Date: Thu, 8 Jun 2023 17:10:31 -0700
From: Krister Johansen
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Mykola Lysenko, Shuah Khan, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: [PATCH bpf v3 0/2] bpf: fix NULL dereference during extable search

Hi,

Enclosed are a pair of patches for an oops that can occur if an exception is
generated while a bpf subprogram is running. One of the bpf_prog_aux entries
for the subprograms is missing an extable. This can lead to an exception that
would otherwise be handled turning into a NULL pointer bug.
When run out of the selftest, the oops looks like this:

BUG: kernel NULL pointer dereference, address: 000000000000000c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 1132 Comm: test_progs Tainted: G OE 6.4.0-rc3+ #2
RIP: 0010:cmp_ex_search+0xb/0x30
Code: cc cc cc cc e8 36 cb 03 00 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 48 8b 07 <48> 63 0e 48 01 f1 31 d2 48 39 c8 19 d2 48 39 c8 b8 01 00 00 00 0f
RSP: 0018:ffffb30c4291f998 EFLAGS: 00010006
RAX: ffffffffc00b49da RBX: 0000000000000002 RCX: 000000000000000c
RDX: 0000000000000002 RSI: 000000000000000c RDI: ffffb30c4291f9e8
RBP: ffffb30c4291f998 R08: ffffffffab1a42d0 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffffab1a42d0 R12: ffffb30c4291f9e8
R13: 000000000000000c R14: 000000000000000c R15: 0000000000000000
FS:  00007fb5d9e044c0(0000) GS:ffff92e95ee00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000000c CR3: 000000010c3a2005 CR4: 00000000007706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 bsearch+0x41/0x90
 ? __pfx_cmp_ex_search+0x10/0x10
 ? bpf_prog_45a7907e7114d0ff_handle_fexit_ret_subprogs3+0x2a/0x6c
 search_extable+0x3b/0x60
 ? bpf_prog_45a7907e7114d0ff_handle_fexit_ret_subprogs3+0x2a/0x6c
 search_bpf_extables+0x10d/0x190
 ? bpf_prog_45a7907e7114d0ff_handle_fexit_ret_subprogs3+0x2a/0x6c
 search_exception_tables+0x5d/0x70
 fixup_exception+0x3f/0x5b0
 ? look_up_lock_class+0x61/0x110
 ? __lock_acquire+0x6b8/0x3560
 ? __lock_acquire+0x6b8/0x3560
 ? __lock_acquire+0x6b8/0x3560
 kernelmode_fixup_or_oops+0x46/0x110
 __bad_area_nosemaphore+0x68/0x2b0
 ? __lock_acquire+0x6b8/0x3560
 bad_area_nosemaphore+0x16/0x20
 do_kern_addr_fault+0x81/0xa0
 exc_page_fault+0xd6/0x210
 asm_exc_page_fault+0x2b/0x30
RIP: 0010:bpf_prog_45a7907e7114d0ff_handle_fexit_ret_subprogs3+0x2a/0x6c
Code: f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 7f 08 49 bb 00 00 00 00 00 80 00 00 4c 39 df 73 04 31 f6 eb 04 <48> 8b 77 00 49 bb 00 00 00 00 00 80 00 00 48 81 c7 7c 00 00 00 4c
RSP: 0018:ffffb30c4291fcb8 EFLAGS: 00010282
RAX: 0000000000000001 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 00000000cddf1af1 RSI: 000000005315a00d RDI: ffffffffffffffea
RBP: ffffb30c4291fcb8 R08: ffff92e644bf38a8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000800000000000 R12: ffff92e663652690
R13: 00000000000001c8 R14: 00000000000001c8 R15: 0000000000000003
 bpf_trampoline_251255721842_2+0x63/0x1000
 bpf_testmod_return_ptr+0x9/0xb0 [bpf_testmod]
 ? bpf_testmod_test_read+0x43/0x2d0 [bpf_testmod]
 sysfs_kf_bin_read+0x60/0x90
 kernfs_fop_read_iter+0x143/0x250
 vfs_read+0x240/0x2a0
 ksys_read+0x70/0xe0
 __x64_sys_read+0x1f/0x30
 do_syscall_64+0x68/0xa0
 ? syscall_exit_to_user_mode+0x77/0x1f0
 ? do_syscall_64+0x77/0xa0
 ? irqentry_exit+0x35/0xa0
 ? sysvec_apic_timer_interrupt+0x4d/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fb5da00a392
Code: ac 00 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb be 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
RSP: 002b:00007ffc5b3cab68 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055bee7b8b100 RCX: 00007fb5da00a392
RDX: 00000000000001c8 RSI: 0000000000000000 RDI: 0000000000000009
RBP: 00007ffc5b3caba0 R08: 0000000000000000 R09: 0000000000000037
R10: 000055bee7b8c2a7 R11: 0000000000000246 R12: 000055bee78f1f60
R13: 00007ffc5b3cae90 R14: 0000000000000000 R15: 0000000000000000
Modules linked in: bpf_testmod(OE) nls_iso8859_1 dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua intel_rapl_msr intel_rapl_common intel_uncore_frequency_common ppdev nfit crct10dif_pclmul crc32_pclmul psmouse ghash_clmulni_intel sha512_ssse3 aesni_intel parport_pc crypto_simd cryptd input_leds parport rapl ena i2c_piix4 mac_hid serio_raw ramoops reed_solomon pstore_blk drm pstore_zone efi_pstore autofs4 [last unloaded: bpf_testmod(OE)]
CR2: 000000000000000c

These changes were tested via the verifier and progs selftests and no
regressions were observed.
Changes from v2:
- Insert only the main program's kallsyms (Feedback from Yonghong Song and
  Alexei Starovoitov)
- Selftest should use ASSERT instead of CHECK (Feedback from Yonghong Song)
- Selftest needs some cleanup (Feedback from Yonghong Song)
- Switch patch order (Feedback from Alexei Starovoitov)

Changes from v1:
- Add a selftest (Feedback from Alexei Starovoitov)
- Move to a 1-line verifier change instead of searching multiple extables

Krister Johansen (2):
  bpf: ensure main program has an extable
  selftests/bpf: add a test for subprogram extables

 kernel/bpf/verifier.c                           |  6 ++-
 .../bpf/prog_tests/subprogs_extable.c           | 31 +++++++++++++
 .../bpf/progs/test_subprogs_extable.c           | 46 +++++++++++++++++++
 3 files changed, 81 insertions(+), 2 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/subprogs_extable.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_subprogs_extable.c

-- 
2.25.1
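The cover letter says the fault happens because a program descriptor has no extable while the exception path still searches one. The following is an added, user-space model of that failure mode; it is not code from this series or from the kernel. The struct and function names (ex_entry, prog_desc, search_extable_*, first_probe_address) are hypothetical, and the entries hold absolute offsets in a made-up code space rather than the kernel's self-relative encoding, although the 12-byte entry size matches x86's three-int exception_table_entry. Reading the oops with that size in mind: bsearch's first pivot over a NULL base with two entries (RBX = RDX = 2 in the dump) lands at 0xc, which is consistent with the reported CR2 and the movslq (%rsi) at the faulting instruction; that correlation is this editor's inference, not a statement from the letter. The NULL check in the hardened lookup is only there to contrast the two behaviours; the series itself fixes the problem at the source by making sure the main program has an extable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One exception-table entry. Three 32-bit fields give the same 12-byte size
 * as x86's struct exception_table_entry (insn, fixup, data); here they hold
 * absolute offsets in a constructed code space, not self-relative values. */
struct ex_entry {
    uint32_t insn;   /* instruction that is allowed to fault */
    uint32_t fixup;  /* where execution resumes after that fault */
    uint32_t data;   /* handler-specific data, unused in this model */
};

/* Hypothetical per-program descriptor carrying the two fields the cover
 * letter is about: the table pointer and the entry count. */
struct prog_desc {
    const char *name;
    uint32_t start, end;            /* [start, end) code range of the program */
    const struct ex_entry *extable; /* sorted by insn; NULL if never created */
    size_t num_exentries;
};

static int cmp_ex(const void *key, const void *elt)
{
    uint32_t addr = *(const uint32_t *)key;
    const struct ex_entry *e = elt;  /* elt points into the table itself, */
    if (addr > e->insn) return 1;    /* so the load of e->insn is the first */
    if (addr < e->insn) return -1;   /* memory access at the pivot address */
    return 0;
}

/* Unchecked lookup: trusts num_exentries even when extable is NULL, which is
 * the shape of the failure in the oops (a count of 2, a base of 0). */
static uint32_t search_extable_unchecked(const struct prog_desc *p, uint32_t addr)
{
    const struct ex_entry *e = bsearch(&addr, p->extable, p->num_exentries,
                                       sizeof(*e), cmp_ex);
    return e ? e->fixup : 0;
}

/* Hardened lookup for contrast: a descriptor without a table has no fixup. */
static uint32_t search_extable_checked(const struct prog_desc *p, uint32_t addr)
{
    if (!p->extable || p->num_exentries == 0)
        return 0;
    return search_extable_unchecked(p, addr);
}

/* Address bsearch's first pivot would read: base + (num / 2) * entry size.
 * For a NULL base and two 12-byte entries this is 0xc. */
static uintptr_t first_probe_address(const struct prog_desc *p)
{
    return (uintptr_t)p->extable + (p->num_exentries / 2) * sizeof(struct ex_entry);
}

/* Find the program whose code range covers addr and ask its table (0 = none). */
static uint32_t fixup_for(const struct prog_desc *list, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= list[i].start && addr < list[i].end)
            return search_extable_checked(&list[i], addr);
    return 0;
}

/* Constructed sample: a main program with a two-entry table, and a subprogram
 * whose descriptor claims two entries but was never given a table. */
static const struct ex_entry main_table[] = {
    { 0x110, 0x140, 0 },
    { 0x12c, 0x150, 0 },
};
static const struct prog_desc progs[] = {
    { "main",    0x100, 0x200, main_table, 2 },
    { "subprog", 0x200, 0x300, NULL,       2 },
};
static const size_t nprogs = sizeof(progs) / sizeof(progs[0]);

int main(void)
{
    printf("fixup for 0x12c in main:    0x%x\n", (unsigned)fixup_for(progs, nprogs, 0x12c));
    printf("fixup for 0x118 in main:    0x%x (no entry)\n", (unsigned)fixup_for(progs, nprogs, 0x118));
    printf("fixup for 0x210 in subprog: 0x%x (table missing, no fault)\n",
           (unsigned)fixup_for(progs, nprogs, 0x210));
    printf("an unchecked search of subprog would first read %#lx\n",
           (unsigned long)first_probe_address(&progs[1]));
    return 0;
}
```

Running the checked path over the subprogram descriptor returns "no fixup" instead of faulting; the unchecked path is deliberately never invoked on it, since doing so reproduces the crash in user space. The useful habit for reading such oopses is the one first_probe_address encodes: a small fault address like 0xc, together with the element count in the registers, points at a search over a NULL table rather than at a corrupted entry.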