From: Lorenz Bauer
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, "David S. Miller", Jakub Kicinski, Jesper Dangaard Brouer, John Fastabend
Cc: kernel-team@cloudflare.com, Lorenz Bauer, Andrii Nakryiko, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH bpf v2 1/1] bpf: fix OOB read when printing XDP link fdinfo
Date: Mon, 19 Jul 2021 09:51:34 +0100
Message-Id: <20210719085134.43325-2-lmb@cloudflare.com>
In-Reply-To: <20210719085134.43325-1-lmb@cloudflare.com>

We got the following UBSAN report on one of our testing machines:

================================================================================
UBSAN: array-index-out-of-bounds in kernel/bpf/syscall.c:2389:24
index 6 is out of range for type 'char *[6]'
CPU: 43 PID: 930921 Comm: systemd-coredum Tainted: G O 5.10.48-cloudflare-kasan-2021.7.0 #1
Hardware name:
Call Trace:
 dump_stack+0x7d/0xa3
 ubsan_epilogue+0x5/0x40
 __ubsan_handle_out_of_bounds.cold+0x43/0x48
 ? seq_printf+0x17d/0x250
 bpf_link_show_fdinfo+0x329/0x380
 ? bpf_map_value_size+0xe0/0xe0
 ? put_files_struct+0x20/0x2d0
 ? __kasan_kmalloc.constprop.0+0xc2/0xd0
 seq_show+0x3f7/0x540
 seq_read_iter+0x3f8/0x1040
 seq_read+0x329/0x500
 ? seq_read_iter+0x1040/0x1040
 ? __fsnotify_parent+0x80/0x820
 ? __fsnotify_update_child_dentry_flags+0x380/0x380
 vfs_read+0x123/0x460
 ksys_read+0xed/0x1c0
 ? __x64_sys_pwrite64+0x1f0/0x1f0
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
================================================================================
================================================================================
UBSAN: object-size-mismatch in kernel/bpf/syscall.c:2384:2

From the report, we can infer that some array access in
bpf_link_show_fdinfo at index 6 is out of bounds. The obvious candidate is
bpf_link_type_strs[BPF_LINK_TYPE_XDP] with BPF_LINK_TYPE_XDP == 6. It turns
out that BPF_LINK_TYPE_XDP is missing from bpf_types.h and therefore doesn't
have an entry in bpf_link_type_strs:

    pos:        0
    flags:      02000000
    mnt_id:     13
    link_type:  (null)
    link_id:    4
    prog_tag:   bcf7977d3b93787c
    prog_id:    4
    ifindex:    1

Fixes: aa8d3a716b59 ("bpf, xdp: Add bpf_link-based XDP attachment API")
Signed-off-by: Lorenz Bauer
--- include/linux/bpf_types.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h index a9db1eae6796..ae3ac3a2018c 100644 --- a/include/linux/bpf_types.h +++ b/include/linux/bpf_types.h @@ -134,4 +134,5 @@ BPF_LINK_TYPE(BPF_LINK_TYPE_CGROUP, cgroup) BPF_LINK_TYPE(BPF_LINK_TYPE_ITER, iter) #ifdef CONFIG_NET BPF_LINK_TYPE(BPF_LINK_TYPE_NETNS, netns) +BPF_LINK_TYPE(BPF_LINK_TYPE_XDP, xdp) #endif -- 2.30.2
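
Review bot: nothing in this hunk stops the same out-of-range read from recurring the next time a link type is added to the enum without a matching BPF_LINK_TYPE() line; the single added line inside #ifdef CONFIG_NET only covers BPF_LINK_TYPE_XDP. Consider a follow-up that guards the bpf_link_type_strs lookup in bpf_link_show_fdinfo with a range check on the index and a fallback string, so a missing entry degrades to a placeholder in fdinfo instead of a read past the end of the table. Because the new entry sits inside the CONFIG_NET block next to netns, the table has no slot for it when CONFIG_NET is off; a sentence in the commit message confirming that XDP links cannot be created in that configuration would make the placement easier to review.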
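
The failure mode described in the commit message, reduced to a user-space sketch with a guarded lookup beside it. This is an added example, not code from the patch or the kernel; every demo_* / DEMO_* name and enum value is hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical link types; names and values are constructed for this sketch. */
enum demo_link_type {
	DEMO_LINK_UNSPEC = 0,
	DEMO_LINK_CGROUP,
	DEMO_LINK_ITER,
	DEMO_LINK_NETNS,
	DEMO_LINK_XDP,		/* the enum value exists ... */
	DEMO_LINK_MAX,
};

/* X-macro list standing in for bpf_types.h. DEMO_LINK_XDP is left out on
 * purpose, reproducing the gap the commit message describes. */
#define DEMO_LINK_TYPES(X)		\
	X(DEMO_LINK_CGROUP, cgroup)	\
	X(DEMO_LINK_ITER, iter)		\
	X(DEMO_LINK_NETNS, netns)

/* The string table is generated from the list, so it is only as long as the
 * highest listed index plus one: 4 slots here, for 5 enum values. */
#define DEMO_STR(type, name) [type] = #name,
static const char *const demo_link_strs[] = {
	[DEMO_LINK_UNSPEC] = "<invalid>",
	DEMO_LINK_TYPES(DEMO_STR)
};
#undef DEMO_STR

#define DEMO_ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* How many enum values have no slot in the generated table. */
size_t demo_missing_slots(void)
{
	return DEMO_LINK_MAX - DEMO_ARRAY_SIZE(demo_link_strs);
}

/* Guarded lookup: range-check the index and reject NULL holes, instead of
 * indexing the table directly with an unchecked type value. */
const char *demo_link_type_name(unsigned int type)
{
	if (type >= DEMO_ARRAY_SIZE(demo_link_strs) || !demo_link_strs[type])
		return "<unknown>";
	return demo_link_strs[type];
}
```

A compile-time assertion that the table size equals DEMO_LINK_MAX would reject this table at build time, which is the stronger check when every configuration is expected to list every type.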