Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug.
Call trace:
dump_stack+0xbf/0x12e
print_address_description+0x6a/0x280
kasan_report+0x237/0x360
sanitize_ptr_alu+0x85a/0x8d0
adjust_ptr_min_max_vals+0x8f2/0x1ca0
adjust_reg_min_max_vals+0x8ed/0x22e0
do_check+0x1ca6/0x5d00
bpf_check+0x9ca/0x2570
bpf_prog_load+0xc91/0x1030
__se_sys_bpf+0x61e/0x1f00
do_syscall_64+0xc8/0x550
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fault injection trace:
kfree+0xea/0x290
free_func_state+0x4a/0x60
free_verifier_state+0x61/0xe0
push_stack+0x216/0x2f0 <- inject failslab
sanitize_ptr_alu+0x2b1/0x8d0
adjust_ptr_min_max_vals+0x8f2/0x1ca0
adjust_reg_min_max_vals+0x8ed/0x22e0
do_check+0x1ca6/0x5d00
bpf_check+0x9ca/0x2570
bpf_prog_load+0xc91/0x1030
__se_sys_bpf+0x61e/0x1f00
do_syscall_64+0xc8/0x550
entry_SYSCALL_64_after_hwframe+0x49/0xbe
When kzalloc() fails in push_stack(), free_verifier_state() will free
current verifier state. As push_stack() returns, dst_reg was restored
if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg
is also freed, and error occurs when dereferencing dst_reg.
Simply fix it by checking whether cur_state is NULL before retoring
dst_reg.
Signed-off-by: Xu Yu <[email protected]>
---
kernel/bpf/verifier.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ce166a0..018ce4f 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3368,7 +3368,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
*dst_reg = *ptr_reg;
}
ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
- if (!ptr_is_dst_reg)
+ if (!ptr_is_dst_reg && env->cur_state)
*dst_reg = tmp;
return !ret ? -EFAULT : 0;
}
--
1.8.3.1
On 03/21/2019 09:31 AM, Xu Yu wrote:
> Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug.
> Call trace:
> dump_stack+0xbf/0x12e
> print_address_description+0x6a/0x280
> kasan_report+0x237/0x360
> sanitize_ptr_alu+0x85a/0x8d0
> adjust_ptr_min_max_vals+0x8f2/0x1ca0
> adjust_reg_min_max_vals+0x8ed/0x22e0
> do_check+0x1ca6/0x5d00
> bpf_check+0x9ca/0x2570
> bpf_prog_load+0xc91/0x1030
> __se_sys_bpf+0x61e/0x1f00
> do_syscall_64+0xc8/0x550
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> Fault injection trace:
> kfree+0xea/0x290
> free_func_state+0x4a/0x60
> free_verifier_state+0x61/0xe0
> push_stack+0x216/0x2f0 <- inject failslab
> sanitize_ptr_alu+0x2b1/0x8d0
> adjust_ptr_min_max_vals+0x8f2/0x1ca0
> adjust_reg_min_max_vals+0x8ed/0x22e0
> do_check+0x1ca6/0x5d00
> bpf_check+0x9ca/0x2570
> bpf_prog_load+0xc91/0x1030
> __se_sys_bpf+0x61e/0x1f00
> do_syscall_64+0xc8/0x550
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> When kzalloc() fails in push_stack(), free_verifier_state() will free
> current verifier state. As push_stack() returns, dst_reg was restored
> if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg
> is also freed, and error occurs when dereferencing dst_reg.
>
> Simply fix it by checking whether cur_state is NULL before retoring
> dst_reg.
>
> Signed-off-by: Xu Yu <[email protected]>
> ---
> kernel/bpf/verifier.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index ce166a0..018ce4f 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -3368,7 +3368,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
> *dst_reg = *ptr_reg;
> }
> ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
> - if (!ptr_is_dst_reg)
> + if (!ptr_is_dst_reg && env->cur_state)
> *dst_reg = tmp;
Good catch, test should be more obvious rewritten as:
if (!ptr_is_dst_reg && ret)
Could you resubmit with that?
> return !ret ? -EFAULT : 0;
> }
>
Thanks,
Daniel
On 3/21/19 4:50 PM, Daniel Borkmann wrote:
> On 03/21/2019 09:31 AM, Xu Yu wrote:
>> Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug.
>> Call trace:
>> dump_stack+0xbf/0x12e
>> print_address_description+0x6a/0x280
>> kasan_report+0x237/0x360
>> sanitize_ptr_alu+0x85a/0x8d0
>> adjust_ptr_min_max_vals+0x8f2/0x1ca0
>> adjust_reg_min_max_vals+0x8ed/0x22e0
>> do_check+0x1ca6/0x5d00
>> bpf_check+0x9ca/0x2570
>> bpf_prog_load+0xc91/0x1030
>> __se_sys_bpf+0x61e/0x1f00
>> do_syscall_64+0xc8/0x550
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> Fault injection trace:
>> kfree+0xea/0x290
>> free_func_state+0x4a/0x60
>> free_verifier_state+0x61/0xe0
>> push_stack+0x216/0x2f0 <- inject failslab
>> sanitize_ptr_alu+0x2b1/0x8d0
>> adjust_ptr_min_max_vals+0x8f2/0x1ca0
>> adjust_reg_min_max_vals+0x8ed/0x22e0
>> do_check+0x1ca6/0x5d00
>> bpf_check+0x9ca/0x2570
>> bpf_prog_load+0xc91/0x1030
>> __se_sys_bpf+0x61e/0x1f00
>> do_syscall_64+0xc8/0x550
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> When kzalloc() fails in push_stack(), free_verifier_state() will free
>> current verifier state. As push_stack() returns, dst_reg was restored
>> if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg
>> is also freed, and error occurs when dereferencing dst_reg.
