From: Yu Xu <xuyu@linux.alibaba.com>
To: Daniel Borkmann <daniel@iogearbox.net>,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] bpf: do not restore dst_reg when cur_state is freed
Date: Thu, 21 Mar 2019 17:28:41 +0800 [thread overview]
Message-ID: <b51889f6-6696-4e51-d63f-e5c70e109710@linux.alibaba.com> (raw)
In-Reply-To: <fe7367c5-b172-709f-1ba2-61136a74081e@iogearbox.net>
On 3/21/19 4:50 PM, Daniel Borkmann wrote:
> On 03/21/2019 09:31 AM, Xu Yu wrote:
>> Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug.
>> Call trace:
>> dump_stack+0xbf/0x12e
>> print_address_description+0x6a/0x280
>> kasan_report+0x237/0x360
>> sanitize_ptr_alu+0x85a/0x8d0
>> adjust_ptr_min_max_vals+0x8f2/0x1ca0
>> adjust_reg_min_max_vals+0x8ed/0x22e0
>> do_check+0x1ca6/0x5d00
>> bpf_check+0x9ca/0x2570
>> bpf_prog_load+0xc91/0x1030
>> __se_sys_bpf+0x61e/0x1f00
>> do_syscall_64+0xc8/0x550
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> Fault injection trace:
>> kfree+0xea/0x290
>> free_func_state+0x4a/0x60
>> free_verifier_state+0x61/0xe0
>> push_stack+0x216/0x2f0 <- inject failslab
>> sanitize_ptr_alu+0x2b1/0x8d0
>> adjust_ptr_min_max_vals+0x8f2/0x1ca0
>> adjust_reg_min_max_vals+0x8ed/0x22e0
>> do_check+0x1ca6/0x5d00
>> bpf_check+0x9ca/0x2570
>> bpf_prog_load+0xc91/0x1030
>> __se_sys_bpf+0x61e/0x1f00
>> do_syscall_64+0xc8/0x550
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> When kzalloc() fails in push_stack(), free_verifier_state() will free
>> current verifier state. As push_stack() returns, dst_reg was restored
>> if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg
>> is also freed, and error occurs when dereferencing dst_reg.
>>
>> Simply fix it by checking whether cur_state is NULL before retoring
>> dst_reg.
>>
>> Signed-off-by: Xu Yu <xuyu@linux.alibaba.com>
>> ---
>> kernel/bpf/verifier.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index ce166a0..018ce4f 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -3368,7 +3368,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
>> *dst_reg = *ptr_reg;
>> }
>> ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
>> - if (!ptr_is_dst_reg)
>> + if (!ptr_is_dst_reg && env->cur_state)
>> *dst_reg = tmp;
>
> Good catch, test should be more obvious rewritten as:
>
> if (!ptr_is_dst_reg && ret)
>
> Could you resubmit with that?
sure, will send patch v2 later.
thanks,
Yu
>
>> return !ret ? -EFAULT : 0;
>> }
>>
>
> Thanks,
> Daniel
>
next prev parent reply other threads:[~2019-03-21 9:28 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-21 8:31 [PATCH] bpf: do not restore dst_reg when cur_state is freed Xu Yu
2019-03-21 8:50 ` Daniel Borkmann
2019-03-21 9:28 ` Yu Xu [this message]
2019-03-21 10:00 ` [PATCH v2] " Xu Yu
2019-03-21 11:21 ` Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b51889f6-6696-4e51-d63f-e5c70e109710@linux.alibaba.com \
--to=xuyu@linux.alibaba.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.