Message-ID: <737ae55d-3cd0-40fb-b3e9-3b676f1f735f@linux.dev>
Date: Mon, 8 Apr 2024 17:10:48 -0700
Subject: Re: [PATCH] bpf: dereference of null in __cgroup_bpf_query() function
From: Martin KaFai Lau
To: Mikhail Lobanov
Cc: Alexei Starovoitov, Andrii Nakryiko, Song Liu, Roman Gushchin, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
References: <20240406151457.4774-1-m.lobanov@rosalinux.ru>
In-Reply-To: <20240406151457.4774-1-m.lobanov@rosalinux.ru>

On 4/6/24 8:14 AM, Mikhail Lobanov wrote:
> In the __cgroup_bpf_query() function, it is possible to dereference
> the null pointer in the line id = prog->aux->id; since there is no
> check for a non-zero value of the variable prog.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: af6eea57437a ("bpf: Implement bpf_link-based cgroup BPF program attachment")
> Cc: stable@vger.kernel.org
> Signed-off-by: Mikhail Lobanov
> ---
> kernel/bpf/cgroup.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> index 491d20038cbe..7f2db96f0c6a 100644
> --- a/kernel/bpf/cgroup.c
> +++ b/kernel/bpf/cgroup.c
> @@ -1092,6 +1092,8 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr, > i = 0; > hlist_for_each_entry(pl, progs, node) { > prog = prog_list_prog(pl); > + if (!prog_list_prog(pl)) prog cannot be null. It is under cgroup_lock(). > + continue; > id = prog->aux->id; > if (copy_to_user(prog_ids + i, &id, sizeof(id))) > return -EFAULT;
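Review bot: The added `if (!prog_list_prog(pl)) continue;` guard in this hunk is dead code rather than a fix: as the maintainer reply interleaved in the hunk states, the list walk in __cgroup_bpf_query() runs under cgroup_lock() and `prog` cannot be NULL there, so the SVACE report is a false positive and the patch should be dropped rather than merged with a Fixes: tag and a Cc: stable@vger.kernel.org, which would trigger a needless stable backport of a no-op. If a defensive check were ever wanted, it should at least test the `prog` variable assigned on the line just above (`if (!prog)`) instead of calling prog_list_prog(pl) a second time, and a bare `continue` in a loop that fills a user-supplied array via copy_to_user(prog_ids + i, ...) would silently skip an entry, which is a worse failure mode than the oops the change is trying to avoid.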