Message-ID: <737ae55d-3cd0-40fb-b3e9-3b676f1f735f@linux.dev>
Date: Mon, 8 Apr 2024 17:10:48 -0700
Subject: Re: [PATCH] bpf: dereference of null in __cgroup_bpf_query() function
From: Martin KaFai Lau
To: Mikhail Lobanov
Cc: Alexei Starovoitov, Andrii Nakryiko, Song Liu, Roman Gushchin, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
In-Reply-To: <20240406151457.4774-1-m.lobanov@rosalinux.ru>
References: <20240406151457.4774-1-m.lobanov@rosalinux.ru>

On 4/6/24 8:14 AM, Mikhail Lobanov wrote:
> In the __cgroup_bpf_query() function, it is possible to dereference
> the null pointer in the line id = prog->aux->id; since there is no
> check for a non-zero value of the variable prog.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: af6eea57437a ("bpf: Implement bpf_link-based cgroup BPF program attachment")
> Cc: stable@vger.kernel.org
> Signed-off-by: Mikhail Lobanov
> ---
>  kernel/bpf/cgroup.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> index 491d20038cbe..7f2db96f0c6a 100644
> --- a/kernel/bpf/cgroup.c
> +++ b/kernel/bpf/cgroup.c
> @@ -1092,6 +1092,8 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
>  	i = 0;
>  	hlist_for_each_entry(pl, progs, node) {
>  		prog = prog_list_prog(pl);
> +		if (!prog_list_prog(pl))

prog cannot be null. It is under cgroup_lock().

> +			continue;
>  		id = prog->aux->id;
>  		if (copy_to_user(prog_ids + i, &id, sizeof(id)))
>  			return -EFAULT;
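Review bot: the added guard in the hunk calls prog_list_prog(pl) a second time instead of testing `prog`, which the line just above already assigned from that same call; if a guard belonged here at all it would be `if (!prog)` followed by `continue;`. As the reply points out, this loop runs under cgroup_lock(), so prog_list_prog() cannot return NULL here and the new branch is unreachable dead code. A static-analyzer finding such as the SVACE report cited in the commit message is better answered by explaining (or documenting at the call site) that locking invariant than by adding an unnecessary check that will mislead later readers into thinking a NULL entry is a legitimate state.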