Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp3053855rwe; Mon, 29 Aug 2022 05:12:26 -0700 (PDT) X-Google-Smtp-Source: AA6agR7uaviWtS2s5qy/Vbe0yVEe1TnUEpVPyfcgTHcOLdLBn6ovC9AlMJAgTy4KYupNio9C/uu4 X-Received: by 2002:a17:907:7b92:b0:72b:67fb:8985 with SMTP id ne18-20020a1709077b9200b0072b67fb8985mr12635663ejc.569.1661775146034; Mon, 29 Aug 2022 05:12:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661775146; cv=none; d=google.com; s=arc-20160816; b=mQk1yKtTRZLJF3s1gY3ZBJVC+pj/WkRlscU3SGD8WxHWo6JBXxRm9eWLnDkOY5ttG8 Zc/CvPC03Bk4FnpYuvMF6ULw905Efy22gMQUBx91WtFlKrHsDLF7MEwY3tijWIJUE9Kf Res8ulc45yZk++GcFU22OB0UmkgUU6/Ds0JCwwgfjmmOjcxyELI58dZkAdqKdszU5gz6 y5xIRVM7WlKmWWlkjm88fsbBtcuI0fKzgpY2q96vXaKgzNOYyHlX6dIcZ6uUWuA5ikcH POTPQenCFfblim4hIe42bt5AtY0NZKhb6u+deogzDJ6PkwvRLZWsRzuunHTBh4T3tRE8 beCw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=jQ96Vx6zn5DpsLECo/3oqiTFycUaee4jrSt68HXEkW4=; b=d1cEDrns22/iHGIbW+Lk5Nb7LrEZKM03HpRmbAh6W5nprZ10iolKRaB0W+vLS1f8Hj 6/yRZqbldyHz3nyp2YosH/x47xaGq7jtJYRCGR3GuZ+5vPLOPEa8RJtiZE6td5wnn+1v DdE5zC+eURM9gKA9P65027qOudJu9euWgzyDUscIOxZSWab/YMAtgyxXlguyMNU0Fdx8 bQg61thcRSJrLMqqYdTZDnfDGbrIJ/mUroJWykeWaHqRxQuxPcU7pL1sQmwBJfCfstj6 igreliBxk63uFr/fM/nMm8E3VQMFa5dx8MBETqBX6p0SGPC6YFN46ildF05L4rApsK8P Vd7w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="aR0/3iGO"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id my17-20020a1709065a5100b00711da52c6e4si5387332ejc.309.2022.08.29.05.11.52; Mon, 29 Aug 2022 05:12:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="aR0/3iGO"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232215AbiH2L12 (ORCPT + 99 others); Mon, 29 Aug 2022 07:27:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46500 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231944AbiH2LZG (ORCPT ); Mon, 29 Aug 2022 07:25:06 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C33DC76970; Mon, 29 Aug 2022 04:16:02 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 25323B80FA7; Mon, 29 Aug 2022 11:15:45 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 632B5C433C1; Mon, 29 Aug 2022 11:15:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661771743; bh=HfDtiuA9iBa7GfZo9hpjRgzirIQnn3ZJhYVhiJK9XF0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aR0/3iGOOd3Nq0yENP83sbx965kULxUswyXLbscQnvKmX9SRcFAFaxKfrF8jKWEK+ kSirEuyRmou4xujZWdfgEWky66GHuWbOiYzf7wH044F0PRXWsx4T9cC595Q10CI/ue mJTyx+gtInoUKrGTLccwbm2UiqD7+RZy5ttpxjTM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hsin-Wei Hung , Daniel Borkmann , Shung-Hsi Yu , John Fastabend , Alexei Starovoitov Subject: [PATCH 5.10 86/86] bpf: Dont use tnum_range on array range checking for poke descriptors Date: Mon, 29 Aug 2022 12:59:52 +0200 Message-Id: <20220829105800.058074303@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220829105756.500128871@linuxfoundation.org> References: <20220829105756.500128871@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Daniel Borkmann commit a657182a5c5150cdfacb6640aad1d2712571a409 upstream. Hsin-Wei reported a KASAN splat triggered by their BPF runtime fuzzer which is based on a customized syzkaller: BUG: KASAN: slab-out-of-bounds in bpf_int_jit_compile+0x1257/0x13f0 Read of size 8 at addr ffff888004e90b58 by task syz-executor.0/1489 CPU: 1 PID: 1489 Comm: syz-executor.0 Not tainted 5.19.