Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp11157iob;
        Mon, 2 May 2022 10:42:55 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxwggJK9SYiQhthDZOLSCXh+ZUHPIMgNAdAZWmOTKtYEctuO3Kym9InYcN9sU1SM7ZUSaQs
X-Received: by 2002:a05:6a00:114e:b0:4c8:55f7:faad with SMTP id b14-20020a056a00114e00b004c855f7faadmr12286263pfm.86.1651513374837;
        Mon, 02 May 2022 10:42:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1651513374; cv=none;
        d=google.com; s=arc-20160816;
        b=ZDaSXa5E8FBvmJ2BU40DHRA2WjAK6cnOFz2GXR2A5o6vwdPniqohwEePETDF59poNs
         anA+KNwmrJr/WmgkFM87oZHg9Fh/TKz3lO8a1QdD/8l6+uleJWL7AyIom+qnNBXHvXTf
         ggwnoUgq3glYJrJaIbg5DU+5H5CpVv0UHNPwbtXCTczRoVmUIpIOXorRSSVnak91Lhm8
         1i5smvYRRhQrDQOWyFxwqI170kIBiKqcGz9qRcnVP9WZ0/CVygiYX0gqSzcwMy2b9OXV
         WZkgN3S4rD/ltwrgcFn4KwLXjKyuoRCB/Eif4uc5TmwrMoRatj+MyzsCHq70vJhVeZ66
         CKHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=1eOVFR2q8q3lvbd29lvJ1j5JrY5pvSCGnPmcqHjs0c0=;
        b=OjYr6i/5krmUM/fqXvqOiG1gt2FMoccohaAnwaFrREFWHMgYT4/SrCv8fBVf4C116T
         0mfrn5kGr8Vmdb8OJEW1KrUflmbwtSQ9m/1jCcEk5zsTOmr7Cqmwpjur7iXVL4sVyjE6
         Iun39j+I4pss3WW4S1JOem/EGZjpvmm0/ogGnj2MXwO3Ijcyq0UzrAPfV4DUDRzyvnsJ
         Io760DRoiXU6XBnqVckoBtthTDjIQ+n00wwrAaOc0F0GnZaw/2iWg+6g+6JLaetnSSf2
         3CEO3dSsAB2+vs66he56dxEFeqU2rVkN5X8juzeLSHUvkR2ZWCg2Zi/GaEu+PfDtoTFs
         Q+Lg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=bpEHM6Ek;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id y16-20020a17090a6c9000b001d288bfa699si13913276pjj.126.2022.05.02.10.42.37;
        Mon, 02 May 2022 10:42:54 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=bpEHM6Ek;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1357853AbiD2Kqo (ORCPT <rfc822;andreykovskii@gmail.com>
        + 99 others); Fri, 29 Apr 2022 06:46:44 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58736 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S245509AbiD2KqD (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 29 Apr 2022 06:46:03 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 63437C749C;
        Fri, 29 Apr 2022 03:42:36 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 01CD862325;
        Fri, 29 Apr 2022 10:42:36 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id C82ADC385A4;
        Fri, 29 Apr 2022 10:42:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1651228955;
        bh=OEBy9BIJsvJj8QlMo6Gd+ZfXJ26Uwm0qSRRilNBekfY=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=bpEHM6Ekg66RxowrLo8kxZJXWHyl4OeowUp/AFoRkbDf7dpxuw5atiJ/bYtFvMGzy
         Uzlxhpp1wahM4Lv7kYshlJX6hk8yCJYs1iZm1nxb7+lGxAQAvBOz2oxAiFI2/ISavX
         FvthfY02940hAhtz6iMkSGEGVpLlk/vkwoN6lOOw=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Kumar Kartikeya Dwivedi <memxor@gmail.com>,
        Hao Luo <haoluo@google.com>,
        Alexei Starovoitov <ast@kernel.org>
Subject: [PATCH 5.15 11/33] bpf: Fix crash due to out of bounds access into reg2btf_ids.
Date:   Fri, 29 Apr 2022 12:41:58 +0200
Message-Id: <20220429104052.672989921@linuxfoundation.org>
X-Mailer: git-send-email 2.36.0
In-Reply-To: <20220429104052.345760505@linuxfoundation.org>
References: <20220429104052.345760505@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Kumar Kartikeya Dwivedi <memxor@gmail.com>

commit 45ce4b4f9009102cd9f581196d480a59208690c1 upstream

When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added
kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier
reg type to the appropriate btf_vmlinux BTF ID, however
commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after
the base register types, and defined other variants using type flag
composition. However, now, the direct usage of reg->type to index into
reg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to
out of bounds access and kernel crash on dereference of bad pointer.

[backport note: commit 3363bd0cfbb80 ("bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM
 argument support") was introduced after 5.15 and contains an out of bound
 reg2btf_ids access. Since that commit hasn't been backported, this patch
 doesn't include fix to that access. If we backport that commit in future,
 we need to fix its faulting access as well.]

Fixes: c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Hao Luo <haoluo@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20220216201943.624869-1-memxor@gmail.com
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/btf.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -5510,9 +5510,9 @@ static int btf_check_func_arg_match(stru
 			if (reg->type == PTR_TO_BTF_ID) {
 				reg_btf = reg->btf;
 				reg_ref_id = reg->btf_id;
-			} else if (reg2btf_ids[reg->type]) {
+			} else if (reg2btf_ids[base_type(reg->type)]) {
 				reg_btf = btf_vmlinux;
-				reg_ref_id = *reg2btf_ids[reg->type];
+				reg_ref_id = *reg2btf_ids[base_type(reg->type)];
 			} else {
 				bpf_log(log, "kernel function %s args#%d expected pointer to %s %s but R%d is not a pointer to btf_id\n",
 					func_name, i,