From: Craig Gallek <kraigatgoog@gmail.com>
To: Alexei Starovoitov <ast@fb.com>,
"David S . Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Subject: [PATCH net-next v2] bpf: fix verifier NULL pointer dereference
Date: Thu, 2 Nov 2017 11:18:01 -0400 [thread overview]
Message-ID: <20171102151801.24500-1-kraigatgoog@gmail.com> (raw)
In-Reply-To: <20171102142119.13894-1-kraigatgoog@gmail.com>
From: Craig Gallek <kraig@google.com>
do_check() can fail early without allocating env->cur_state under
memory pressure. Syzkaller found the stack below on the linux-next
tree because of this.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801c2c74700 task.stack: ffff8801c3e28000
RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline]
RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533
RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000
RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380
RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f
R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28
R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20
FS: 00007f311079b700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166
SYSC_bpf kernel/bpf/syscall.c:1690 [inline]
SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x452869
RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869
RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005
RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550
R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000
Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26
RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP: ffff8801c3e2f5c8
RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP: ffff8801c3e2f5c8
---[ end trace c8d37f339dc64004 ]---
Fixes: 638f5b90d460 ("bpf: reduce verifier memory consumption")
Fixes: 1969db47f8d0 ("bpf: fix verifier memory leaks")
Signed-off-by: Craig Gallek <kraig@google.com>
---
kernel/bpf/verifier.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
v2:
Forgot second spot for the same bug in bpf_analyzer (from Alexei).
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 530b68550fd2..624aee966ab5 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4530,8 +4530,10 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
ret = do_check(env);
- free_verifier_state(env->cur_state, true);
- env->cur_state = NULL;
+ if (env->cur_state) {
+ free_verifier_state(env->cur_state, true);
+ env->cur_state = NULL;
+ }
skip_full_check:
while (!pop_stack(env, NULL, NULL));
@@ -4637,8 +4639,10 @@ int bpf_analyzer(struct bpf_prog *prog, const struct bpf_ext_analyzer_ops *ops,
env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
ret = do_check(env);
- free_verifier_state(env->cur_state, true);
- env->cur_state = NULL;
+ if (env->cur_state) {
+ free_verifier_state(env->cur_state, true);
+ env->cur_state = NULL;
+ }
skip_full_check:
while (!pop_stack(env, NULL, NULL));
--
2.15.0.403.gc27cc4dac6-goog
next prev parent reply other threads:[~2017-11-02 15:18 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-02 14:21 [PATCH net-next] bpf: fix verifier NULL pointer dereference Craig Gallek
2017-11-02 15:07 ` Alexei Starovoitov
2017-11-02 15:12 ` Craig Gallek
2017-11-02 15:18 ` Craig Gallek [this message]
2017-11-02 15:28 ` [PATCH net-next v2] " Alexei Starovoitov
2017-11-02 22:22 ` Daniel Borkmann
2017-11-03 6:50 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171102151801.24500-1-kraigatgoog@gmail.com \
--to=kraigatgoog@gmail.com \
--cc=ast@fb.com \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).