From: Tadeusz Struk
Date: Tue, 12 Apr 2022 07:44:53 -0700
Subject: Re: [PATCH] bpf: Fix KASAN use-after-free Read in compute_effective_progs
To: bpf@vger.kernel.org
Cc: Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, netdev@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+f264bffdfbd5614f3bb2@syzkaller.appspotmail.com, Alexei Starovoitov
References: <20220405170356.43128-1-tadeusz.struk@linaro.org>
In-Reply-To: <20220405170356.43128-1-tadeusz.struk@linaro.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/5/22 10:03, Tadeusz Struk wrote:
> Syzbot found a Use After Free bug in compute_effective_progs().
> The reproducer creates a number of BPF links, and causes a fault-
> injected alloc to fail, while calling bpf_link_detach on them.
> Link detach triggers the link to be freed by bpf_link_free(),
> which calls __cgroup_bpf_detach() and update_effective_progs().
> If the memory allocation in this function fails, the function restores
> the pointer to the bpf_cgroup_link on the cgroup list, but the memory
> gets freed just after it returns. After this, every subsequent call to
> update_effective_progs() causes this already deallocated pointer to be
> dereferenced in prog_list_length(), and triggers a KASAN UAF error.
> To fix this, don't preserve the pointer to the link on the cgroup list
> in __cgroup_bpf_detach(), but proceed with the cleanup and retry calling
> update_effective_progs() again afterwards.
>
> Cc: "Alexei Starovoitov"
> Cc: "Daniel Borkmann"
> Cc: "Andrii Nakryiko"
> Cc: "Martin KaFai Lau"
> Cc: "Song Liu"
> Cc: "Yonghong Song"
> Cc: "John Fastabend"
> Cc: "KP Singh"
> Cc:
> Cc:
> Cc:
> Cc:
>
> Link: https://syzkaller.appspot.com/bug?id=8ebf179a95c2a2670f7cf1ba62429ec044369db4
> Fixes: af6eea57437a ("bpf: Implement bpf_link-based cgroup BPF program attachment")
> Reported-by:
> Signed-off-by: Tadeusz Struk > --- > kernel/bpf/cgroup.c | 25 ++++++++++++++----------- > 1 file changed, 14 insertions(+), 11 deletions(-) > > diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c > index 128028efda64..b6307337a3c7 100644 > --- a/kernel/bpf/cgroup.c > +++ b/kernel/bpf/cgroup.c > @@ -723,10 +723,11 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog, > pl->link = NULL; > > err = update_effective_progs(cgrp, atype); > - if (err) > - goto cleanup; > - > - /* now can actually delete it from this cgroup list */ > + /* > + * Proceed regardless of error. The link and/or prog will be freed > + * just after this function returns so just delete it from this > + * cgroup list and retry calling update_effective_progs again later. > + */ > list_del(&pl->node); > kfree(pl); > if (list_empty(progs)) > @@ -735,12 +736,11 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog, > if (old_prog) > bpf_prog_put(old_prog); > static_branch_dec(&cgroup_bpf_enabled_key[atype]); > - return 0; > > -cleanup: > - /* restore back prog or link */ > - pl->prog = old_prog; > - pl->link = link; > + /* In case of error call update_effective_progs again */ > + if (err) > + err = update_effective_progs(cgrp, atype); > + > return err; > } > > @@ -881,6 +881,7 @@ static void bpf_cgroup_link_release(struct bpf_link *link) > struct bpf_cgroup_link *cg_link = > container_of(link, struct bpf_cgroup_link, link); > struct cgroup *cg; > + int err; > > /* link might have been auto-detached by dying cgroup already, > * in that case our work is done here 
> @@ -896,8 +897,10 @@ static void bpf_cgroup_link_release(struct bpf_link *link) > return; > } > > - WARN_ON(__cgroup_bpf_detach(cg_link->cgroup, NULL, cg_link, > - cg_link->type)); > + err = __cgroup_bpf_detach(cg_link->cgroup, NULL, cg_link, > + cg_link->type); > + if (err) > + pr_warn("cgroup_bpf_detach() failed, err %d\n", err); > > cg = cg_link->cgroup; > cg_link->cgroup = NULL; Hi, Any feedback/comments on this one? -- Thanks, Tadeusz
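Review bot: in the first hunk of __cgroup_bpf_detach() (the one replacing `goto cleanup`), the new comment states as fact that "The link and/or prog will be freed just after this function returns", but this patch only changes the link-release caller; the function also takes a `prog` argument for the program-based detach path, so either document that both callers drop their reference after return or limit the comment to what this function itself guarantees. The comment should also say what state the cgroup's effective program array is in once `update_effective_progs()` has failed and `pl` is nonetheless unlinked and freed, since that window is exactly what the removed `goto cleanup` existed to avoid.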
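Review bot: in the second hunk (the `cleanup:` removal), the retry `if (err) err = update_effective_progs(cgrp, atype);` runs after `bpf_prog_put(old_prog)` and `static_branch_dec(...)` and repeats the same allocation that just failed; if it fails again the function now returns an error with nothing left to restore (the label and `pl->prog = old_prog; pl->link = link;` are gone), so the effective array stays stale until a later attach or detach rebuilds it. The new comment should state plainly that a second failure is not recoverable at this point and what the caller is expected to do with the error. Also confirm that no other `goto cleanup` remains elsewhere in the function: the hunk deletes the label but shows only one jump to it being removed.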
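Review bot: in the last hunk (bpf_cgroup_link_release), the string in `pr_warn("cgroup_bpf_detach() failed, err %d\n", err);` names a function other than the one called (`__cgroup_bpf_detach()`), and the message carries no identifying detail; including `cg_link->type`, which is already at hand in the call, would help triage. Replacing `WARN_ON()` with an unconditional `pr_warn()` also trades a one-shot stack trace for a log line that can be emitted on every failed release under fault injection or memory pressure, so a rate-limited form (`pr_warn_ratelimited`) or `WARN_ON_ONCE` would be the safer choice. Since the release continues regardless of `err` (`cg_link->cgroup = NULL` follows), the remaining case where both `update_effective_progs()` attempts failed should be described in the comment above the call, because at that point the effective array was never rebuilt and the error is only logged.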