From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Daniel Borkmann <daniel@iogearbox.net>,
John Fastabend <john.fastabend@gmail.com>,
Alexei Starovoitov <ast@kernel.org>,
Edward Liaw <edliaw@google.com>,
tr3e.wang@gmail.com
Subject: [PATCH 5.15 10/71] bpf: Fix out of bounds access for ringbuf helpers
Date: Tue, 23 Apr 2024 14:39:23 -0700 [thread overview]
Message-ID: <20240423213844.477417680@linuxfoundation.org> (raw)
In-Reply-To: <20240423213844.122920086@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
commit 64620e0a1e712a778095bd35cbb277dc2259281f upstream.
Both bpf_ringbuf_submit() and bpf_ringbuf_discard() have ARG_PTR_TO_ALLOC_MEM
in their bpf_func_proto definition as their first argument. They both expect
the result from a prior bpf_ringbuf_reserve() call which has a return type of
RET_PTR_TO_ALLOC_MEM_OR_NULL.
Meaning, after a NULL check in the code, the verifier will promote the register
type in the non-NULL branch to a PTR_TO_MEM and in the NULL branch to a known
zero scalar. Generally, pointer arithmetic on PTR_TO_MEM is allowed, so the
latter could have an offset.
The ARG_PTR_TO_ALLOC_MEM expects a PTR_TO_MEM register type. However, the non-
zero result from bpf_ringbuf_reserve() must be fed into either bpf_ringbuf_submit()
or bpf_ringbuf_discard() but with the original offset given it will then read
out the struct bpf_ringbuf_hdr mapping.
The verifier missed to enforce a zero offset, so that out of bounds access
can be triggered which could be used to escalate privileges if unprivileged
BPF was enabled (disabled by default in kernel).
Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
Reported-by: <tr3e.wang@gmail.com> (SecCoder Security Lab)
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Edward Liaw <edliaw@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/verifier.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5340,9 +5340,15 @@ static int check_func_arg(struct bpf_ver
case PTR_TO_BUF:
case PTR_TO_BUF | MEM_RDONLY:
case PTR_TO_STACK:
+ /* Some of the argument types nevertheless require a
+ * zero register offset.
+ */
+ if (arg_type == ARG_PTR_TO_ALLOC_MEM)
+ goto force_off_check;
break;
/* All the rest must be rejected: */
default:
+force_off_check:
err = __check_ptr_off_reg(env, reg, regno,
type == PTR_TO_BTF_ID);
if (err < 0)
next prev parent reply other threads:[~2024-04-23 21:46 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-23 21:39 [PATCH 5.15 00/71] 5.15.157-rc1 review Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 01/71] ksmbd: dont send oplock break if rename fails Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 02/71] ksmbd: validate payload size in ipc response Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 03/71] ksmbd: do not set SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1 Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 04/71] btrfs: record delayed inode root in transaction Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 05/71] SUNRPC: Fix rpcgss_context trace event acceptor field Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 06/71] selftests/ftrace: Limit length in subsystem-enable tests Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 07/71] bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM argument support Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 08/71] bpf: Generalize check_ctx_reg for reuse with other types Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 09/71] bpf: Generally fix helper register offset check Greg Kroah-Hartman
2024-04-23 21:39 ` Greg Kroah-Hartman [this message]
2024-04-23 21:39 ` [PATCH 5.15 11/71] bpf: Fix ringbuf memory type confusion when passing to helpers Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 12/71] kprobes: Fix possible use-after-free issue on kprobe registration Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 13/71] Revert "tracing/trigger: Fix to return error if failed to alloc snapshot" Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 14/71] Revert "lockd: introduce safe async lock op" Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 15/71] netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 16/71] netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 17/71] netfilter: br_netfilter: skip conntrack input hook for promisc packets Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 18/71] netfilter: nft_set_pipapo: do not free live element Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 19/71] netfilter: nf_flow_table: count pending offload workqueue tasks Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 20/71] netfilter: flowtable: validate pppoe header Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 21/71] netfilter: flowtable: incorrect pppoe tuple Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 22/71] af_unix: Call manage_oob() for every skb in unix_stream_read_generic() Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 23/71] af_unix: Dont peek OOB data without MSG_OOB Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 24/71] tun: limit printing rate when illegal packet received by tun dev Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 25/71] net: dsa: mt7530: fix mirroring frames received on local port Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 26/71] net: ethernet: ti: am65-cpsw-nuss: cleanup DMA Channels before using them Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 27/71] RDMA/rxe: Fix the problem "mutex_destroy missing" Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 28/71] RDMA/cm: Print the old state when