Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp2603654pxv; Sun, 11 Jul 2021 19:45:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzp/1OS42hqacn1tlHE3ac8iJ6RqyFHlqm4VNGmhBBDXGB/Qyv7UzAnH6NT1YCM/RMp17zX X-Received: by 2002:a17:906:698a:: with SMTP id i10mr50102974ejr.499.1626057903371; Sun, 11 Jul 2021 19:45:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626057903; cv=none; d=google.com; s=arc-20160816; b=loPeUTG36qnWxMNTUezATf4hy7yeUYrlYOuwAgMN20OtwnVqG2Kz/vZJ0psEryd2Fh 4ds/ial/tBLPp3nR6zRxz5Fzw3CZ5UsxF8BZLKDO6jK7ypMBfFWm1l1Bji81qckq30/1 C66+el1riaREUGqLpb9HsNFNGF+fmq5TcS+aBwhkI3aoJjSWOF4Hp0Il0RiyptwF0lvZ 2AWvpF6TjFinWy8u7HC+l2G+MU0Tzx4OQwZe9tfLyEyZWco6C5y0xF015DlXT2Qogoay 14TVRCQ/CDkmLUYKjVz1jIZ3etpM+izf+p8AJT5nCFOiMbJRS8wIILwXwznM8N54fdOZ +EdQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:references:cc:to :subject; bh=t2PkKkx8E3rNZTNLkJAjDpwOZVYLr53HhY/XF+/mjHQ=; b=eDbyDvK2JHoVsSFUrF/qICN/1hP+/R6/6TLTJHIFeetSqM7xAe4eQ9cHyJWctvzE+q DqzVrexJKPmXji+j+cXR7xNUYqNHrePzIUXOxynR7A6qanhuiDOW4XW5G+kEYwJbZGhQ uLFkXEBRVkmIju2TS+GZL5dKUT2SZG+jmWGWGVD9/Cv3WPovjEyOkjje7s61+5D9Lgva xquSsTgzzYQYmUaoHMI/rBdorWY3QNsIr/h36mirc1gtxJHQtTiPdOFUQGbF02kdxh+u 7hY6U/yss8jFKHM9gsMVzRhzPx2A7CL5820MplqV+iePUQTDtcJda2xIj1TBPNzIv1/3 y+6w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 18si795210ejc.508.2021.07.11.19.44.30; Sun, 11 Jul 2021 19:45:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231981AbhGLCpF (ORCPT + 99 others); Sun, 11 Jul 2021 22:45:05 -0400 Received: from szxga03-in.huawei.com ([45.249.212.189]:10353 "EHLO szxga03-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229818AbhGLCpF (ORCPT ); Sun, 11 Jul 2021 22:45:05 -0400 Received: from dggeme751-chm.china.huawei.com (unknown [172.30.72.55]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4GNS3Y4bSdz78P9; Mon, 12 Jul 2021 10:13:13 +0800 (CST) Received: from [10.67.110.55] (10.67.110.55) by dggeme751-chm.china.huawei.com (10.3.19.97) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2176.2; Mon, 12 Jul 2021 10:17:39 +0800 Subject: Re: [bpf-next 3/3] bpf: Fix a use after free in bpf_check() To: Alexei Starovoitov CC: Song Liu , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , "David S . Miller" , Jakub Kicinski , Networking , bpf , open list References: <20210707043811.5349-1-hefengqing@huawei.com> <20210707043811.5349-4-hefengqing@huawei.com> <1c5b393d-6848-3d10-30cf-7063a331f76c@huawei.com> From: He Fengqing Message-ID: <21d8cd9e-487e-411f-1cfd-67cebc86b221@huawei.com> Date: Mon, 12 Jul 2021 10:17:39 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.67.110.55] X-ClientProxiedBy: dggeme720-chm.china.huawei.com (10.1.199.116) To dggeme751-chm.china.huawei.com (10.3.19.97) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 在 2021/7/9 23:12, Alexei Starovoitov 写道: > On Fri, Jul 9, 2021 at 4:11 AM He Fengqing wrote: >> >> >> >> 在 2021/7/8 11:09, Alexei Starovoitov 写道: >>> On Wed, Jul 7, 2021 at 8:00 PM He Fengqing wrote: >>>> >>>> Ok, I will change this in next version. >>> >>> before you spam the list with the next version >>> please explain why any of these changes are needed? >>> I don't see an explanation in the patches and I don't see a bug in the code. >>> Did you check what is the prog clone ? >>> When is it constructed? Why verifier has anything to do with it? >>> . >>> >> >> >> I'm sorry, I didn't describe these errors clearly. >> >> bpf_check(bpf_verifier_env) >> | >> |->do_misc_fixups(env) >> | | >> | |->bpf_patch_insn_data(env) >> | | | >> | | |->bpf_patch_insn_single(env->prog) >> | | | | >> | | | |->bpf_prog_realloc(env->prog) >> | | | | | >> | | | | |->construct new_prog >> | | | | | free old_prog(env->prog) >> | | | | | >> | | | | |->return new_prog; >> | | | | >> | | | |->return new_prog; >> | | | >> | | |->adjust_insn_aux_data >> | | | | >> | | | |->return ENOMEM; >> | | | >> | | |->return NULL; >> | | >> | |->return ENOMEM; >> >> bpf_verifier_env->prog had been freed in bpf_prog_realloc function. >> >> >> There are two errors here, the first is memleak in the >> bpf_patch_insn_data function, and the second is use after free in the >> bpf_check function. >> >> memleak in bpf_patch_insn_data: >> >> Look at the call chain above, if adjust_insn_aux_data function return >> ENOMEM, bpf_patch_insn_data will return NULL, but we do not free the >> new_prog. >> >> So in the patch 2, before bpf_patch_insn_data return NULL, we free the >> new_prog. >> >> use after free in bpf_check: >> >> If bpf_patch_insn_data function return NULL, we will not assign new_prog >> to the bpf_verifier_env->prog, but bpf_verifier_env->prog has been freed >> in the bpf_prog_realloc function. Then in bpf_check function, we will >> use bpf_verifier_env->prog after do_misc_fixups function. >> >> In the patch 3, I added a free_old parameter to bpf_prog_realloc, in >> this scenario we don't free old_prog. Instead, we free it in the >> do_misc_fixups function when bpf_patch_insn_data return a valid new_prog. > > Thanks for explaining. > Why not to make adjust_insn_aux_data() in bpf_patch_insn_data() first then? > Just changing the order will resolve both issues, no? > . > adjust_insn_aux_data() need the new constructed new_prog as an input parameter, so we must call bpf_patch_insn_single() before adjust_insn_aux_data(). But we can make adjust_insn_aux_data() never return ENOMEM. In bpf_patch_insn_data(), first we pre-malloc memory for new aux_data, then call bpf_patch_insn_single() to constructed the new_prog, at last call adjust_insn_aux_data() functin. In this way, adjust_insn_aux_data() never fails. bpf_patch_insn_data(env) { struct bpf_insn_aux_data *new_data = vzalloc(); struct bpf_prog *new_prog; if (new_data == NULL) return NULL; new_prog = bpf_patch_insn_single(env->prog); if (new_prog == NULL) { vfree(new_data); return NULL; } adjust_insn_aux_data(new_prog, new_data); return new_prog; } What do you think about it?