>>
>> Simply fix it by checking whether cur_state is NULL before retoring
>> dst_reg.
>>
>> Signed-off-by: Xu Yu <[email protected]>
>> ---
>> kernel/bpf/verifier.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index ce166a0..018ce4f 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -3368,7 +3368,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
>> *dst_reg = *ptr_reg;
>> }
>> ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
>> - if (!ptr_is_dst_reg)
>> + if (!ptr_is_dst_reg && env->cur_state)
>> *dst_reg = tmp;
>
> Good catch, test should be more obvious rewritten as:
>
> if (!ptr_is_dst_reg && ret)
>
> Could you resubmit with that?
sure, will send patch v2 later.
thanks,
Yu
>
>> return !ret ? -EFAULT : 0;
>> }
>>
>
> Thanks,
> Daniel
>
Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug.
Call trace:
dump_stack+0xbf/0x12e
print_address_description+0x6a/0x280
kasan_report+0x237/0x360
sanitize_ptr_alu+0x85a/0x8d0
adjust_ptr_min_max_vals+0x8f2/0x1ca0
adjust_reg_min_max_vals+0x8ed/0x22e0
do_check+0x1ca6/0x5d00
bpf_check+0x9ca/0x2570
bpf_prog_load+0xc91/0x1030
__se_sys_bpf+0x61e/0x1f00
do_syscall_64+0xc8/0x550
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fault injection trace:
kfree+0xea/0x290
free_func_state+0x4a/0x60
free_verifier_state+0x61/0xe0
push_stack+0x216/0x2f0 <- inject failslab
sanitize_ptr_alu+0x2b1/0x8d0
adjust_ptr_min_max_vals+0x8f2/0x1ca0
adjust_reg_min_max_vals+0x8ed/0x22e0
do_check+0x1ca6/0x5d00
bpf_check+0x9ca/0x2570
bpf_prog_load+0xc91/0x1030
__se_sys_bpf+0x61e/0x1f00
do_syscall_64+0xc8/0x550
entry_SYSCALL_64_after_hwframe+0x49/0xbe
When kzalloc() fails in push_stack(), free_verifier_state() will free
current verifier state. As push_stack() returns, dst_reg was restored
if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg
is also freed, and error occurs when dereferencing dst_reg.
Simply fix it by testing ret of push_stack() before retoring dst_reg.
Signed-off-by: Xu Yu <[email protected]>
---
kernel/bpf/verifier.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ce166a0..cb1b874 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3368,7 +3368,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
*dst_reg = *ptr_reg;
}
ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
- if (!ptr_is_dst_reg)
+ if (!ptr_is_dst_reg && ret)
*dst_reg = tmp;
return !ret ? -EFAULT : 0;
}
--
1.8.3.1
On 03/21/2019 11:00 AM, Xu Yu wrote:
> Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug.
> Call trace:
> dump_stack+0xbf/0x12e
> print_address_description+0x6a/0x280
> kasan_report+0x237/0x360
> sanitize_ptr_alu+0x85a/0x8d0
> adjust_ptr_min_max_vals+0x8f2/0x1ca0
> adjust_reg_min_max_vals+0x8ed/0x22e0
> do_check+0x1ca6/0x5d00
> bpf_check+0x9ca/0x2570
> bpf_prog_load+0xc91/0x1030
> __se_sys_bpf+0x61e/0x1f00
> do_syscall_64+0xc8/0x550
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> Fault injection trace:
> kfree+0xea/0x290
> free_func_state+0x4a/0x60
> free_verifier_state+0x61/0xe0
> push_stack+0x216/0x2f0 <- inject failslab
> sanitize_ptr_alu+0x2b1/0x8d0
> adjust_ptr_min_max_vals+0x8f2/0x1ca0
> adjust_reg_min_max_vals+0x8ed/0x22e0
> do_check+0x1ca6/0x5d00
> bpf_check+0x9ca/0x2570
> bpf_prog_load+0xc91/0x1030
> __se_sys_bpf+0x61e/0x1f00
> do_syscall_64+0xc8/0x550
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> When kzalloc() fails in push_stack(), free_verifier_state() will free
> current verifier state. As push_stack() returns, dst_reg was restored
> if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg
> is also freed, and error occurs when dereferencing dst_reg.
>
> Simply fix it by testing ret of push_stack() before retoring dst_reg.
>
> Signed-off-by: Xu Yu <[email protected]>
Applied, thanks!