Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp1773977rwb; Mon, 7 Nov 2022 05:45:28 -0800 (PST) X-Google-Smtp-Source: AMsMyM4hwD9mWy9Tt2MpXxWdDsNEPLD93etTffpMqDgclXInmAJ3JS4lpKGLhSiavMltRRDQv3nN X-Received: by 2002:a17:90a:e147:b0:213:bd97:d6b7 with SMTP id ez7-20020a17090ae14700b00213bd97d6b7mr47323175pjb.199.1667828728184; Mon, 07 Nov 2022 05:45:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1667828728; cv=none; d=google.com; s=arc-20160816; b=OAuroUwg0qYp2ljV+Td+dIKWjVlx8UQs7JUk9p1xw/ghajJhZlw8Y+JgzLwb6I62FL URVJCcUVWZb/yocF9dNGBQdFHiMwhch95lCt2j8EZ7QSjPUK7GGdvQ+zN7RDshkNmzsT P7vnW7fBSYwA1VvKUmRdUO+XAvpeI1sanFeIH6GeqZxK1yc3bfeHOL0XPqtDhX1It7DM b1PjBCFKgwHOeepmewlAwlasS4K4JWkXQpQBy0yXdlYOvTpOkGY3mxx6d+d3+bbXqO5x UoQM1rUisHaEuxyrnCY088W71OKQEVsBH9GLrG3UC2+doKTfJxWHqWrHAobg/Ci3qFpn S+iw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=5SoqAUcnwiRm88ADd2ljnWMq6OYtUHzfrs6KNHdyEzE=; b=BW2zocoKrLyIDtKKZFeViQDNuxOcIVi2K46Vi0PhTJMtCA1XOOsS/yY994chLM8cup ly7wGnp5T0leNSOQBnGbPra+DwmYexWeanF1fRQzhQh0gbsmq75QD/nQCte5Ex+OmApp WLm0NsZhZJgwM1IUWKx8nNBVL/7eaOYsecAK1aJE7K0SWq6jerwHPS+hKNOQupMCyAh1 HxDafN8FfYi9Wf+FTdSboe+WdLnBuq8MGmoGORG41iGsSkc1qNq/eHOM0chSjGsPGdC7 kEAbzE+72ypoOiQjBbB28r4KiUt6RQj6Nd+8We9GLJazjhxEDDBFFofxKlMvz2GUB4NF HYPw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=UGhWJk4H; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b17-20020a17090aa59100b0020b2101908asi8479217pjq.16.2022.11.07.05.45.14; Mon, 07 Nov 2022 05:45:28 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=UGhWJk4H; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231682AbiKGNSh (ORCPT + 93 others); Mon, 7 Nov 2022 08:18:37 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53914 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231462AbiKGNSf (ORCPT ); Mon, 7 Nov 2022 08:18:35 -0500 Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EC2B719025 for ; Mon, 7 Nov 2022 05:18:33 -0800 (PST) Received: by mail-yb1-xb33.google.com with SMTP id 129so13502682ybb.12 for ; Mon, 07 Nov 2022 05:18:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=5SoqAUcnwiRm88ADd2ljnWMq6OYtUHzfrs6KNHdyEzE=; b=UGhWJk4HpX9TKsQWQGTHKMh66inqZKg22bG/7kNXFFQ3kZkidg97XqTIHwxg7WPOXu 0v2Y5ywyxTm8lK4tBBVrN7AiivG6csBLgRaKdyQnRao7nV8N5aOvbgLHoSMCgmQFQyDc P87IdNxHWNAAYgvfcEc11SC556SRE2deFJ7I51lI/P+WQ0tCIlZuVbZPBUAraptpo1iV HPagSQ3kgZQp0lwo+iU90EWh3daa+XDUDbFYJP15USWHYAYV+3YZqa69ti4roaHutWsS tlruEWldOByyLJJXOYjkavzkTQ0kST9VtsXYHB6M93pJmTmgUHEwb1+kVsYuJB9mdnqY 4lew== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=5SoqAUcnwiRm88ADd2ljnWMq6OYtUHzfrs6KNHdyEzE=; b=vor2uJlZI9gneL7DdUVvVJWNb5qUmmCO+W2ecel1ledCsJQg+Qez1zEwTfSgGWXVxC pUlqbfsqsYr5c6p/nJTDvEZyCZZot26VDFUU2cLDGkj+9tBfHRZ0mlKDW3oQ2URY5fUJ GBBO3gRcKRzuFbZC0EEplt7QFxMwlow93hMi1teIJTxXnfw+KQudIt3NO8QSz79ZyPBQ u7y/x21rao7GNosCE2KA0xRC9V1rNzDKtnUBncefRbXcpw+ujFHgLBuIXaVcIMOO32Og zoB2JkMqai/bkUt9wZOs0AeW91G+oGNiRCdl94JMArlbh8a3TNY8gMV+HgF+3Me3BpS1 GOkw== X-Gm-Message-State: ANoB5pkGdaOhJhPcTIJmd2t/wN2n3qWMfZIB/xim5iCFk6j+0vZXpigB a8j6Eo2gG7GkKd1uaxTALz2UrWuUQ2Nlh+jrfnoFPA== X-Received: by 2002:a25:4090:0:b0:6d3:7bde:23fe with SMTP id n138-20020a254090000000b006d37bde23femr15834157yba.388.1667827112974; Mon, 07 Nov 2022 05:18:32 -0800 (PST) MIME-Version: 1.0 References: <20221102081620.1465154-1-zhongbaisong@huawei.com> In-Reply-To: From: Alexander Potapenko Date: Mon, 7 Nov 2022 14:17:56 +0100 Message-ID: Subject: Re: [PATCH -next,v2] bpf, test_run: