Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp556127pxv; Fri, 9 Jul 2021 04:12:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwnY7PVx72MeP/q3SV7IlxFRZOmfKAaTfyRUHyzGB3lwxrgbVfnu6zZ+T1qZ1P4/UOWFKEj X-Received: by 2002:a17:907:97d2:: with SMTP id js18mr30775125ejc.517.1625829178025; Fri, 09 Jul 2021 04:12:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625829178; cv=none; d=google.com; s=arc-20160816; b=YKFNxDxtc6ixG4QGwgkHX1AXvNBVQyCbG9cRlYdYxOdDswl4ymh552RR1VGfLXZ1jD vyOWQuHU6hf1snmewmmRxBG1jVbeXhYYfcFUuYECp9Hh3xIZr6S3nSVi9q3MHIRoTvgv yURaBKzhe+y31/FIZp7Cy+koJDL82G2TwvHOdY/Yu/L7mtaxvFMclxuUzCSAM3D7bYV6 0jjPMVIfyDWyKWNZpSPdP7qC65fd6Wt/og4oHPLpjk+PBHAugwRizD7pz02rvlf1w1ls lI7BUL1a8Kms74aJfXDyRNaJ4bdxSq4Fm79Et2eCmk5OCg+0t8AVWLu5U7dnRNCMTy4t mLUg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:references:cc:to :subject; bh=CfOju/ZP7rMZNb/Xtden2S6ojaoRKQ2g/6K/NqGrhGk=; b=VvHqQrlNBTKEpElK/LuISsjheq0MJl84xY1JdXEGHmzsWSckzbkRaUAx8rqydrjea3 s84JqRTTj/CMf0ix5F1P35pQWBBEtPr3/oHbcTCVKietLkEINsLp0sk4WCBTSTC0VsLV 6mtz6HKUZ/z1pC+/WCPVlZN4egjxewzticDUrBmkaZ6enQH7ybG1s3lP/ncdCZRSGF4G VbDpKn91Xvh64e2i98XpEKEvi1xMWhf5HN7zTsElAAjmkZB7ChK4KrKAWjVDjYDY9Z3Q UEkjZlVQCgd5P7PyaC0vFqcteNCI2yeTDwcrqA9Hr8JwnyrYKv4rPpf23Cn2LOV6ScQZ we8g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f4si6487739ejl.218.2021.07.09.04.12.33; Fri, 09 Jul 2021 04:12:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230343AbhGILOM (ORCPT + 99 others); Fri, 9 Jul 2021 07:14:12 -0400 Received: from szxga01-in.huawei.com ([45.249.212.187]:14060 "EHLO szxga01-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229861AbhGILOL (ORCPT ); Fri, 9 Jul 2021 07:14:11 -0400 Received: from dggeme751-chm.china.huawei.com (unknown [172.30.72.55]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4GLr4D5kNPzbbbL; Fri, 9 Jul 2021 19:08:12 +0800 (CST) Received: from [10.67.110.55] (10.67.110.55) by dggeme751-chm.china.huawei.com (10.3.19.97) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2176.2; Fri, 9 Jul 2021 19:11:26 +0800 Subject: Re: [bpf-next 3/3] bpf: Fix a use after free in bpf_check() To: Alexei Starovoitov CC: Song Liu , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , "David S . Miller" , Jakub Kicinski , Networking , bpf , open list References: <20210707043811.5349-1-hefengqing@huawei.com> <20210707043811.5349-4-hefengqing@huawei.com> <1c5b393d-6848-3d10-30cf-7063a331f76c@huawei.com> From: He Fengqing Message-ID: Date: Fri, 9 Jul 2021 19:11:25 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.67.110.55] X-ClientProxiedBy: dggeme702-chm.china.huawei.com (10.1.199.98) To dggeme751-chm.china.huawei.com (10.3.19.97) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 在 2021/7/8 11:09, Alexei Starovoitov 写道: > On Wed, Jul 7, 2021 at 8:00 PM He Fengqing wrote: >> >> Ok, I will change this in next version. > > before you spam the list with the next version > please explain why any of these changes are needed? > I don't see an explanation in the patches and I don't see a bug in the code. > Did you check what is the prog clone ? > When is it constructed? Why verifier has anything to do with it? > . > I'm sorry, I didn't describe these errors clearly. bpf_check(bpf_verifier_env) | |->do_misc_fixups(env) | | | |->bpf_patch_insn_data(env) | | | | | |->bpf_patch_insn_single(env->prog) | | | | | | | |->bpf_prog_realloc(env->prog) | | | | | | | | | |->construct new_prog | | | | | free old_prog(env->prog) | | | | | | | | | |->return new_prog; | | | | | | | |->return new_prog; | | | | | |->adjust_insn_aux_data | | | | | | | |->return ENOMEM; | | | | | |->return NULL; | | | |->return ENOMEM; bpf_verifier_env->prog had been freed in bpf_prog_realloc function. There are two errors here, the first is memleak in the bpf_patch_insn_data function, and the second is use after free in the bpf_check function. memleak in bpf_patch_insn_data: Look at the call chain above, if adjust_insn_aux_data function return ENOMEM, bpf_patch_insn_data will return NULL, but we do not free the new_prog. So in the patch 2, before bpf_patch_insn_data return NULL, we free the new_prog. use after free in bpf_check: If bpf_patch_insn_data function return NULL, we will not assign new_prog to the bpf_verifier_env->prog, but bpf_verifier_env->prog has been freed in the bpf_prog_realloc function. Then in bpf_check function, we will use bpf_verifier_env->prog after do_misc_fixups function. In the patch 3, I added a free_old parameter to bpf_prog_realloc, in this scenario we don't free old_prog. Instead, we free it in the do_misc_fixups function when bpf_patch_insn_data return a valid new_prog. Thanks for your reviews.