Subject: Re: [PATCH] bpf: do not restore dst_reg when cur_state is freed
To: Daniel Borkmann , bpf@vger.kernel.org, linux-kernel@vger.kernel.org
From: Yu Xu
Date: Thu, 21 Mar 2019 17:28:41 +0800

On 3/21/19 4:50 PM, Daniel Borkmann wrote:
> On 03/21/2019 09:31 AM, Xu Yu wrote:
>> Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug.
>> Call trace:
>> dump_stack+0xbf/0x12e
>> print_address_description+0x6a/0x280
>> kasan_report+0x237/0x360
>> sanitize_ptr_alu+0x85a/0x8d0
>> adjust_ptr_min_max_vals+0x8f2/0x1ca0
>> adjust_reg_min_max_vals+0x8ed/0x22e0
>> do_check+0x1ca6/0x5d00
>> bpf_check+0x9ca/0x2570
>> bpf_prog_load+0xc91/0x1030
>> __se_sys_bpf+0x61e/0x1f00
>> do_syscall_64+0xc8/0x550
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> Fault injection trace:
>>  kfree+0xea/0x290
>>  free_func_state+0x4a/0x60
>>  free_verifier_state+0x61/0xe0
>>  push_stack+0x216/0x2f0 <- inject failslab
>>  sanitize_ptr_alu+0x2b1/0x8d0
>>  adjust_ptr_min_max_vals+0x8f2/0x1ca0
>>  adjust_reg_min_max_vals+0x8ed/0x22e0
>>  do_check+0x1ca6/0x5d00
>>  bpf_check+0x9ca/0x2570
>>  bpf_prog_load+0xc91/0x1030
>>  __se_sys_bpf+0x61e/0x1f00
>>  do_syscall_64+0xc8/0x550
>>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> When kzalloc() fails in push_stack(), free_verifier_state() will free
>> current verifier state. As push_stack() returns, dst_reg was restored
>> if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg
>> is also freed, and error occurs when dereferencing dst_reg.
>>
>> Simply fix it by checking whether cur_state is NULL before restoring
>> dst_reg.
>>
>> Signed-off-by: Xu Yu
>> ---
>> kernel/bpf/verifier.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index ce166a0..018ce4f 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -3368,7 +3368,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
>> *dst_reg = *ptr_reg;
>> }
>> ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
>> - if (!ptr_is_dst_reg)
>> + if (!ptr_is_dst_reg && env->cur_state)
>> *dst_reg = tmp;
>
> Good catch, test should be more obvious rewritten as:
>
> if (!ptr_is_dst_reg && ret)
>
> Could you resubmit with that?

Sure, will send patch v2 later.

Thanks,
Yu

>
>> return !ret ? -EFAULT : 0;
>> }
>>
>
> Thanks,
> Daniel
>
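Review bot: the `+` line guards the restore on `env->cur_state`, which only reflects the failure indirectly, through the side effect of free_verifier_state() clearing it; the return value of push_stack() is the direct signal that the allocation failed and the state was released, and the function already branches on it one line later (`return !ret ? -EFAULT : 0;`), so `if (!ptr_is_dst_reg && ret)` says what is meant and keeps the two checks consistent, as the reply requests. The commit message should also say explicitly that push_stack() frees the current state on failure before the caller touches dst_reg again; it is the key fact that turns the restore into a use-after-free. Minor: "retoring" in the commit message should read "restoring".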
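The ownership hazard described in the commit message, as an added example that is not kernel code and not part of this thread: a constructed model in which the environment owns a heap-allocated current state and a failed push_stack() frees that state before returning NULL, so the caller must not write through its saved dst_reg pointer unless the push succeeded. The struct and function names (verifier_env, func_state, push_stack, sanitize_ptr_alu_model, run_model), the inject_alloc_failure knob standing in for failslab, and the register values are all assumptions made for the model; the guard follows the form suggested in the reply, testing the return value rather than env->cur_state.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not kernel code) of the ownership pattern behind the
 * report: the environment owns a heap-allocated current state, and a failed
 * push_stack() frees that state before returning NULL, so any write through a
 * pointer into the old state after that point is a use-after-free. */

struct reg_state { long off; };
struct func_state { struct reg_state regs[4]; };

struct verifier_env {
	struct func_state *cur_state;	/* owned; NULL once freed */
	struct func_state *pushed;	/* last pushed copy, kept for inspection */
	int inject_alloc_failure;	/* test knob standing in for failslab */
};

struct verifier_env *env_new(void)
{
	struct verifier_env *env = calloc(1, sizeof(*env));

	if (!env)
		return NULL;
	env->cur_state = calloc(1, sizeof(*env->cur_state));
	if (!env->cur_state) {
		free(env);
		return NULL;
	}
	return env;
}

void env_free(struct verifier_env *env)
{
	if (!env)
		return;
	free(env->cur_state);
	free(env->pushed);
	free(env);
}

/* Returns the pushed copy, or NULL on allocation failure. On failure the
 * current state is released as well, mirroring free_verifier_state(). */
struct func_state *push_stack(struct verifier_env *env)
{
	struct func_state *elem = NULL;

	if (!env->inject_alloc_failure)
		elem = calloc(1, sizeof(*elem));
	if (!elem) {
		free(env->cur_state);
		env->cur_state = NULL;
		return NULL;
	}
	memcpy(elem, env->cur_state, sizeof(*elem));
	free(env->pushed);
	env->pushed = elem;
	return elem;
}

/* Fixed pattern: alias dst onto ptr, push a branch, then restore dst only
 * if push_stack() succeeded. The test is on the return value, as suggested
 * in the review, because ret is the direct signal that the callee failed
 * and freed the state dst_reg points into. */
int sanitize_ptr_alu_model(struct verifier_env *env, int dst, int ptr)
{
	struct reg_state *dst_reg = &env->cur_state->regs[dst];
	struct reg_state tmp = *dst_reg;
	int ptr_is_dst_reg = (dst == ptr);
	struct func_state *ret;

	if (!ptr_is_dst_reg)
		*dst_reg = env->cur_state->regs[ptr];
	ret = push_stack(env);
	if (!ptr_is_dst_reg && ret)
		*dst_reg = tmp;
	return !ret ? -EFAULT : 0;
}

/* Runs one call with dst = reg0 (value 10) and ptr = reg1 (value 42), both
 * constructed. Reports dst's value in the surviving state and in the pushed
 * copy, or -1 where that state does not exist. */
int run_model(int inject_failure, long *dst_after, long *pushed_dst)
{
	struct verifier_env *env = env_new();
	int rc;

	if (!env)
		return -ENOMEM;
	env->cur_state->regs[0].off = 10;
	env->cur_state->regs[1].off = 42;
	env->inject_alloc_failure = inject_failure;
	rc = sanitize_ptr_alu_model(env, 0, 1);
	*dst_after = env->cur_state ? env->cur_state->regs[0].off : -1;
	*pushed_dst = env->pushed ? env->pushed->regs[0].off : -1;
	env_free(env);
	return rc;
}
```

On the success path the pushed copy sees dst aliased to ptr (42) and the live state gets its original value (10) back; with the failure injected the call returns -EFAULT, the state is gone, and nothing is written into it.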