fix alignment problem in bpf_prog_test_run_skb() To: Mark Rutland Cc: Baisong Zhong , elver@google.com, Catalin Marinas , edumazet@google.com, keescook@chromium.org, kuba@kernel.org, ast@kernel.org, daniel@iogearbox.net, davem@davemloft.net, pabeni@redhat.com, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Nov 7, 2022 at 11:33 AM Mark Rutland wrote: > > On Fri, Nov 04, 2022 at 06:06:05PM +0100, Alexander Potapenko wrote: > > On Wed, Nov 2, 2022 at 9:16 AM Baisong Zhong = wrote: > > > > > > we got a syzkaller problem because of aarch64 alignment fault > > > if KFENCE enabled. > > > > > > When the size from user bpf program is an odd number, like > > > 399, 407, etc, it will cause the struct skb_shared_info's > > > unaligned access. As seen below: > > > > > > BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/= skbuff.c:1032 > > > > It's interesting that KFENCE is reporting a UAF without a deallocation > > stack here. > > > > Looks like an unaligned access to 0xffff6254fffac077 causes the ARM > > CPU to throw a fault handled by __do_kernel_fault() > > Importantly, an unaligned *atomic*, which is a bug regardless of KFENCE. > > > This isn't technically a page fault, but anyway the access address > > gets passed to kfence_handle_page_fault(), which defaults to a > > use-after-free, because the address belongs to the object page, not > > the redzone page. > > > > Catalin, Mark, what is the right way to only handle traps caused by > > reading/writing to a page for which `set_memory_valid(addr, 1, 0)` was > > called? > > That should appear as a translation fault, so we could add an > is_el1_translation_fault() helper for that. I can't immediately recall ho= w > misaligned atomics are presented, but I presume as something other than a > translation fault. > > If the below works for you, I can go spin that as a real patch. Thanks! It works for me in QEMU (doesn't report UAF for an unaligned atomic access and doesn't break the original KFENCE tests), and matches my reading of https://developer.arm.com/documentation/ddi0595/2020-12/AArch64-= Registers/ESR-EL1--Exception-Syndrome-Register--EL1- Feel free to add: Reviewed-by: Alexander Potapenko Tested-by: Alexander Potapenko > Mark. > > ---->8---- > diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c > index 5b391490e045b..1de4b6afa8515 100644 > --- a/arch/arm64/mm/fault.c > +++ b/arch/arm64/mm/fault.c > @@ -239,6 +239,11 @@ static bool is_el1_data_abort(unsigned long esr) > return ESR_ELx_EC(esr) =3D=3D ESR_ELx_EC_DABT_CUR; > } > > +static bool is_el1_translation_fault(unsigned long esr) > +{ > + return (esr & ESR_ELx_FSC_TYPE) =3D=3D ESR_ELx_FSC_FAULT; Should we also introduce ESR_ELx_FSC(esr) for this? > +} > + > static inline bool is_el1_permission_fault(unsigned long addr, unsigned = long esr, > struct pt_regs *regs) > { > @@ -385,7 +390,8 @@ static void __do_kernel_fault(unsigned long addr, uns= igned long esr, > } else if (addr < PAGE_SIZE) { > msg =3D "NULL pointer dereference"; > } else { > - if (kfence_handle_page_fault(addr, esr & ESR_ELx_WNR, reg= s)) > + if (is_el1_translation_fault(esr) && > + kfence_handle_page_fault(addr, esr & ESR_ELx_WNR, reg= s)) > return; > > msg =3D "paging request"; -- Alexander Potapenko Software Engineer Google Germany GmbH Erika-Mann-Stra=C3=9Fe, 33 80636 M=C3=BCnchen Gesch=C3=A4ftsf=C3=BChrer: Paul Manicle, Liana Sebastian Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg