Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp82938pxb; Mon, 13 Sep 2021 13:33:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzFV4Emgo21IabYMVUUMgBrNEmrPDSRaKvjaKe/E2NTMRSI8iCll3CrvKLUWpmy+RK+u37z X-Received: by 2002:a17:906:8517:: with SMTP id i23mr14121998ejx.367.1631565226687; Mon, 13 Sep 2021 13:33:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631565226; cv=none; d=google.com; s=arc-20160816; b=mCXlldziUPTDjwoq7nQoBDWuxRhzIFmf4kI5Me9Rt43d6CA+76JZhe23Alhv5pbJi1 3HucI9yiKzvJxjnYqeptRAEIok0VhbHhoT9Mf1sJJXEz23kbOoLilVyoXk9gMKNk+5zk J9araYWZS2lmr1MWkxEtViAs0BhZw1bga0IOo/RhMfJzRdsnIVhfocVWZt2uIjA21Syu 0Bk74IVomeKauA7LbArdHtL21BP1xEccfvDz1KtAfTNO4NbzjG1seYv3ttLMFgdis13n IBxhUAA4ZuwQ5oUdQ8b+6hkSCFCn6yOvkIm9v6rubBig07NE4gflYX7chORqaDhmeGxL Rx8g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=+OuiJgaAy9rBbziLd3yLvbsg7SIpQbq5D+8YT9n/Xm4=; b=pmlKML4NZmtyY1cw7hwxbwpmPJHSqL5AnU8+nKGobE12DTumw9Cc/Ygi1EFjV7aNEl GQXM/sb8jPb379Pk5co+R0GIRhCPkZ4KQPr/a0a2oa+2y9IOjSKZ9f1cd41j2esLxEcG Z5xWtdbWubWLu5QTTjT2dcSlXQ9J5hQFm+P3DBzR48HIDTNCBoe5omhjWS4lDUZdWxGA F/eYo/2JdQqeeZaWJzEqm/dciVZMiw1M6OZ34vT6wIQE8ssmFqHFMKpwEFlhtMyMUeau 70qZLH0ZubTWox+eZChC0KGTXqxEVvw1+I7bUyb+rWKZ6zPPRrEQKFgVMH+NatmOQ4wI 6Bjg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=TAiHbgzh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n13si6563841edt.68.2021.09.13.13.33.23; Mon, 13 Sep 2021 13:33:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=TAiHbgzh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241432AbhIMNic (ORCPT + 99 others); Mon, 13 Sep 2021 09:38:32 -0400 Received: from mail.kernel.org ([198.145.29.99]:34434 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240592AbhIMNdg (ORCPT ); Mon, 13 Sep 2021 09:33:36 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 0016B613A1; Mon, 13 Sep 2021 13:26:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1631539575; bh=n0xECGA7Aa7dSr2TdWQ0gbsVXkxXFHey0L4XmPXWOKU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TAiHbgzh8s9ThaYAWK4jeohZ6NEsynt3bzDiMYJ1UjAL2K9F0I1YLAjjh7Gwh2awt AeKRSF6CQw4Ul8AvUUaS/QmE93avcc9Kr9nSpFvzD2z8nG9a32gKk2Ygqo66/ORzSZ AxLcSoHCZ/X8GIBuXBZfPs+V+vhLeAt9zjmkd3RE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, He Fengqing , Alexei Starovoitov , Song Liu , Sasha Levin Subject: [PATCH 5.10 078/236] bpf: Fix potential memleak and UAF in the verifier. Date: Mon, 13 Sep 2021 15:13:03 +0200 Message-Id: <20210913131103.013186287@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210913131100.316353015@linuxfoundation.org> References: <20210913131100.316353015@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: He Fengqing [ Upstream commit 75f0fc7b48ad45a2e5736bcf8de26c8872fe8695 ] In bpf_patch_insn_data(), we first use the bpf_patch_insn_single() to insert new instructions, then use adjust_insn_aux_data() to adjust insn_aux_data. If the old env->prog have no enough room for new inserted instructions, we use bpf_prog_realloc to construct new_prog and free the old env->prog. There have two errors here. First, if adjust_insn_aux_data() return ENOMEM, we should free the new_prog. Second, if adjust_insn_aux_data() return ENOMEM, bpf_patch_insn_data() will return NULL, and env->prog has been freed in bpf_prog_realloc, but we will use it in bpf_check(). So in this patch, we make the adjust_insn_aux_data() never fails. In bpf_patch_insn_data(), we first pre-malloc memory for the new insn_aux_data, then call bpf_patch_insn_single() to insert new instructions, at last call adjust_insn_aux_data() to adjust insn_aux_data. Fixes: 8041902dae52 ("bpf: adjust insn_aux_data when patching insns") Signed-off-by: He Fengqing Signed-off-by: Alexei Starovoitov Acked-by: Song Liu Link: https://lore.kernel.org/bpf/20210714101815.164322-1-hefengqing@huawei.com Signed-off-by: Sasha Levin --- kernel/bpf/verifier.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 29d4f4e37595..78f24b19f6b1 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -10456,10 +10456,11 @@ static void convert_pseudo_ld_imm64(struct bpf_verifier_env *env) * insni[off, off + cnt). Adjust corresponding insn_aux_data by copying * [0, off) and [off, end) to new locations, so the patched range stays zero */ -static int adjust_insn_aux_data(struct bpf_verifier_env *env, - struct bpf_prog *new_prog, u32 off, u32 cnt) +static void adjust_insn_aux_data(struct bpf_verifier_env *env, + struct bpf_insn_aux_data *new_data, + struct bpf_prog *new_prog, u32 off, u32 cnt) { - struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data; + struct bpf_insn_aux_data *old_data = env->insn_aux_data; struct bpf_insn *insn = new_prog->insnsi; u32 old_seen = old_data[off].seen; u32 prog_len; @@ -10472,12 +10473,9 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, old_data[off].zext_dst = insn_has_def32(env, insn + off + cnt - 1); if (cnt == 1) - return 0; + return; prog_len = new_prog->len; - new_data = vzalloc(array_size(prog_len, - sizeof(struct bpf_insn_aux_data))); - if (!new_data) - return -ENOMEM; + memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off); memcpy(new_data + off + cnt - 1, old_data + off, sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1)); @@ -10488,7 +10486,6 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, } env->insn_aux_data = new_data; vfree(old_data); - return 0; } static void adjust_subprog_starts(struct bpf_verifier_env *env, u32 off, u32 len) @@ -10523,6 +10520,14 @@ static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 of const struct bpf_insn *patch, u32 len) { struct bpf_prog *new_prog; + struct bpf_insn_aux_data *new_data = NULL; + + if (len > 1) { + new_data = vzalloc(array_size(env->prog->len + len - 1, + sizeof(struct bpf_insn_aux_data))); + if (!new_data) + return NULL; + } new_prog = bpf_patch_insn_single(env->prog, off, patch, len); if (IS_ERR(new_prog)) { @@ -10530,10 +10535,10 @@ static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 of verbose(env, "insn %d cannot be patched due to 16-bit range\n", env->insn_aux_data[off].orig_idx); + vfree(new_data); return NULL; } - if (adjust_insn_aux_data(env, new_prog, off, len)) - return NULL; + adjust_insn_aux_data(env, new_data, new_prog, off, len); adjust_subprog_starts(env, off, len); adjust_poke_descs(new_prog, off, len); return new_prog; -- 2.30.2