From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Xu Yu <xuyu@linux.alibaba.com>,
Daniel Borkmann <daniel@iogearbox.net>
Subject: [PATCH 4.14 87/92] bpf: do not restore dst_reg when cur_state is freed
Date: Thu, 18 Apr 2019 19:57:45 +0200 [thread overview]
Message-ID: <20190418160438.102407405@linuxfoundation.org> (raw)
In-Reply-To: <20190418160430.325165109@linuxfoundation.org>
From: Xu Yu <xuyu@linux.alibaba.com>
commit 0803278b0b4d8eeb2b461fb698785df65a725d9e upstream.
Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug.
Call trace:
dump_stack+0xbf/0x12e
print_address_description+0x6a/0x280
kasan_report+0x237/0x360
sanitize_ptr_alu+0x85a/0x8d0
adjust_ptr_min_max_vals+0x8f2/0x1ca0
adjust_reg_min_max_vals+0x8ed/0x22e0
do_check+0x1ca6/0x5d00
bpf_check+0x9ca/0x2570
bpf_prog_load+0xc91/0x1030
__se_sys_bpf+0x61e/0x1f00
do_syscall_64+0xc8/0x550
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fault injection trace:
kfree+0xea/0x290
free_func_state+0x4a/0x60
free_verifier_state+0x61/0xe0
push_stack+0x216/0x2f0 <- inject failslab
sanitize_ptr_alu+0x2b1/0x8d0
adjust_ptr_min_max_vals+0x8f2/0x1ca0
adjust_reg_min_max_vals+0x8ed/0x22e0
do_check+0x1ca6/0x5d00
bpf_check+0x9ca/0x2570
bpf_prog_load+0xc91/0x1030
__se_sys_bpf+0x61e/0x1f00
do_syscall_64+0xc8/0x550
entry_SYSCALL_64_after_hwframe+0x49/0xbe
When kzalloc() fails in push_stack(), free_verifier_state() will free
current verifier state. As push_stack() returns, dst_reg was restored
if ptr_is_dst_reg is false. However, as member of the cur_state,
dst_reg is also freed, and error occurs when dereferencing dst_reg.
Simply fix it by testing ret of push_stack() before restoring dst_reg.
Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic")
Signed-off-by: Xu Yu <xuyu@linux.alibaba.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/verifier.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2118,7 +2118,7 @@ do_sim:
*dst_reg = *ptr_reg;
}
ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
- if (!ptr_is_dst_reg)
+ if (!ptr_is_dst_reg && ret)
*dst_reg = tmp;
return !ret ? -EFAULT : 0;
}
next prev parent reply other threads:[~2019-04-18 18:23 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-18 17:56 [PATCH 4.14 00/92] 4.14.113-stable review Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 01/92] ARC: u-boot args: check that magic number is correct Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 02/92] arc: hsdk_defconfig: Enable CONFIG_BLK_DEV_RAM Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 03/92] perf/core: Restore mmap record type correctly Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 04/92] ext4: add missing brelse() in add_new_gdb_meta_bg() Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 05/92] ext4: report real fs size after failed resize Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 06/92] ALSA: echoaudio: add a check for ioremap_nocache Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 07/92] ALSA: sb8: add a check for request_region Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 08/92] auxdisplay: hd44780: Fix memory leak on ->remove() Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 09/92] IB/mlx4: Fix race condition between catas error reset and aliasguid flows Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 10/92] mmc: davinci: remove extraneous __init annotation Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 11/92] ALSA: opl3: fix mismatch between snd_opl3_drum_switch definition and declaration Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 12/92] thermal/intel_powerclamp: fix __percpu declaration of worker_data Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 13/92] thermal: bcm2835: Fix crash in bcm2835_thermal_debugfs Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 14/92] thermal/int340x_thermal: Add additional UUIDs Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 15/92] thermal/int340x_thermal: fix mode setting Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 16/92] thermal/intel_powerclamp: fix truncated kthread name Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 17/92] scsi: iscsi: flush running unbind operations when removing a session Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 18/92] x86/mm: Dont leak kernel addresses Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 19/92] tools/power turbostat: return the exit status of a command Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 20/92] perf list: Dont forget to drop the reference to the allocated thread_map Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 21/92] perf config: Fix an error in the config template documentation Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 22/92] perf config: Fix a memory leak in collect_config() Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 23/92] perf build-id: Fix memory leak in print_sdt_events() Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 24/92] perf top: Fix error handling in cmd_top() Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 25/92] perf hist: Add missing map__put() in error case Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 26/92] perf evsel: Free evsel->counts in perf_evsel__exit() Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 27/92] perf tests: Fix a memory leak of cpu_map object in the openat_syscall_event_on_all_cpus test Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 28/92] perf tests: Fix memory leak by expr__find_other() in test__expr() Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 29/92] perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test() Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 30/92] irqchip/mbigen: Dont clear eventid when freeing an MSI Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 31/92] x86/hpet: Prevent potential NULL pointer dereference Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 32/92] x86/cpu/cyrix: Use correct macros for Cyrix calls on Geode processors Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 33/92] drm/nouveau/debugfs: Fix check of pm_runtime_get_sync failure Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 34/92] iommu/vt-d: Check capability before disabling protected memory Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 35/92] x86/hw_breakpoints: Make default case in hw_breakpoint_arch_parse() return an error Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 36/92] fix incorrect error code mapping for OBJECTID_NOT_FOUND Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 37/92] ext4: prohibit fstrim in norecovery mode Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 38/92] gpio: pxa: handle corner case of unprobed device Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 39/92] rsi: improve kernel thread handling to fix kernel panic Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 40/92] 9p: do not trust pdu content for stat item size Greg Kroah-Hartman
2019-04-18 17:56 ` [PATCH 4.14 41/92] 9p locks: add mount option for lock retry interval Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 42/92] f2fs: fix to do sanity check with current segment number Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 43/92] netfilter: xt_cgroup: shrink size of v2 path Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 44/92] serial: uartps: console_setup() cant be placed to init section Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 45/92] powerpc/pseries: Remove prrn_work workqueue Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 46/92] media: au0828: cannot kfree dev before usb disconnect Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 47/92] HID: i2c-hid: override HID descriptors for certain devices Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 48/92] ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 49/92] usbip: fix vhci_hcd controller counting Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 50/92] ACPI / SBS: Fix GPE storm on recent MacBookPros Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 51/92] KVM: nVMX: restore host state in nested_vmx_vmexit for VMFail Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 52/92] compiler.h: update definition of unreachable() Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 53/92] cifs: fallback to older infolevels on findfirst queryinfo retry Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 54/92] kernel: hung_task.c: disable on suspend Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 55/92] crypto: sha256/arm - fix crash bug in Thumb2 build Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 56/92] crypto: sha512/arm " Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 57/92] iommu/dmar: Fix buffer overflow during PCI bus notification Greg Kroah-Hartman
2019-04-18 18:14 ` Gustavo A. R. Silva
2019-04-18 17:57 ` [PATCH 4.14 58/92] soc/tegra: pmc: Drop locking from tegra_powergate_is_powered() Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 59/92] lkdtm: Print real addresses Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 60/92] lkdtm: Add tests for NULL pointer dereference Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 61/92] drm/panel: panel-innolux: set display off in innolux_panel_unprepare Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 62/92] crypto: axis - fix for recursive locking from bottom half Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 63/92] Revert "ACPI / EC: Remove old CLEAR_ON_RESUME quirk" Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 64/92] coresight: cpu-debug: Support for CA73 CPUs Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 65/92] drm/nouveau/volt/gf117: fix speedo readout register Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 66/92] ARM: 8839/1: kprobe: make patch_lock a raw_spinlock_t Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 67/92] drm/amdkfd: use init_mqd function to allocate object for hid_mqd (CI) Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 68/92] appletalk: Fix use-after-free in atalk_proc_exit Greg Kroah-Hartman
2019-04-18 20:14 ` Sudip Mukherjee
2019-04-19 13:39 ` Sasha Levin
2019-04-18 17:57 ` [PATCH 4.14 69/92] lib/div64.c: off by one in shift Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 70/92] include/linux/swap.h: use offsetof() instead of custom __swapoffset macro Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 71/92] bpf: fix use after free in bpf_evict_inode Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 72/92] dm: disable CRYPTO_TFM_REQ_MAY_SLEEP to fix a GFP_KERNEL recursion deadlock Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 73/92] bpf: reduce verifier memory consumption Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 74/92] bpf: fix verifier memory leaks Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 75/92] bpf: fix verifier NULL pointer dereference Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 76/92] bpf: fix stack state printing in verifier log Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 77/92] bpf: move {prev_,}insn_idx into verifier env Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 78/92] bpf: move tmp variable into ax register in interpreter Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 79/92] bpf: enable access to ax register also from verifier rewrite Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 80/92] bpf: restrict map value pointer arithmetic for unprivileged Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 81/92] bpf: restrict stack " Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 82/92] bpf: restrict unknown scalars of mixed signed bounds " Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 83/92] bpf: fix check_map_access smin_value test when pointer contains offset Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 84/92] bpf: prevent out of bounds speculation on pointer arithmetic Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 85/92] bpf: fix sanitation of alu op with pointer / scalar type from different paths Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 86/92] bpf: fix inner map masking to prevent oob under speculation Greg Kroah-Hartman
2019-04-18 17:57 ` Greg Kroah-Hartman [this message]
2019-04-18 17:57 ` [PATCH 4.14 88/92] bpf: fix sanitation rewrite in case of non-pointers Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 89/92] bpf: Fix selftests are changes for CVE 2019-7308 Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 90/92] tools include: Adopt linux/bits.h Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 91/92] net: stmmac: Set dma ring length before enabling the DMA Greg Kroah-Hartman
2019-04-18 17:57 ` [PATCH 4.14 92/92] [PATCH 4.19.y 2/2] mm: hide incomplete nr_indirectly_reclaimable in sysfs Greg Kroah-Hartman
2019-04-19 7:00 ` [PATCH 4.14 00/92] 4.14.113-stable review Naresh Kamboju
2019-04-19 10:08 ` Jon Hunter
2019-04-19 14:23 ` shuah
2019-04-19 19:39 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190418160438.102407405@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=daniel@iogearbox.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=xuyu@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).