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: dump_stack_lvl+0x9c/0xc9 print_address_description.constprop.0+0x1f/0x1f0 ? bpf_int_jit_compile+0x1257/0x13f0 kasan_report.cold+0xeb/0x197 ? kvmalloc_node+0x170/0x200 ? bpf_int_jit_compile+0x1257/0x13f0 bpf_int_jit_compile+0x1257/0x13f0 ? arch_prepare_bpf_dispatcher+0xd0/0xd0 ? rcu_read_lock_sched_held+0x43/0x70 bpf_prog_select_runtime+0x3e8/0x640 ? bpf_obj_name_cpy+0x149/0x1b0 bpf_prog_load+0x102f/0x2220 ? __bpf_prog_put.constprop.0+0x220/0x220 ? find_held_lock+0x2c/0x110 ? __might_fault+0xd6/0x180 ? lock_downgrade+0x6e0/0x6e0 ? lock_is_held_type+0xa6/0x120 ? __might_fault+0x147/0x180 __sys_bpf+0x137b/0x6070 ? bpf_perf_link_attach+0x530/0x530 ? new_sync_read+0x600/0x600 ? __fget_files+0x255/0x450 ? lock_downgrade+0x6e0/0x6e0 ? fput+0x30/0x1a0 ? ksys_write+0x1a8/0x260 __x64_sys_bpf+0x7a/0xc0 ? syscall_enter_from_user_mode+0x21/0x70 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f917c4e2c2d The problem here is that a range of tnum_range(0, map->max_entries - 1) has limited ability to represent the concrete tight range with the tnum as the set of resulting states from value + mask can result in a superset of the actual intended range, and as such a tnum_in(range, reg->var_off) check may yield true when it shouldn't, for example tnum_range(0, 2) would result in 00XX -> v = 0000, m = 0011 such that the intended set of {0, 1, 2} is here represented by a less precise superset of {0, 1, 2, 3}. As the register is known const scalar, really just use the concrete reg->var_off.value for the upper index check. Fixes: d2e4c1e6c294 ("bpf: Constant map key tracking for prog array pokes") Reported-by: Hsin-Wei Hung Signed-off-by: Daniel Borkmann Cc: Shung-Hsi Yu Acked-by: John Fastabend Link: https://lore.kernel.org/r/984b37f9fdf7ac36831d2137415a4a915744c1b6.1661462653.git.daniel@iogearbox.net Signed-off-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman --- kernel/bpf/verifier.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -5282,8 +5282,7 @@ record_func_key(struct bpf_verifier_env struct bpf_insn_aux_data *aux = &env->insn_aux_data[insn_idx]; struct bpf_reg_state *regs = cur_regs(env), *reg; struct bpf_map *map = meta->map_ptr; - struct tnum range; - u64 val; + u64 val, max; int err; if (func_id != BPF_FUNC_tail_call) @@ -5293,10 +5292,11 @@ record_func_key(struct bpf_verifier_env return -EINVAL; } - range = tnum_range(0, map->max_entries - 1); reg = ®s[BPF_REG_3]; + val = reg->var_off.value; + max = map->max_entries; - if (!register_is_const(reg) || !tnum_in(range, reg->var_off)) { + if (!(register_is_const(reg) && val < max)) { bpf_map_key_store(aux, BPF_MAP_KEY_POISON); return 0; } @@ -5304,8 +5304,6 @@ record_func_key(struct bpf_verifier_env err = mark_chain_precision(env, BPF_REG_3); if (err) return err; - - val = reg->var_off.value; if (bpf_map_key_unseen(aux)) bpf_map_key_store(aux, val); else if (!bpf_map_key_poisoned(aux) &&