Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp1884477ybz; Thu, 30 Apr 2020 07:11:48 -0700 (PDT) X-Google-Smtp-Source: APiQypKaT8H8qA0SOe9M2L6sSbk+A5gyt8Xohc4OWah5hZrG5GYeR1ubc5aXxh51qqLaqZa4gM1u X-Received: by 2002:a05:6402:2d5:: with SMTP id b21mr2736971edx.291.1588255907908; Thu, 30 Apr 2020 07:11:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588255907; cv=none; d=google.com; s=arc-20160816; b=TlfwaTSTS3SLYMbcVrcMYHiXqVrKl23PIQRs/CkwclUiQHzeuhPvXeHfAcLp0EhVsa sX9p4FXuu0rZ60YG/UYynUeYf+pjlE/q+xO3/0PGk/x7lS3l4rlmhUkov+wDdEDtRqn6 tBmrMicf5J8+7r6gZz1Xz8TQjlh/1sCdffp+uQBJLfXvCqz+ldDt5X4Lg382hy/AUh8m KdgzgINMC/7P+e5DMJtfhZX17EeZi9evBQUDp8t+qqxX0PJWinpzwaF+wkvYChZIjYTz PQ/4L02LC/rLG+12cFNWY2WPFekf5MfD5W29Ha5YmHsUEv5ivDfpJS/Yf7gCl2pmp4Dd m9Sw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=C8CPLfI5s91DxCk7kcgm4thUgwN4enEwVLMIAvHwa3U=; b=KUcKeaG8EiJ9P5B4cMd1Oeh72DXDia2eWnbvWh5q3Zj0kmcmqC87YN/gqtbH9mvjNZ ZGs5jjEose9p12Hdgr2ZrpF2V0JNG+cl7HjjtOUAXKLhSniTRzVP/Xk+YocQeNWNVgWt CXY0v/X6eDFpQyscNiktZFDtnApa9HEylSTPsvdZVko7tFwJfkztpfwIXMm7I62QvYQS Th8MXEDDWRbiq7hA2qmGHzosL0KErM4o3IiFjzftYPJzTw8qaS1IGKvFNx0eg8is0Lvq 2ZhslUmfWYLk6eU8nKQSO/q1Mf8PC0k88R4XxRQBlDlZJT/eghUITr3WUxbJDBrAhkWl Xjkw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=NIRc9vRO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p90si1229458edd.215.2020.04.30.07.11.23; Thu, 30 Apr 2020 07:11:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=NIRc9vRO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729428AbgD3OJm (ORCPT + 99 others); Thu, 30 Apr 2020 10:09:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:60366 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728175AbgD3Nvp (ORCPT ); Thu, 30 Apr 2020 09:51:45 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BEFF22137B; Thu, 30 Apr 2020 13:51:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1588254704; bh=VH3MrWqeXNoY1d7dlhcKWGe+53MwSL9WYC83oj3Q7Vs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=NIRc9vROXwziewuaw2YYCtauBArTxuYe6CcxZbBgWIFKjU/7GkkOfdWPYwh7LPvVk OAqRmYAHbAAEZU7u+RBaY3XDM4rEhN0VCVKHZWArvQwZWog8FEoBeI/DdChiW5nug2 RleAP0CS0i0mmLz3Ytqz0K5ijwcLk42+2gAdfh6A= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Jann Horn , Alexei Starovoitov , Sasha Levin , netdev@vger.kernel.org Subject: [PATCH AUTOSEL 5.6 53/79] bpf: Fix handling of XADD on BTF memory Date: Thu, 30 Apr 2020 09:50:17 -0400 Message-Id: <20200430135043.19851-53-sashal@kernel.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200430135043.19851-1-sashal@kernel.org> References: <20200430135043.19851-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jann Horn [ Upstream commit 8ff3571f7e1bf3f293cc5e3dc14f2943f4fa7fcf ] check_xadd() can cause check_ptr_to_btf_access() to be executed with atype==BPF_READ and value_regno==-1 (meaning "just check whether the access is okay, don't tell me what type it will result in"). Handle that case properly and skip writing type information, instead of indexing into the registers at index -1 and writing into out-of-bounds memory. Note that at least at the moment, you can't actually write through a BTF pointer, so check_xadd() will reject the program after calling check_ptr_to_btf_access with atype==BPF_WRITE; but that's after the verifier has already corrupted memory. This patch assumes that BTF pointers are not available in unprivileged programs. Fixes: 9e15db66136a ("bpf: Implement accurate raw_tp context access via BTF") Signed-off-by: Jann Horn Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200417000007.10734-2-jannh@google.com Signed-off-by: Sasha Levin --- kernel/bpf/verifier.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index e4357a301fb8f..1381913cb10ba 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2885,7 +2885,7 @@ static int check_ptr_to_btf_access(struct bpf_verifier_env *env, if (ret < 0) return ret; - if (atype == BPF_READ) { + if (atype == BPF_READ && value_regno >= 0) { if (ret == SCALAR_VALUE) { mark_reg_unknown(env, regs, value_regno); return 0; -- 2.20.1