* [PATCH] bpf, arm64: Fix address emission with tag-based KASAN enabled
@ 2024-10-18 22:16 Peter Collingbourne
2024-10-19 9:24 ` Xu Kuohai
2024-10-21 7:50 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Peter Collingbourne @ 2024-10-18 22:16 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Puranjay Mohan, Xu Kuohai, Catalin Marinas, Will Deacon,
Jean-Philippe Brucker, bpf, linux-arm-kernel, linux-kernel
Cc: Peter Collingbourne, Alexander Potapenko, Andrey Konovalov,
stable
When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image
struct on the stack is passed during the size calculation pass and
an address on the heap is passed during code generation. This may
cause a heap buffer overflow if the heap address is tagged because
emit_a64_mov_i64() will emit longer code than it did during the size
calculation pass. The same problem could occur without tag-based
KASAN if one of the 16-bit words of the stack address happened to
be all-ones during the size calculation pass. Fix the problem by
assuming the worst case (4 instructions) when calculating the size
of the bpf_tramp_image address emission.
Fixes: 19d3c179a377 ("bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG")
Signed-off-by: Peter Collingbourne <pcc@google.com>
Link: https://linux-review.googlesource.com/id/I1496f2bc24fba7a1d492e16e2b94cf43714f2d3c
Cc: stable@vger.kernel.org
---
arch/arm64/net/bpf_jit_comp.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index 8bbd0b20136a8..5db82bfc9dc11 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -2220,7 +2220,11 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
emit(A64_STR64I(A64_R(20), A64_SP, regs_off + 8), ctx);
if (flags & BPF_TRAMP_F_CALL_ORIG) {
- emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
+ /* for the first pass, assume the worst case */
+ if (!ctx->image)
+ ctx->idx += 4;
+ else
+ emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
emit_call((const u64)__bpf_tramp_enter, ctx);
}
@@ -2264,7 +2268,11 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
if (flags & BPF_TRAMP_F_CALL_ORIG) {
im->ip_epilogue = ctx->ro_image + ctx->idx;
- emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
+ /* for the first pass, assume the worst case */
+ if (!ctx->image)
+ ctx->idx += 4;
+ else
+ emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
emit_call((const u64)__bpf_tramp_exit, ctx);
}
--
2.47.0.rc1.288.g06298d1525-goog
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] bpf, arm64: Fix address emission with tag-based KASAN enabled
2024-10-18 22:16 [PATCH] bpf, arm64: Fix address emission with tag-based KASAN enabled Peter Collingbourne
@ 2024-10-19 9:24 ` Xu Kuohai
2024-10-21 7:50 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Xu Kuohai @ 2024-10-19 9:24 UTC (permalink / raw)
To: Peter Collingbourne, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev,
Hao Luo, Jiri Olsa, Puranjay Mohan, Xu Kuohai, Catalin Marinas,
Will Deacon, Jean-Philippe Brucker, bpf, linux-arm-kernel,
linux-kernel
Cc: Alexander Potapenko, Andrey Konovalov, stable
On 10/19/2024 6:16 AM, Peter Collingbourne wrote:
> When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image
> struct on the stack is passed during the size calculation pass and
> an address on the heap is passed during code generation. This may
> cause a heap buffer overflow if the heap address is tagged because
> emit_a64_mov_i64() will emit longer code than it did during the size
> calculation pass. The same problem could occur without tag-based
> KASAN if one of the 16-bit words of the stack address happened to
> be all-ones during the size calculation pass. Fix the problem by
> assuming the worst case (4 instructions) when calculating the size
> of the bpf_tramp_image address emission.
>
> Fixes: 19d3c179a377 ("bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG")
> Signed-off-by: Peter Collingbourne <pcc@google.com>
> Link: https://linux-review.googlesource.com/id/I1496f2bc24fba7a1d492e16e2b94cf43714f2d3c
> Cc: stable@vger.kernel.org
> ---
> arch/arm64/net/bpf_jit_comp.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
> index 8bbd0b20136a8..5db82bfc9dc11 100644
> --- a/arch/arm64/net/bpf_jit_comp.c
> +++ b/arch/arm64/net/bpf_jit_comp.c
> @@ -2220,7 +2220,11 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
> emit(A64_STR64I(A64_R(20), A64_SP, regs_off + 8), ctx);
>
> if (flags & BPF_TRAMP_F_CALL_ORIG) {
> - emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
> + /* for the first pass, assume the worst case */
> + if (!ctx->image)
> + ctx->idx += 4;
> + else
> + emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
> emit_call((const u64)__bpf_tramp_enter, ctx);
> }
>
> @@ -2264,7 +2268,11 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
>
> if (flags & BPF_TRAMP_F_CALL_ORIG) {
> im->ip_epilogue = ctx->ro_image + ctx->idx;
> - emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
> + /* for the first pass, assume the worst case */
> + if (!ctx->image)
> + ctx->idx += 4;
> + else
> + emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
> emit_call((const u64)__bpf_tramp_exit, ctx);
> }
>
Acked-by: Xu Kuohai <xukuohai@huawei.com>
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH] bpf, arm64: Fix address emission with tag-based KASAN enabled
2024-10-18 22:16 [PATCH] bpf, arm64: Fix address emission with tag-based KASAN enabled Peter Collingbourne
2024-10-19 9:24 ` Xu Kuohai
@ 2024-10-21 7:50 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2024-10-21 7:50 UTC (permalink / raw)
To: Peter Collingbourne
Cc: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
john.fastabend, kpsingh, sdf, haoluo, jolsa, puranjay12, xukuohai,
catalin.marinas, will, jean-philippe, bpf, linux-arm-kernel,
linux-kernel, glider, andreyknvl, stable
Hello:
This patch was applied to bpf/bpf.git (master)
by Daniel Borkmann <daniel@iogearbox.net>:
On Fri, 18 Oct 2024 15:16:43 -0700 you wrote:
> When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image
> struct on the stack is passed during the size calculation pass and
> an address on the heap is passed during code generation. This may
> cause a heap buffer overflow if the heap address is tagged because
> emit_a64_mov_i64() will emit longer code than it did during the size
> calculation pass. The same problem could occur without tag-based
> KASAN if one of the 16-bit words of the stack address happened to
> be all-ones during the size calculation pass. Fix the problem by
> assuming the worst case (4 instructions) when calculating the size
> of the bpf_tramp_image address emission.
>
> [...]
Here is the summary with links:
- bpf, arm64: Fix address emission with tag-based KASAN enabled
https://git.kernel.org/bpf/bpf/c/a552e2ef5fd1
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-10-21 7:50 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-10-18 22:16 [PATCH] bpf, arm64: Fix address emission with tag-based KASAN enabled Peter Collingbourne
2024-10-19 9:24 ` Xu Kuohai
2024-10-21 7:50 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox