From: Tadeusz Struk
To: bpf@vger.kernel.org
Cc: Tadeusz Struk, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, netdev@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+f264bffdfbd5614f3bb2@syzkaller.appspotmail.com
Subject: [PATCH] bpf: Fix KASAN use-after-free Read in compute_effective_progs
Date: Tue, 5 Apr 2022 10:03:56 -0700
Message-Id: <20220405170356.43128-1-tadeusz.struk@linaro.org>
X-Mailer: git-send-email 2.35.1
X-Mailing-List: linux-kernel@vger.kernel.org

Syzbot found a use-after-free bug in compute_effective_progs(). The reproducer creates a number of BPF links, and causes a fault-injected alloc to fail while calling bpf_link_detach on them. Link detach triggers the link to be freed by bpf_link_free(), which calls __cgroup_bpf_detach() and update_effective_progs(). If the memory allocation in this function fails, the function restores the pointer to the bpf_cgroup_link on the cgroup list, but the memory gets freed just after it returns. After this, every subsequent call to update_effective_progs() causes this already deallocated pointer to be dereferenced in prog_list_length(), and triggers a KASAN UAF error.

To fix this, don't preserve the pointer to the link on the cgroup list in __cgroup_bpf_detach(), but proceed with the cleanup and retry calling update_effective_progs() again afterwards.
Cc: "Alexei Starovoitov" Cc: "Daniel Borkmann" Cc: "Andrii Nakryiko" Cc: "Martin KaFai Lau" Cc: "Song Liu" Cc: "Yonghong Song" Cc: "John Fastabend" Cc: "KP Singh" Cc: Cc: Cc: Cc: Link: https://syzkaller.appspot.com/bug?id=8ebf179a95c2a2670f7cf1ba62429ec044369db4 Fixes: af6eea57437a ("bpf: Implement bpf_link-based cgroup BPF program attachment") Reported-by: Signed-off-by: Tadeusz Struk --- kernel/bpf/cgroup.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c index 128028efda64..b6307337a3c7 100644 --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c @@ -723,10 +723,11 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog, pl->link = NULL; err = update_effective_progs(cgrp, atype); - if (err) - goto cleanup; - - /* now can actually delete it from this cgroup list */ + /* + * Proceed regardless of error. The link and/or prog will be freed + * just after this function returns so just delete it from this + * cgroup list and retry calling update_effective_progs again later. + */ list_del(&pl->node); kfree(pl); if (list_empty(progs)) @@ -735,12 +736,11 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog, if (old_prog) bpf_prog_put(old_prog); static_branch_dec(&cgroup_bpf_enabled_key[atype]); - return 0; -cleanup: - /* restore back prog or link */ - pl->prog = old_prog; - pl->link = link; + /* In case of error call update_effective_progs again */ + if (err) + err = update_effective_progs(cgrp, atype); + return err; } @@ -881,6 +881,7 @@ static void bpf_cgroup_link_release(struct bpf_link *link) struct bpf_cgroup_link *cg_link = container_of(link, struct bpf_cgroup_link, link); struct cgroup *cg; + int err; /* link might have been auto-detached by dying cgroup already, * in that case our work is done here 
@@ -896,8 +897,10 @@ static void bpf_cgroup_link_release(struct bpf_link *link) return; } - WARN_ON(__cgroup_bpf_detach(cg_link->cgroup, NULL, cg_link, - cg_link->type)); + err = __cgroup_bpf_detach(cg_link->cgroup, NULL, cg_link, + cg_link->type); + if (err) + pr_warn("cgroup_bpf_detach() failed, err %d\n", err); cg = cg_link->cgroup; cg_link->cgroup = NULL; -- 2.35.1
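Review bot: the new comment in the first hunk of __cgroup_bpf_detach() says the link and/or prog "will be freed just after this function returns", which holds for the link path (bpf_link_free() runs after bpf_cgroup_link_release()) but not for the prog path: the unchanged context a few lines below shows `if (old_prog) bpf_prog_put(old_prog);` inside this very function, so for a prog detach the reference is dropped here, before any retry. Reword the comment to say the node is removed unconditionally because neither caller keeps the link or prog alive after an error, and state plainly that a failed first call leaves the effective arrays holding the detached program until a later rebuild succeeds.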
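Review bot: the retry `if (err) err = update_effective_progs(cgrp, atype);` in the second hunk goes through the same allocation that just failed, so under the memory pressure that caused the first failure it can fail again; by then `list_del(&pl->node); kfree(pl);` has run, `bpf_prog_put(old_prog)` has dropped the prog reference and `static_branch_dec()` has fired, while the effective arrays that update_effective_progs() failed to rebuild still reference the detached program. That moves the dangling pointer from the prog list into the effective arrays rather than removing it. Consider a non-allocating fallback for the error path, for example dropping the detached prog from the existing effective arrays in place, and document above `return err;` that a nonzero return now means "unlinked, but effective arrays not rebuilt" rather than "nothing changed": the prog-detach caller otherwise reports an error for a program that has in fact been unlinked and put.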
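Review bot: the pr_warn() added in bpf_cgroup_link_release() names `cgroup_bpf_detach()` but the function called is `__cgroup_bpf_detach()`; use the real name so the log line can be grepped to the failing function. Replacing WARN_ON() with pr_warn() also drops the backtrace and the WARNING that syzbot-style tooling keys on, although the condition still means the retry failed and the effective arrays are stale; either keep WARN_ON_ONCE(), or use pr_warn_once() with the error code and say in the comment why the failure is tolerable after the retry.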
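The failure sequence in the description above, and what the patch's unlink-then-retry changes, as an added C model that is not part of the patch or of the kernel: the names link_model, pl_model, cgroup_model, update_effective, detach, run_scenario and the alloc_failures_left knob are assumptions of this toy, standing in for bpf_cgroup_link, bpf_prog_list, cgrp->bpf, update_effective_progs(), __cgroup_bpf_detach() and failslab. A link is never free()d; a "freed" flag plays the role of KASAN's quarantine so the dangling dereference is detected instead of crashing.

```c
/* Toy model of the __cgroup_bpf_detach() bookkeeping described above. Constructed
 * for this example; none of it is kernel code and none of the names are kernel APIs. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#define MAX_PROGS 8

struct link_model { int prog_id; bool freed; };	/* bpf_cgroup_link; "freed" models kfree() */
struct pl_model { struct link_model *link; };	/* bpf_prog_list node */
struct cgroup_model {
	struct pl_model *progs[MAX_PROGS];	/* cgrp->bpf.progs[atype] */
	int nprogs;
	int effective[MAX_PROGS], neffective;	/* cgrp->bpf.effective[atype] as prog ids */
};

static int alloc_failures_left;	/* fault-injection knob, like failslab */

/* update_effective_progs(): dereferences every pl->link while walking the list (as
 * prog_list_length() does), then needs an allocation. -EFAULT marks the KASAN hit. */
static int update_effective(struct cgroup_model *cg)
{
	int ids[MAX_PROGS], n = 0;
	for (int i = 0; i < cg->nprogs; i++) {
		struct link_model *l = cg->progs[i]->link;
		if (!l)			/* detach in progress */
			continue;
		if (l->freed)
			return -EFAULT;
		ids[n++] = l->prog_id;
	}
	if (alloc_failures_left > 0) {	/* the alloc in compute_effective_progs() */
		alloc_failures_left--;
		return -ENOMEM;
	}
	for (int i = 0; i < n; i++)
		cg->effective[i] = ids[i];
	cg->neffective = n;
	return 0;
}

static void remove_pl(struct cgroup_model *cg, int idx)	/* list_del + kfree(pl) */
{
	free(cg->progs[idx]);
	for (int i = idx; i + 1 < cg->nprogs; i++)
		cg->progs[i] = cg->progs[i + 1];
	cg->nprogs--;
}

/* Pre-patch: on rebuild failure put the link back on its node although the caller
 * frees the link anyway. Patched: unlink the node regardless and retry once. */
static int detach(struct cgroup_model *cg, struct link_model *link, bool patched)
{
	int idx = -1, err;
	for (int i = 0; i < cg->nprogs; i++)
		if (cg->progs[i]->link == link)
			idx = i;
	if (idx < 0)
		return -ENOENT;
	cg->progs[idx]->link = NULL;
	err = update_effective(cg);
	if (err && !patched) {
		cg->progs[idx]->link = link;	/* dangles once link is freed */
		return err;
	}
	remove_pl(cg, idx);
	if (err)
		err = update_effective(cg);	/* the patch's retry */
	return err;
}

/* detach_err: what __cgroup_bpf_detach() returned; effective_stale: detached prog
 * still in effective[]; uaf: the next rebuild touched the freed link. */
struct outcome { int detach_err; bool effective_stale; bool uaf; };

/* Reproducer shape: two links attached, "failures" allocation failures injected while
 * the first is released through bpf_link_free() (which frees the link whatever
 * detach returned), then one more rebuild as the next attach/detach would do. */
struct outcome run_scenario(bool patched, int failures)
{
	struct cgroup_model cg = { 0 };
	struct link_model a = { .prog_id = 1 }, b = { .prog_id = 2 };
	struct outcome o = { 0 };
	alloc_failures_left = 0;
	for (int i = 0; i < 2; i++) {		/* attach a, then b */
		cg.progs[cg.nprogs] = malloc(sizeof(struct pl_model));
		if (!cg.progs[cg.nprogs])
			abort();
		cg.progs[cg.nprogs++]->link = i ? &b : &a;
		update_effective(&cg);
	}
	alloc_failures_left = failures;
	o.detach_err = detach(&cg, &a, patched);
	a.freed = true;				/* kfree() in bpf_link_free() */
	for (int i = 0; i < cg.neffective; i++)
		o.effective_stale |= (cg.effective[i] == a.prog_id);
	alloc_failures_left = 0;
	o.uaf = update_effective(&cg) == -EFAULT;
	while (cg.nprogs)
		remove_pl(&cg, 0);
	return o;
}
```

run_scenario(false, 1) reproduces the report: the restored pl->link is dereferenced on the next rebuild after the link has been freed. run_scenario(true, 1) shows the patched flow recovering on the retry, and run_scenario(true, 2) shows the case the retry does not cover: both allocations fail, the node is already gone, and effective[] still lists the detached program.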