siblings, 0 replies; 7+ messages in thread
From: Daniel Borkmann @ 2017-11-02 22:22 UTC (permalink / raw)
  To: Craig Gallek, Alexei Starovoitov, David S . Miller; +Cc: netdev

On 11/02/2017 04:18 PM, Craig Gallek wrote:
> From: Craig Gallek <kraig@google.com>
>
> do_check() can fail early without allocating env->cur_state under
> memory pressure.  Syzkaller found the stack below on the linux-next
> tree because of this.
>
>    kasan: CONFIG_KASAN_INLINE enabled
>    kasan: GPF could be caused by NULL-ptr deref or user memory access
>    general protection fault: 0000 [#1] SMP KASAN
>    Dumping ftrace buffer:
>       (ftrace buffer empty)
>    Modules linked in:
>    CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106
>    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>    task: ffff8801c2c74700 task.stack: ffff8801c3e28000
>    RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline]
>    RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533
>    RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202
>    RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000
>    RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380
>    RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f
>    R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28
>    R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20
>    FS:  00007f311079b700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
>    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>    CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0
>    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>    Call Trace:
>     bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166
>     SYSC_bpf kernel/bpf/syscall.c:1690 [inline]
>     SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652
>     entry_SYSCALL_64_fastpath+0x1f/0xbe
>    RIP: 0033:0x452869
>    RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
>    RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869
>    RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005
>    RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000
>    R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550
>    R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000
>    Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26
>    RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP: ffff8801c3e2f5c8
>    RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP: ffff8801c3e2f5c8
>    ---[ end trace c8d37f339dc64004 ]---
>
> Fixes: 638f5b90d460 ("bpf: reduce verifier memory consumption")
> Fixes: 1969db47f8d0 ("bpf: fix verifier memory leaks")
> Signed-off-by: Craig Gallek <kraig@google.com>

Acked-by: Daniel Borkmann <daniel@iogearbox.net>

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH net-next v2] bpf: fix verifier NULL pointer dereference
  2017-11-02 15:18 ` [PATCH net-next v2] " Craig Gallek
  2017-11-02 15:28   ` Alexei Starovoitov
  2017-11-02 22:22   ` Daniel Borkmann
@ 2017-11-03  6:50   ` David Miller
  2 siblings, 0 replies; 7+ messages in thread
From: David Miller @ 2017-11-03  6:50 UTC (permalink / raw)
  To: kraigatgoog; +Cc: ast, netdev

From: Craig Gallek <kraigatgoog@gmail.com>
Date: Thu,  2 Nov 2017 11:18:01 -0400

> From: Craig Gallek <kraig@google.com>
> 
> do_check() can fail early without allocating env->cur_state under
> memory pressure.  Syzkaller found the stack below on the linux-next
> tree because of this.
 ...
> Fixes: 638f5b90d460 ("bpf: reduce verifier memory consumption")
> Fixes: 1969db47f8d0 ("bpf: fix verifier memory leaks")
> Signed-off-by: Craig Gallek <kraig@google.com>

Applied, thanks Craig.

^ permalink raw reply	[flat|nested] 7+ messages in thread
end of thread, other threads:[~2017-11-03  6:50 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-02 14:21 [PATCH net-next] bpf: fix verifier NULL pointer dereference Craig Gallek
2017-11-02 15:07 ` Alexei Starovoitov
2017-11-02 15:12   ` Craig Gallek
2017-11-02 15:18 ` [PATCH net-next v2] " Craig Gallek
2017-11-02 15:28   ` Alexei Starovoitov
2017-11-02 22:22   ` Daniel Borkmann
2017-11-03  6:50   ` David Miller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.