From: Eduard Zingerman <eddyz87@gmail.com>
To: Yonghong Song <yonghong.song@linux.dev>, bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
kernel-team@fb.com, Martin KaFai Lau <martin.lau@kernel.org>,
syzbot+ad9ec60c8eaf69e6f99c@syzkaller.appspotmail.com
Subject: Re: [PATCH bpf-next 1/2] bpf: Fail verification for sign-extension of packet data/data_end/data_meta
Date: Tue, 16 Jul 2024 12:49:56 -0700 [thread overview]
Message-ID: <593057cafca45b6c11a7aed7b459a2b0677d4f0d.camel@gmail.com> (raw)
In-Reply-To: <20240715201828.3235796-1-yonghong.song@linux.dev>
On Mon, 2024-07-15 at 13:18 -0700, Yonghong Song wrote:
> syzbot reported a kernel crash due to
> commit 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses").
> The reason is due to sign-extension of 32-bit load for
> packet data/data_end/data_meta uapi field.
>
> The original code looks like:
> r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */
> r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */
> r0 = r2
> r0 += 8
> if r3 > r0 goto +1
> ...
> Note that __sk_buff->data load has 32-bit sign extension.
[...]
> To fix this issue for case
> r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */
> this patch added additional checking in is_valid_access() callback
> function for packet data/data_end/data_meta access. If those accesses
> are with sign-extenstion, the verification will fail.
>
> [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/
>
> Reported-by: syzbot+ad9ec60c8eaf69e6f99c@syzkaller.appspotmail.com
> Fixes: 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses")
> Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
> ---
I looked through all context types and seems like only two types
identified in this patch use u32 values to obtain pointers:
- struct xdp_md fields: data, data_end, data_meta
- struct __sk_buff fields: data, data_end, data_meta
Double checked all locations where access to the above fields is
verified, every location is covered by is_ldsx check.
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
prev parent reply other threads:[~2024-07-16 19:50 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-15 20:18 [PATCH bpf-next 1/2] bpf: Fail verification for sign-extension of packet data/data_end/data_meta Yonghong Song
2024-07-15 20:18 ` [PATCH bpf-next 2/2] selftests/bpf: Add tests for ldsx of pkt data/data_end/data_meta accesses Yonghong Song
2024-07-16 19:54 ` Eduard Zingerman
2024-07-16 22:32 ` Yonghong Song
2024-07-16 19:49 ` Eduard Zingerman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=593057cafca45b6c11a7aed7b459a2b0677d4f0d.camel@gmail.com \
--to=eddyz87@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@fb.com \
--cc=martin.lau@kernel.org \
--cc=syzbot+ad9ec60c8eaf69e6f99c@syzkaller.appspotmail.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox