From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Toke Høiland-Jørgensen, Alexei Starovoitov, Sasha Levin, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.6 77/79] bpf: Propagate expected_attach_type when verifying freplace programs
Date: Thu, 30 Apr 2020 09:50:41 -0400
Message-Id: <20200430135043.19851-77-sashal@kernel.org>

From: Toke Høiland-Jørgensen

[ Upstream commit 03f87c0b45b177ba5f6b4a9bbe9f95e4aba31026 ]

For some program types, the verifier relies on the expected_attach_type of
the program being verified in the verification process. However, for
freplace programs, the attach type was not propagated along with the
verifier ops, so the expected_attach_type would always be zero for freplace
programs.

This in turn caused the verifier to sometimes make the wrong call for
freplace programs. For all existing uses of expected_attach_type for this
purpose, the result of this was only false negatives (i.e., freplace
functions would be rejected by the verifier even though they were valid
programs for the target they were replacing). However, should a false
positive be introduced, this can lead to out-of-bounds accesses and/or
crashes.

The fix introduced in this patch is to propagate the expected_attach_type
to the freplace program during verification, and reset it after that is
done.

Fixes: be8704ff07d2 ("bpf: Introduce dynamic program extensions")
Signed-off-by: Toke Høiland-Jørgensen
Signed-off-by: Alexei Starovoitov
Link: https://lore.kernel.org/bpf/158773526726.293902.13257293296560360508.stgit@toke.dk
Signed-off-by: Sasha Levin --- kernel/bpf/verifier.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 1381913cb10ba..1c53ccbd5b5d6 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -9892,6 +9892,7 @@ static int check_attach_btf_id(struct bpf_verifier_env *env) return -EINVAL; } env->ops = bpf_verifier_ops[tgt_prog->type]; + prog->expected_attach_type = tgt_prog->expected_attach_type; } if (!tgt_prog->jited) { verbose(env, "Can attach to only JITed progs\n"); @@ -10225,6 +10226,13 @@ err_release_maps: * them now. Otherwise free_used_maps() will release them. */ release_maps(env); + + /* extension progs temporarily inherit the attach_type of their targets + for verification purposes, so set it back to zero before returning + */ + if (env->prog->type == BPF_PROG_TYPE_EXT) + env->prog->expected_attach_type = 0; + *prog = env->prog; err_unlock: if (!is_priv) -- 2.20.1
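Review bot: In the first hunk (check_attach_btf_id), the new `prog->expected_attach_type = tgt_prog->expected_attach_type;` overwrites a field of the program being loaded, and nothing at that site says the value is borrowed only for verification and cleared again in the second hunk. Read on its own, the function looks like it makes a permanent change. A one-line comment here pointing at the reset would keep the two halves paired if either is later moved. The assignment also runs before the `if (!tgt_prog->jited)` check that follows, so the field is already changed if that check rejects the target; the reset needs to cover that path too.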
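Review bot: In the second hunk, the reset hard-codes `env->prog->expected_attach_type = 0` instead of restoring whatever the program held before check_attach_btf_id() overwrote it. That depends on BPF_PROG_TYPE_EXT programs always arriving with a zero attach type, which the commit message states but the visible lines do not enforce; either save the original value and restore it, or name that invariant in the comment. The reset also sits above `*prog = env->prog;` and the `err_unlock:` label, so any path that jumps straight to err_unlock skips it; worth confirming that none of those paths can run after the field has been set. Style: the continuation line of the new block comment is missing its leading ` * `.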