cm_destroy_id gets timeout Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 29/71] RDMA/mlx5: Fix port number for counter query in multi-port configuration Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 30/71] s390/qdio: handle deferred cc1 Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 31/71] s390/cio: fix race condition during online processing Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 32/71] drm: nv04: Fix out of bounds access Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 33/71] drm/panel: visionox-rm69299: dont unregister DSI device Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 34/71] clk: Remove prepare_lock hold assertion in __clk_release() Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 35/71] clk: Mark all_lists as const Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 36/71] clk: remove extra empty line Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 37/71] clk: Print an info line before disabling unused clocks Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 38/71] clk: Initialize struct clk_core kref earlier Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 39/71] clk: Get runtime PM before walking tree during disable_unused Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 40/71] x86/bugs: Fix BHI retpoline check Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 41/71] x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 42/71] thunderbolt: Avoid notify PM core about runtime PM resume Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 43/71] thunderbolt: Fix wake configurations after device unplug Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 44/71] comedi: vmk80xx: fix incomplete endpoint checking Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 45/71] serial/pmac_zilog: Remove flawed mitigation for rx irq flood Greg Kroah-Hartman
2024-04-23 21:39 ` [PATCH 5.15 46/71] USB: serial: option: add Fibocom FM135-GL variants Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 47/71] USB: serial: option: add support for Fibocom FM650/FG650 Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 48/71] USB: serial: option: add Lonsung U8300/U9300 product Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 49/71] USB: serial: option: support Quectel EM060K sub-models Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 50/71] USB: serial: option: add Rolling RW101-GL and RW135-GL support Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 51/71] USB: serial: option: add Telit FN920C04 rmnet compositions Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 52/71] Revert "usb: cdc-wdm: close race between read and workqueue" Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 53/71] usb: dwc2: host: Fix dereference issue in DDMA completion flow Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 54/71] usb: Disable USB3 LPM at shutdown Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 55/71] usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 56/71] mei: me: disable RPL-S on SPS and IGN firmwares Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 57/71] speakup: Avoid crash on very long word Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 58/71] fs: sysfs: Fix reference leak in sysfs_break_active_protection() Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 59/71] KVM: x86: Snapshot if a vCPUs vendor model is AMD vs. Intel compatible Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 60/71] KVM: x86/pmu: Do not mask LVTPC when handling a PMI on AMD platforms Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 61/71] arm64: hibernate: Fix level3 translation fault in swsusp_save() Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 62/71] init/main.c: Fix potential static_command_line memory overflow Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 63/71] binder: check offset alignment in binder_get_object() Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 64/71] drm/amdgpu: validate the parameters of bo mapping operations more clearly Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 65/71] drm/vmwgfx: Sort primary plane formats by order of preference Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 66/71] nouveau: fix instmem race condition around ptr stores Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 67/71] nilfs2: fix OOB in nilfs_set_de_type Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 68/71] net: dsa: mt7530: set all CPU ports in MT7531_CPU_PMAP Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 69/71] net: dsa: introduce preferred_default_local_cpu_port and use on MT7530 Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 70/71] net: dsa: mt7530: fix improper frames on all 25MHz and 40MHz XTAL MT7530 Greg Kroah-Hartman
2024-04-23 21:40 ` [PATCH 5.15 71/71] net: dsa: mt7530: fix enabling EEE on MT7531 switch on all boards Greg Kroah-Hartman
2024-04-23 23:00 ` [PATCH 5.15 00/71] 5.15.157-rc1 review SeongJae Park
2024-04-23 23:32 ` Florian Fainelli
2024-04-24 7:25 ` Pavel Machek
2024-04-24 7:32 ` Pavel Machek
2024-04-24 7:57 ` Naresh Kamboju
2024-04-24 9:21 ` Peter Oberparleiter
2024-04-27 14:26 ` Greg Kroah-Hartman
2024-04-24 8:28 ` Ron Economos
2024-04-24 9:30 ` Harshit Mogalapalli
2024-04-25 8:59 ` Jon Hunter
2024-04-25 20:19 ` Shreeya Patel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240423213844.477417680@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=edliaw@google.com \
--cc=john.fastabend@gmail.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=tr3e.wang@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox