Message-ID: <a6cb8004-50de-bcec-1f1b-b61b341fd8f4@oracle.com>
Date:   Mon, 20 Dec 2021 08:50:00 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.4.0
Subject: Re: [PATCH] bpf: check size before calling kvmalloc
Content-Language: en-CA
To:     Daniel Borkmann <daniel@iogearbox.net>, sdf@google.com,
        ast@kernel.org
Cc:     netdev@vger.kernel.org, bpf@vger.kernel.org,
        linux-kernel@vger.kernel.org
References: <1639766884-1210-1-git-send-email-george.kennedy@oracle.com>
 <395e51ca-2274-26ea-baf5-6353b0247214@iogearbox.net>
From:   George Kennedy <george.kennedy@oracle.com>
Organization: Oracle Corporation
In-Reply-To: <395e51ca-2274-26ea-baf5-6353b0247214@iogearbox.net>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?MG9paXhqK1NqME5STmJ2Qjd3b00xRFg0YWZoaVB0ZnViUmRIYytJYnpZR0hm?=
 =?utf-8?B?SFNZV3FSTGQ3eXRiMG96anJHMFJKUXVoMHJQenVlNDFDMkdoL1VRWWNEUWFC?=
 =?utf-8?B?dDhxYW5RT1ljTWJBaVV5ekxwTUE1ZWJTVHRKdmFjMTVHcTFKV0cwcHdrM3Zs?=
 =?utf-8?B?aHpKRFZzQTRjZ2xuUWFZMVdLUSt0MC9jMFBSeUdSNzdnMzl5c3dYaU5XYVN3?=
 =?utf-8?B?NmMyOS9Cb2d0YTBWZlEyWER1NTZQWjNHUkRWME0zUGVmOXdPRlhlSjRNVlRZ?=
 =?utf-8?B?TW1tUE81ck5SRFB5a2RLRHhNaG9yRkFQQlhMMHArU2hzZVd2WWV4TVNtcnpr?=
 =?utf-8?B?VEhIWTRGMGhpVllzQkIxN2lrL1JObXlBYVlhY0p3dVBSMk9XNEpqYWlwaVE2?=
 =?utf-8?B?UVg2TGNvNnhFWVdmOVZvWVQ2NzhqOVFyRTJWdzJZcHg4Y1lxYlhsaWJuNFNR?=
 =?utf-8?B?ZHFQN2lwRVp0cmVCcTFZOUhaaCtpNGtRZVRlamNsS1ZseFdZNForUFFuRU5Q?=
 =?utf-8?B?T05vQ0JiQmR5L0NnVDU1UDdKaFR1dlpLc0VOZC9yMFRjVXpRazNiZWlYSVNL?=
 =?utf-8?B?YlJKdUN6TEo3c1JOOTY5cllkTnVZL2JlOHMvMStLay9DRXRwT0d4dTdiRVpX?=
 =?utf-8?B?elgwdHhDYkk4R3ZBRlZTRjl4RzNDbEpBdldLZUJFQkZpNThVOG9wU2lkZ1Fj?=
 =?utf-8?B?T1lSZmhubEpEYTR3blhaUGdpbTg1OUJsMEs5Wjd4aTdnVFpIRzRNZ1dmZ3Qr?=
 =?utf-8?B?a3VZUzV3SVROdXJsRmpwSWNQd2pKZ2pHSjJ4YnU2UDRkUzFuVFUvR0lWR20y?=
 =?utf-8?B?Qy96QlpUdHVpQngrbmI2dWxHY3B0ZHJYQllRaWNoaU93M25pQk5BengydTlF?=
 =?utf-8?B?Y2EvYmhGQi9zWnF5UThJeVl3aXQvcDkxa3V5c2VuY3F4ZUN4NjF2NTRsTUtJ?=
 =?utf-8?B?VU5OMlhYQm9KeXJtUUk1ZFljVWdYUTJndlJXUUJwbnhGUVgxaTE0cC96THF1?=
 =?utf-8?B?bHBtZGc1VUpFY0lNU3VaY05UR0g3aWFNVmVJZWNmTTZEOVloNHF5dWVBa2Rj?=
 =?utf-8?B?NjhrbFhXcjE2dDdmQzJJQUhVQW5SVWphV3I4OWpQUGN0UVhwNWhhbndBb2hF?=
 =?utf-8?B?T2RVY3NkK3IwZmxkeXM5ZDI3WmYwTjkwd2libzBXWTNtb21YZ1hVZ3Q3Tlh6?=
 =?utf-8?B?ZXVYdnNDWkY5RVM5TGFLeU4rRkorbzF5RmdORGVWRHBLaitvS2FTSlFaZEdW?=
 =?utf-8?B?UzY5bHFtVHB0YU9DZGt0ak9iVzg5N2JZZnorUmE1VUIvTFJ3cU9KVWxTd09E?=
 =?utf-8?B?anY1M2xEeFBBU25WUHBsSTBVZlpoV3VCamplS0xjTFF3eFY1bHdxS3h2UENv?=
 =?utf-8?B?RG10czNnZ1A1VkJzYVR3SHVaanUwdk5Id29oQ1B1NlgxdlJzYlVUeTRVZVRw?=
 =?utf-8?B?cGNkQzcrUmhlWG01eXhZU1EvUFVsaWtrWWVXVWRUZDVGYkhESHFwUjlmMUR5?=
 =?utf-8?B?bERXdFYreG5BSnZXR1M2dkpkQWlZa3Y1ekNFa0RES1FBYmhOYzRxaThsSjJY?=
 =?utf-8?B?a2xqTmF2RVRQNVRhZUNmSys0aEtqSXV1MDVEOU1Ta2lGRXltSjJyNU1BTGRI?=
 =?utf-8?B?UUxZTnowZ1Q5elIxckhwQnFDZ3lSZjRKL2d1N1hXaUw2RTBmRjlFcHdlTEsy?=
 =?utf-8?B?UzFhMFU1S1BjNGpwek1ibEdXL3hQNzV2QkVCRDg5bFhtc2JpMWlCRGtsMEU4?=
 =?utf-8?B?em9BRmt0TkRvTzFNUmtDK3IrcURxbDNCN3U5KzV3UnBMUCtjWlJYVUFWZng3?=
 =?utf-8?B?S2o1WVBjQVh5dHBUMkVVeERqSXBGbE1zb2ZMU1p3NlcxZVhpdXBXSE5mRGF5?=
 =?utf-8?B?aktlUm9uclpRTEV4UDIzOUtBWjZvMWk5eEY4QXFrMWpaanFGYmZOZEZUREdX?=
 =?utf-8?B?bHJvR1IwUnR3VHc1TjVrMVFlZWtCMWFwd040elVxZmdMbnZvWC82bEgwWC9J?=
 =?utf-8?B?SEtVZ01oTWwzS3B5ZCsvbHhBZ1hydlNVRVhoVm9PUVdFSzhtS2Y0dXhpa09w?=
 =?utf-8?B?Z0NudXp4cFRTQ1BUVkN3b2hpcU4zdXVlZ2J5aVMzeGs3MHF1U2dTNlJWRWov?=
 =?utf-8?B?VkhDZ2VIakt0UmJzWWdYeEZkajZIWmxPb3RLSSt3dlVVQ3hrc2JneGtpZkVt?=
 =?utf-8?B?Zk1XR2x2RWZzeFNibjViT00zeXlFZWNkeGxON21DOE05U0hVc0RjaUt5S3ZF?=
 =?utf-8?B?ZHQzeGVqQUJLa282Ukc4SVJyVzlRPT0=?=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bc151bc4-96dc-40be-6336-08d9c3bf9fab
X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB3752.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Dec 2021 13:50:03.6333
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 96gC5+gKtE3J1xB7tk9H1NDhTKZsK5ocBecIpIWg5Hp+3Qi/Z7482lXdA8Td/XSoSqTPkKphgUDsGHv0VE923mpPMBsYUJrGGqZJOGcdbs4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5241
X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10203 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 malwarescore=0
 spamscore=0 phishscore=0 mlxscore=0 bulkscore=0 adultscore=0
 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2110150000 definitions=main-2112200079
X-Proofpoint-ORIG-GUID: KRfumoiHYXb78jqBuMPc-pCK76YPtIEs
X-Proofpoint-GUID: KRfumoiHYXb78jqBuMPc-pCK76YPtIEs
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 12/17/2021 5:45 PM, Daniel Borkmann wrote:
> On 12/17/21 7:48 PM, George Kennedy wrote:
>> ZERO_SIZE_PTR ((void *)16) is returned by kvmalloc() instead of NULL
>> if size is zero. Currently, return values from kvmalloc() are only
>> checked for NULL. Before calling kvmalloc() check for size of zero
>> and return error if size is zero to avoid the following crash.
>>
>> BUG: kernel NULL pointer dereference, address: 0000000000000000
>> PGD 1030bd067 P4D 1030bd067 PUD 103497067 PMD 0
>> Oops: 0010 [#1] PREEMPT SMP KASAN NOPTI
>> CPU: 1 PID: 15094 Comm: syz-executor344 Not tainted 5.16.0-rc1-syzk #1
>> Hardware name: Red Hat KVM, BIOS
>> RIP: 0010:0x0
>> Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
>> RSP: 0018:ffff888017627b78 EFLAGS: 00010246
>> RAX: 0000000000000000 RBX: ffff8880215d0780 RCX: ffffffff81b63c60
>> RDX: 0000000000000010 RSI: 0000000000000000 RDI: ffff8881035db400
>> RBP: ffff888017627f08 R08: ffffed1003697209 R09: ffffed1003697209
>> R10: ffff88801b4b9043 R11: ffffed1003697208 R12: ffffffff8f15d580
>> R13: 1ffff11002ec4f77 R14: ffff8881035db400 R15: 0000000000000000
>> FS:  00007f62bca78740(0000) GS:ffff888107880000(0000) 
>> knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: ffffffffffffffd6 CR3: 000000002282a000 CR4: 00000000000006e0
>> Call Trace:
>>   <TASK>
>>   map_get_next_key kernel/bpf/syscall.c:1279 [inline]
>>   __sys_bpf+0x384d/0x5b30 kernel/bpf/syscall.c:4612
>>   __do_sys_bpf kernel/bpf/syscall.c:4722 [inline]
>>   __se_sys_bpf kernel/bpf/syscall.c:4720 [inline]
>>   __x64_sys_bpf+0x7a/0xc0 kernel/bpf/syscall.c:4720
>>   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>>   do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
>>   entry_SYSCALL_64_after_hwframe+0x44/0xae
>>
>> Reported-by: syzkaller <syzkaller@googlegroups.com>
>> Signed-off-by: George Kennedy <george.kennedy@oracle.com>
>
> Could you provide some more details, e.g. which map type is this where we
> have to assume zero-sized keys everywhere?
>
> (Or link to syzkaller report could also work alternatively if public.)

I don't think the report is public. Here's the report and C reproducer:

#ifdef REF
Syzkaller hit 'BUG: unable to handle kernel NULL pointer dereference in 
bpf' bug.

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 1030bd067 P4D 1030bd067 PUD 103497067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 15094 Comm: syz-executor344 Not tainted 5.16.0-rc1-syzk #1
Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29 
04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffff888017627b78 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880215d0780 RCX: ffffffff81b63c60
RDX: 0000000000000010 RSI: 0000000000000000 RDI: ffff8881035db400
RBP: ffff888017627f08 R08: ffffed1003697209 R09: ffffed1003697209
R10: ffff88801b4b9043 R11: ffffed1003697208 R12: ffffffff8f15d580
R13: 1ffff11002ec4f77 R14: ffff8881035db400 R15: 0000000000000000
FS:  00007f62bca78740(0000) GS:ffff888107880000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000002282a000 CR4: 00000000000006e0
Call Trace:
  <TASK>
  map_get_next_key kernel/bpf/syscall.c:1279 [inline]
  __sys_bpf+0x384d/0x5b30 kernel/bpf/syscall.c:4612
  __do_sys_bpf kernel/bpf/syscall.c:4722 [inline]
  __se_sys_bpf kernel/bpf/syscall.c:4720 [inline]
  __x64_sys_bpf+0x7a/0xc0 kernel/bpf/syscall.c:4720
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f62bc36f289
Code: 01 00 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 
f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 
f0 ff ff 73 01 c3 48 8b 0d b7 db 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffccaa211e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f62bc36f289
RDX: 0000000000000020 RSI: 0000000020000080 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004006d0
R13: 00007ffccaa212d0 R14: 0000000000000000 R15: 0000000000000000
  </TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace d203e5a1836d64aa ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffff888017627b78 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880215d0780 RCX: ffffffff81b63c60
RDX: 0000000000000010 RSI: 0000000000000000 RDI: ffff8881035db400
RBP: ffff888017627f08 R08: ffffed1003697209 R09: ffffed1003697209
R10: ffff88801b4b9043 R11: ffffed1003697208 R12: ffffffff8f15d580
R13: 1ffff11002ec4f77 R14: ffff8881035db400 R15: 0000000000000000
FS:  00007f62bca78740(0000) GS:ffff888107880000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000002282a000 CR4: 00000000000006e0


Syzkaller reproducer:
# {Threaded:false Collide:false Repeat:false RepeatTimes:0 Procs:1 
Slowdown:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 Leak:false 
NetInjection:false NetDevices:false NetReset:false Cgroups:false 
BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false 
VhciInjection:false Wifi:false IEEE802154:false Sysctl:false 
UseTmpDir:false HandleSegv:false Repro:false Trace:false}
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000001480)={0x1e, 0x0, 0x2, 0x2, 0x0, 
0x1}, 0x40)
bpf$MAP_GET_NEXT_KEY(0x4, &(0x7f0000000080)={r0, 0x0, 0x0}, 0x20)


C reproducer:
#endif /* REF */
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
         syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
     syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
     syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
                 intptr_t res = 0;
*(uint32_t*)0x20001480 = 0x1e;
*(uint32_t*)0x20001484 = 0;
*(uint32_t*)0x20001488 = 2;
*(uint32_t*)0x2000148c = 2;
*(uint32_t*)0x20001490 = 0;
*(uint32_t*)0x20001494 = 1;
*(uint32_t*)0x20001498 = 0;
memset((void*)0x2000149c, 0, 16);
*(uint32_t*)0x200014ac = 0;
*(uint32_t*)0x200014b0 = -1;
*(uint32_t*)0x200014b4 = 0;
*(uint32_t*)0x200014b8 = 0;
*(uint32_t*)0x200014bc = 0;
     res = syscall(__NR_bpf, 0ul, 0x20001480ul, 0x40ul);
     if (res != -1)
         r[0] = res;
*(uint32_t*)0x20000080 = r[0];
*(uint64_t*)0x20000088 = 0;
*(uint64_t*)0x20000090 = 0;
*(uint64_t*)0x20000098 = 0;
     syscall(__NR_bpf, 4ul, 0x20000080ul, 0x20ul);
     return 0;
}

George

>
> Thanks,
> Daniel