From: <gregkh@linuxfoundation.org>
To: daniel@iogearbox.net, ast@kernel.org, john.fastabend@gmail.com,
tr3e.wang@gmail.com
Cc: <stable@vger.kernel.org>
Subject: FAILED: patch "[PATCH] bpf: Fix out of bounds access for ringbuf helpers" failed to apply to 5.15-stable tree
Date: Mon, 24 Jan 2022 13:01:31 +0100 [thread overview]
Message-ID: <16430256912363@kroah.com> (raw)
The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 64620e0a1e712a778095bd35cbb277dc2259281f Mon Sep 17 00:00:00 2001
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Tue, 11 Jan 2022 14:43:41 +0000
Subject: [PATCH] bpf: Fix out of bounds access for ringbuf helpers
Both bpf_ringbuf_submit() and bpf_ringbuf_discard() have ARG_PTR_TO_ALLOC_MEM
in their bpf_func_proto definition as their first argument. They both expect
the result from a prior bpf_ringbuf_reserve() call which has a return type of
RET_PTR_TO_ALLOC_MEM_OR_NULL.
Meaning, after a NULL check in the code, the verifier will promote the register
type in the non-NULL branch to a PTR_TO_MEM and in the NULL branch to a known
zero scalar. Generally, pointer arithmetic on PTR_TO_MEM is allowed, so the
latter could have an offset.
The ARG_PTR_TO_ALLOC_MEM expects a PTR_TO_MEM register type. However, the non-zero
result from bpf_ringbuf_reserve() must be fed into either bpf_ringbuf_submit()
or bpf_ringbuf_discard(), but with the original offset given it will then read
out the struct bpf_ringbuf_hdr mapping.
The verifier failed to enforce a zero offset, so that an out of bounds access
can be triggered, which could be used to escalate privileges if unprivileged
BPF was enabled (disabled by default in the kernel).
Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
Reported-by: <tr3e.wang@gmail.com> (SecCoder Security Lab)
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e0b3f4d683eb..c72c57a6684f 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5318,9 +5318,15 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
case PTR_TO_BUF:
case PTR_TO_BUF | MEM_RDONLY:
case PTR_TO_STACK:
+ /* Some of the argument types nevertheless require a
+ * zero register offset.
+ */
+ if (arg_type == ARG_PTR_TO_ALLOC_MEM)
+ goto force_off_check;
break;
/* All the rest must be rejected: */
default:
+force_off_check:
err = __check_ptr_off_reg(env, reg, regno,
type == PTR_TO_BTF_ID);
if (err < 0)
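Review bot: the comment above `goto force_off_check` ("Some of the argument types nevertheless require a zero register offset") should name the type and the reason, since this is the whole point of the fix: for ARG_PTR_TO_ALLOC_MEM the consumers bpf_ringbuf_submit() and bpf_ringbuf_discard() locate struct bpf_ringbuf_hdr relative to the pointer that bpf_ringbuf_reserve() returned, so any register offset moves that header read off the reservation. Two smaller points on the same lines: the jump lands in the `default:` arm with `type` still PTR_TO_MEM, so the `type == PTR_TO_BTF_ID` argument to `__check_ptr_off_reg()` is false on this path; a word in the comment that the strict (non-BTF-ID) setting is intended for this arg type would save a reader from checking whether the ring buffer case was meant to get the relaxed treatment. And since the change is confined to kernel/bpf/verifier.c, a test_verifier case that feeds a reserve result with a non-zero offset into submit/discard and expects rejection would pin the new behaviour against future refactoring of this switch.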
Thread overview: 20+ messages
2022-01-24 12:01 gregkh [this message]
2024-04-17 23:35 ` [PATCH 5.15.y 0/5] Backport bounds checks for bpf Edward Liaw
2024-04-17 23:35 ` [PATCH 5.15.y 1/5] bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM argument support Edward Liaw
2024-04-17 23:35 ` [PATCH 5.15.y 2/5] bpf: Generalize check_ctx_reg for reuse with other types Edward Liaw
2024-04-17 23:35 ` [PATCH 5.15.y 3/5] bpf: Generally fix helper register offset check Edward Liaw
2024-04-17 23:35 ` [PATCH 5.15.y 4/5] bpf: Fix out of bounds access for ringbuf helpers Edward Liaw
2024-04-17 23:35 ` [PATCH 5.15.y 5/5] bpf: Fix ringbuf memory type confusion when passing to helpers Edward Liaw
2024-04-18 1:07 ` [PATCH 5.15.y v2 0/5] Backport bounds checks for bpf Edward Liaw
2024-04-18 1:07 ` [PATCH 5.15.y v2 1/5] bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM argument support Edward Liaw
2024-04-18 1:07 ` [PATCH 5.15.y v2 2/5] bpf: Generalize check_ctx_reg for reuse with other types Edward Liaw
2024-04-18 1:07 ` [PATCH 5.15.y v2 3/5] bpf: Generally fix helper register offset check Edward Liaw
2024-04-18 1:07 ` [PATCH 5.15.y v2 4/5] bpf: Fix out of bounds access for ringbuf helpers Edward Liaw
2024-04-18 1:07 ` [PATCH 5.15.y v2 5/5] bpf: Fix ringbuf memory type confusion when passing to helpers Edward Liaw
2024-04-18 23:19 ` [PATCH 5.15.y v3 0/5] Backport bounds checks for bpf Edward Liaw
2024-04-18 23:19 ` [PATCH 5.15.y v3 1/5] bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM argument support Edward Liaw
2024-04-18 23:19 ` [PATCH 5.15.y v3 2/5] bpf: Generalize check_ctx_reg for reuse with other types Edward Liaw
2024-04-18 23:19 ` [PATCH 5.15.y v3 3/5] bpf: Generally fix helper register offset check Edward Liaw
2024-04-18 23:19 ` [PATCH 5.15.y v3 4/5] bpf: Fix out of bounds access for ringbuf helpers Edward Liaw
2024-04-18 23:19 ` [PATCH 5.15.y v3 5/5] bpf: Fix ringbuf memory type confusion when passing to helpers Edward Liaw
2024-04-19 11:09 ` [PATCH 5.15.y v3 0/5] Backport bounds checks for bpf Greg KH