From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Kumar Kartikeya Dwivedi <memxor@gmail.com>,
Hao Luo <haoluo@google.com>, Alexei Starovoitov <ast@kernel.org>
Subject: [PATCH 5.15 11/33] bpf: Fix crash due to out of bounds access into reg2btf_ids.
Date: Fri, 29 Apr 2022 12:41:58 +0200 [thread overview]
Message-ID: <20220429104052.672989921@linuxfoundation.org> (raw)
In-Reply-To: <20220429104052.345760505@linuxfoundation.org>
From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
commit 45ce4b4f9009102cd9f581196d480a59208690c1 upstream
When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added
kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier
reg type to the appropriate btf_vmlinux BTF ID, however
commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after
the base register types, and defined other variants using type flag
composition. However, now, the direct usage of reg->type to index into
reg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to
out of bounds access and kernel crash on dereference of bad pointer.
[backport note: commit 3363bd0cfbb80 ("bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM
argument support") was introduced after 5.15 and contains an out of bound
reg2btf_ids access. Since that commit hasn't been backported, this patch
doesn't include fix to that access. If we backport that commit in future,
we need to fix its faulting access as well.]
Fixes: c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Hao Luo <haoluo@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20220216201943.624869-1-memxor@gmail.com
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/btf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -5510,9 +5510,9 @@ static int btf_check_func_arg_match(stru
if (reg->type == PTR_TO_BTF_ID) {
reg_btf = reg->btf;
reg_ref_id = reg->btf_id;
- } else if (reg2btf_ids[reg->type]) {
+ } else if (reg2btf_ids[base_type(reg->type)]) {
reg_btf = btf_vmlinux;
- reg_ref_id = *reg2btf_ids[reg->type];
+ reg_ref_id = *reg2btf_ids[base_type(reg->type)];
} else {
bpf_log(log, "kernel function %s args#%d expected pointer to %s %s but R%d is not a pointer to btf_id\n",
func_name, i,
next prev parent reply other threads:[~2022-04-29 10:43 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-29 10:41 [PATCH 5.15 00/33] 5.15.37-rc1 review Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 5.15 01/33] floppy: disable FDRAWCMD by default Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 5.15 02/33] bpf: Introduce composable reg, ret and arg types Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 5.15 03/33] bpf: Replace ARG_XXX_OR_NULL with ARG_XXX | PTR_MAYBE_NULL Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 5.15 04/33] bpf: Replace RET_XXX_OR_NULL with RET_XXX " Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 5.15 05/33] bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX " Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 5.15 06/33] bpf: Introduce MEM_RDONLY flag Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 5.15 07/33] bpf: Convert PTR_TO_MEM_OR_NULL to composable types Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 5.15 08/33] bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 5.15 09/33] bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem Greg Kroah-Hartman
2022-04-29 10:41 ` [PATCH 5.15 10/33] bpf/selftests: Test PTR_TO_RDONLY_MEM Greg Kroah-Hartman
2022-04-29 10:41 ` Greg Kroah-Hartman [this message]
2022-04-29 10:41 ` [PATCH 5.15 12/33] spi: cadence-quadspi: fix write completion support Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 13/33] ARM: dts: socfpga: change qspi to "intel,socfpga-qspi" Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 14/33] mm: kfence: fix objcgs vector allocation Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 15/33] gup: Turn fault_in_pages_{readable,writeable} into fault_in_{readable,writeable} Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 16/33] iov_iter: Turn iov_iter_fault_in_readable into fault_in_iov_iter_readable Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 17/33] iov_iter: Introduce fault_in_iov_iter_writeable Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 18/33] gfs2: Add wrapper for iomap_file_buffered_write Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 19/33] gfs2: Clean up function may_grant Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 20/33] gfs2: Introduce flag for glock holder auto-demotion Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 21/33] gfs2: Move the inode glock locking to gfs2_file_buffered_write Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 22/33] gfs2: Eliminate ip->i_gh Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 23/33] gfs2: Fix mmap + page fault deadlocks for buffered I/O Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 24/33] iomap: Fix iomap_dio_rw return value for user copies Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 25/33] iomap: Support partial direct I/O on user copy failures Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 26/33] iomap: Add done_before argument to iomap_dio_rw Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 27/33] gup: Introduce FOLL_NOFAULT flag to disable page faults Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 28/33] iov_iter: Introduce nofault " Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 29/33] gfs2: Fix mmap + page fault deadlocks for direct I/O Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 30/33] btrfs: fix deadlock due to page faults during direct IO reads and writes Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 31/33] btrfs: fallback to blocking mode when doing async dio over multiple extents Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 32/33] mm: gup: make fault_in_safe_writeable() use fixup_user_fault() Greg Kroah-Hartman
2022-04-29 10:42 ` [PATCH 5.15 33/33] selftests/bpf: Add test for reg2btf_ids out of bounds access Greg Kroah-Hartman
2022-06-24 10:33 ` Po-Hsu Lin
2022-06-24 11:09 ` Greg Kroah-Hartman
2022-07-01 12:51 ` Po-Hsu Lin
2022-04-29 16:39 ` [PATCH 5.15 00/33] 5.15.37-rc1 review Florian Fainelli
2022-04-29 18:36 ` Shuah Khan
2022-04-29 21:14 ` Naresh Kamboju
2022-04-29 23:47 ` Guenter Roeck
2022-04-29 23:54 ` Ron Economos
2022-04-30 10:17 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220429104052.672989921@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ast@kernel.org \
--cc=haoluo@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=memxor@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).