Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp752962pxv; Fri, 9 Jul 2021 08:14:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxJz/n0oQquR1VixYRxyURbfJ9WBYdwNEHM6imBaDm0Nrcl7pyrZK14n2jnVCAb08zOBKJg X-Received: by 2002:aa7:d982:: with SMTP id u2mr46569215eds.230.1625843693822; Fri, 09 Jul 2021 08:14:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625843693; cv=none; d=google.com; s=arc-20160816; b=WeWjyGv+hkGEtFfhVhpbupDJu3bZP3gLADRckqanr00u7DU0L3wA3x5FXB/YVOPxoQ ynIRx8suvuyD56OjFGYclDFhKiLDceMW1JhS9lj4cpgvebYAUeIW7eAE89dv7sxvqLY6 qPKoCHNtD0Gnjq/0V2ADaqXBCf+KTFXD4IIDL/7HY4dQRBddAd1nmkfgX3g/2yb4oV0L WJc1bMOK/1a3mPSUgmDJuUFekeLabeh9lSkyorZUVViJBTK4gvycDD1Z5TSrSHXvl9g9 5HJr22NqPvahSSJ7f29pK6FXatkkPXowcae6Lmh5h8/DL9EwoGQlRU4+T4XqRT84/wTT M1sg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=+55UwqLAyfgxZBZ1Kggno0sqWKaYls4/rhJTUFXZyOs=; b=WmT5zGpH885EYSM619wO3PU2yx6JXO8mN54F4+UhOgt/yD+OxQt89V7dhfKqMwc6wx WfqMKnJa5+mmjKKR9TzDNMfRjw5IqJn8OZuhJOckUpQnHkiUIQlXnBpBra/4QlMKlnzi t31jCtAAKEHpqrv1dNFy/wF95FtIAUIQU9pkGxuiyxNHKkob90xCUiVg0C/UVpJ6WuH5 RcPbpprAL8LoGprQXttyuOqmqigIMU3bZTjdvVzdRGFZ2DxXw8CsjRN2HfUg6HzfEaPs ejgI4bfPr27lmzlUGurdETORCUsnr/1uz1CXaJXIM0KtlCOVKEC9Azd3n4ZgS0MV4Kp9 p5Jg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=VnyDWFyL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id js21si7404829ejc.229.2021.07.09.08.14.12; Fri, 09 Jul 2021 08:14:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=VnyDWFyL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232304AbhGIPPz (ORCPT + 99 others); Fri, 9 Jul 2021 11:15:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42162 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232053AbhGIPPy (ORCPT ); Fri, 9 Jul 2021 11:15:54 -0400 Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3BA56C0613DD; Fri, 9 Jul 2021 08:13:10 -0700 (PDT) Received: by mail-lf1-x12d.google.com with SMTP id q18so23919295lfc.7; Fri, 09 Jul 2021 08:13:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=+55UwqLAyfgxZBZ1Kggno0sqWKaYls4/rhJTUFXZyOs=; b=VnyDWFyLsgBcqq7dw8b1LLLrF8WEwEUHgmVhHHNmrD7FmHlqiHR+zAeG1n04MHWUbQ MVhaNyJOUcZOpvorCUoIViNwyRk0dUS/6MkD8CQ6N3gwF0nVhC1LonNKwMxlazr2Q8OM V1aU+UUDI0Oseo0MX/8BfRXWliPXD3vd2ECezbZiFYObgGfsSTRTVmSLrpwuNJj5aItx yoxFHBwfiT70iylX2MF+QdsLUw3EMsVzV0VmLpDNLioYSVLqUXfC1/GRIVfDMZLwLTxX akGgqXEaMzLhcPqtoZLwk3GO9dii6ruKu2TGQykd+hYWazY33MnKYc0sNytca/9/R9vF 9FZA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=+55UwqLAyfgxZBZ1Kggno0sqWKaYls4/rhJTUFXZyOs=; b=gPyYSTeA5wsi2yNmlpzQw9WJIl8jeVbaYgFt7YefykMy/D3pYmTtxQgMNM/Jh2zs0N zqPTNuM9ah2hMmiuNwM3p37szLEZgfIhOKtXHloHpoLo208M50ZJxcP25uoqk+xnj5xN AOmzFc3/XgPaD56RaFVlZH+vn6AsePhfkRJCMm8/xEvIKGsuHiyGwVqmqJxoAE3MMqTP aqf7aPYjemRWifmW+Ruk7BvEkovoY56q3t/I2m3Q36jbHZ7unClOutxz/Olpnwe22bF7 v7j4OeVaXhZ6rksByzstMBbyUMqU55HRnETUVQsFDyiYGqVtiaGipNJPW967SciVca2l CXDQ== X-Gm-Message-State: AOAM532dij0XqNyyVbOQ0AfYFpGKGvVQi3N3P5GN/yJwsfwrujq4ieii tFMED3/eaPP/sihZavNlRmSZxW/GzY8No14T1IM= X-Received: by 2002:a05:6512:3f1a:: with SMTP id y26mr30033434lfa.540.1625843588459; Fri, 09 Jul 2021 08:13:08 -0700 (PDT) MIME-Version: 1.0 References: <20210707043811.5349-1-hefengqing@huawei.com> <20210707043811.5349-4-hefengqing@huawei.com> <1c5b393d-6848-3d10-30cf-7063a331f76c@huawei.com> In-Reply-To: From: Alexei Starovoitov Date: Fri, 9 Jul 2021 08:12:57 -0700 Message-ID: Subject: Re: [bpf-next 3/3] bpf: Fix a use after free in bpf_check() To: He Fengqing Cc: Song Liu , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , "David S . Miller" , Jakub Kicinski , Networking , bpf , open list Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jul 9, 2021 at 4:11 AM He Fengqing wrote: > > > > =E5=9C=A8 2021/7/8 11:09, Alexei Starovoitov =E5=86=99=E9=81=93: > > On Wed, Jul 7, 2021 at 8:00 PM He Fengqing wrot= e: > >> > >> Ok, I will change this in next version. > > > > before you spam the list with the next version > > please explain why any of these changes are needed? > > I don't see an explanation in the patches and I don't see a bug in the = code. > > Did you check what is the prog clone ? > > When is it constructed? Why verifier has anything to do with it? > > . > > > > > I'm sorry, I didn't describe these errors clearly. > > bpf_check(bpf_verifier_env) > | > |->do_misc_fixups(env) > | | > | |->bpf_patch_insn_data(env) > | | | > | | |->bpf_patch_insn_single(env->prog) > | | | | > | | | |->bpf_prog_realloc(env->prog) > | | | | | > | | | | |->construct new_prog > | | | | | free old_prog(env->prog) > | | | | | > | | | | |->return new_prog; > | | | | > | | | |->return new_prog; > | | | > | | |->adjust_insn_aux_data > | | | | > | | | |->return ENOMEM; > | | | > | | |->return NULL; > | | > | |->return ENOMEM; > > bpf_verifier_env->prog had been freed in bpf_prog_realloc function. > > > There are two errors here, the first is memleak in the > bpf_patch_insn_data function, and the second is use after free in the > bpf_check function. > > memleak in bpf_patch_insn_data: > > Look at the call chain above, if adjust_insn_aux_data function return > ENOMEM, bpf_patch_insn_data will return NULL, but we do not free the > new_prog. > > So in the patch 2, before bpf_patch_insn_data return NULL, we free the > new_prog. > > use after free in bpf_check: > > If bpf_patch_insn_data function return NULL, we will not assign new_prog > to the bpf_verifier_env->prog, but bpf_verifier_env->prog has been freed > in the bpf_prog_realloc function. Then in bpf_check function, we will > use bpf_verifier_env->prog after do_misc_fixups function. > > In the patch 3, I added a free_old parameter to bpf_prog_realloc, in > this scenario we don't free old_prog. Instead, we free it in the > do_misc_fixups function when bpf_patch_insn_data return a valid new_prog. Thanks for explaining. Why not to make adjust_insn_aux_data() in bpf_patch_insn_data() first then? Just changing the order will resolve both issues, no?