public inbox for bpf@vger.kernel.org
 help / color / mirror / Atom feed
From: Kees Cook <kees@kernel.org>
To: Stanislav Fomichev <sdf@google.com>, Hyunwoo Kim <v4bel@theori.io>
Cc: keescook@chromium.org, ast@kernel.org, daniel@iogearbox.net,
	john.fastabend@gmail.com, andrii@kernel.org,
	martin.lau@linux.dev,
	syzbot+b1e1f7feb407b56d0355@syzkaller.appspotmail.com,
	bpf@vger.kernel.org
Subject: Re: [report] OOB in bpf_load_prog() flow
Date: Tue, 20 Dec 2022 11:08:11 -0800	[thread overview]
Message-ID: <AA40C8DF-45F6-4BFB-8A2D-F4714B754479@kernel.org> (raw)
In-Reply-To: <CAKH8qBuerUeU7M2x5cfjJUuSjNTZj84Hd5s+rLZ+h-XHG_a4GA@mail.gmail.com>

On December 20, 2022 9:32:51 AM PST, Stanislav Fomichev <sdf@google.com> wrote:
>On Tue, Dec 20, 2022 at 3:37 AM Hyunwoo Kim <v4bel@theori.io> wrote:
>>
>> On Mon, Dec 19, 2022 at 11:02:32AM -0800, sdf@google.com wrote:
>> > On 12/19, Hyunwoo Kim wrote:
>> > > Dear,
>> >
>> > > This slab-out-of-bounds occurs in the bpf_prog_load() flow:
>> > > https://syzkaller.appspot.com/text?tag=CrashLog&x=172e2510480000
>> >
>> > > I was able to trigger KASAN using this syz reproduce code:
[...]
>> >
>> > > IMHO, the root cause of this seems to be commit
>> > > ceb35b666d42c2e91b1f94aeca95bb5eb0943268.
>> >
>> > > Also, a user with permission to load a BPF program can use this OOB to
>> > > execute the desired code with kernel privileges.
>> >
>> > Let's CC Kees if you suspect the commit above. Maybe we can run
>> > with/without it to confirm?
>>
>> I built and tested each commit of 'kernel/bpf/verifier.c' that caused
>> OOB, but I couldn't find the commit that caused OOB.
>>
>> So, starting from upstream, I reversed commits one by one and
>> found the commit that triggers KASAN.
>>
>> As a result of testing, OOB is triggered from commit
>> 8fa590bf344816c925810331eea8387627bbeb40.
>>
>> However, this commit seems to be a kvm related patch,
>> not directly related to the bpf subsystem.
>>
>> IMHO, the cause of this seems to be one of these:
>> 1. I ran this KASAN test on a nested guest in L2. That is,
>> there is a problem with the kvm patch 8fa590bf34481.
>>
>> 2. Previously, the BPF subsystem had a patch that triggers KASAN,
>> and KASAN is induced when kvm is patched.
>>
>> 3. There was confusion in the .config I tested, so the wrong
>> patch was derived as a test result.
>>
>> I haven't been able to pinpoint what the root cause is yet.
>> So I didn't add a CC for 8fa590bf34481 commit.
>
>Thanks for the details! Even if this particular one is unrelated,
>there are a couple of reports which still somewhat look like they are
>related to commit ceb35b666d42 ("bpf/verifier: Use
>kmalloc_size_roundup() to match ksize() usage") ?
>
>https://lore.kernel.org/bpf/000000000000ab724705ee87e321@google.com/
>https://lore.kernel.org/bpf/000000000000269f9a05f02be9d8@google.com/

I suspect something is hitting array_resize() that wasn't maximal-bucket-size allocated. Does reverting 38931d8989b5760b0bd17c9ec99e81986258e4cb make it go away?


-- 
Kees Cook

  reply	other threads:[~2022-12-20 19:08 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-19 13:59 [report] OOB in bpf_load_prog() flow Hyunwoo Kim
2022-12-19 19:02 ` sdf
2022-12-20 11:37   ` Hyunwoo Kim
2022-12-20 17:32     ` Stanislav Fomichev
2022-12-20 19:08       ` Kees Cook [this message]
2022-12-20 21:03         ` Stanislav Fomichev
2022-12-23  9:45           ` Hyunwoo Kim
2022-12-23 18:31             ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=AA40C8DF-45F6-4BFB-8A2D-F4714B754479@kernel.org \
    --to=kees@kernel.org \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=john.fastabend@gmail.com \
    --cc=keescook@chromium.org \
    --cc=martin.lau@linux.dev \
    --cc=sdf@google.com \
    --cc=syzbot+b1e1f7feb407b56d0355@syzkaller.appspotmail.com \
    --cc=v4bel@theori.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox