stable.vger.kernel.org archive mirror
From: Hao Luo <haoluo@google.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	laura@labbott.name, Kumar Kartikeya Dwivedi <memxor@gmail.com>,
	stable@vger.kernel.org, Hao Luo <haoluo@google.com>
Subject: [PATCH stable linux-5.15.y 10/10] bpf: Fix crash due to out of bounds access into reg2btf_ids.
Date: Thu, 28 Apr 2022 16:57:51 -0700
Message-ID: <20220428235751.103203-11-haoluo@google.com>
In-Reply-To: <20220428235751.103203-1-haoluo@google.com>

From: Kumar Kartikeya Dwivedi <memxor@gmail.com>

commit 45ce4b4f9009102cd9f581196d480a59208690c1 upstream

When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added
kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier
reg type to the appropriate btf_vmlinux BTF ID, however
commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after
the base register types, and defined other variants using type flag
composition. However, now, the direct usage of reg->type to index into
reg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to
out of bounds access and kernel crash on dereference of bad pointer.

[backport note: commit 3363bd0cfbb80 ("bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM
 argument support") was introduced after 5.15 and contains an out of bound
 reg2btf_ids access. Since that commit hasn't been backported, this patch
 doesn't include fix to that access. If we backport that commit in future,
 we need to fix its faulting access as well.]

Fixes: c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Hao Luo <haoluo@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20220216201943.624869-1-memxor@gmail.com
Cc: stable@vger.kernel.org # v5.15+
---
 kernel/bpf/btf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index ba471f38bb4d..40df35088cdb 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -5510,9 +5510,9 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
 			if (reg->type == PTR_TO_BTF_ID) {
 				reg_btf = reg->btf;
 				reg_ref_id = reg->btf_id;
-			} else if (reg2btf_ids[reg->type]) {
+			} else if (reg2btf_ids[base_type(reg->type)]) {
 				reg_btf = btf_vmlinux;
-				reg_ref_id = *reg2btf_ids[reg->type];
+				reg_ref_id = *reg2btf_ids[base_type(reg->type)];
 			} else {
 				bpf_log(log, "kernel function %s args#%d expected pointer to %s %s but R%d is not a pointer to btf_id\n",
 					func_name, i,
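
Review bot: the `else if (reg2btf_ids[base_type(reg->type)])` branch now matches flagged variants as well as the plain base types, and nothing in the visible hunk rejects them. base_type() keeps the index inside the table, which fixes the out-of-bounds read, but it also discards the flag bits, so a register typed as a base pointer type combined with PTR_MAYBE_NULL (the composition the commit message describes) resolves to the same reg2btf_ids entry as its non-NULL form and is assigned btf_vmlinux and a reg_ref_id as if it were known to be valid. Unless a check outside this hunk already refuses flagged registers for kfunc arguments, consider requiring `!type_flag(reg->type)` alongside the table lookup so that a possibly-NULL or otherwise flagged pointer falls through to the existing "is not a pointer to btf_id" error path. A short comment at the lookup stating that reg2btf_ids is sized by __BPF_REG_TYPE_MAX and must only be indexed with base_type() would also help the future backport of the second access mentioned in the backport note.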
-- 
2.36.0.464.gb9c8b46e94-goog


Thread overview: 13+ messages
2022-04-28 23:57 [PATCH stable linux-5.15.y 00/10] Fix bpf mem read/write vulnerability Hao Luo
2022-04-28 23:57 ` [PATCH stable linux-5.15.y 01/10] bpf: Introduce composable reg, ret and arg types Hao Luo
2022-04-28 23:57 ` [PATCH stable linux-5.15.y 02/10] bpf: Replace ARG_XXX_OR_NULL with ARG_XXX | PTR_MAYBE_NULL Hao Luo
2022-04-28 23:57 ` [PATCH stable linux-5.15.y 03/10] bpf: Replace RET_XXX_OR_NULL with RET_XXX " Hao Luo
2022-04-28 23:57 ` [PATCH stable linux-5.15.y 04/10] bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX " Hao Luo
2022-04-28 23:57 ` [PATCH stable linux-5.15.y 05/10] bpf: Introduce MEM_RDONLY flag Hao Luo
2022-04-28 23:57 ` [PATCH stable linux-5.15.y 06/10] bpf: Convert PTR_TO_MEM_OR_NULL to composable types Hao Luo
2022-04-28 23:57 ` [PATCH stable linux-5.15.y 07/10] bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM Hao Luo
2022-04-28 23:57 ` [PATCH stable linux-5.15.y 08/10] bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem Hao Luo
2022-04-28 23:57 ` [PATCH stable linux-5.15.y 09/10] bpf/selftests: Test PTR_TO_RDONLY_MEM Hao Luo
2022-04-28 23:57 ` Hao Luo [this message]
2022-04-29  9:01 ` [PATCH stable linux-5.15.y 00/10] Fix bpf mem read/write vulnerability Greg KH
2022-04-29 17:22   ` Hao Luo
