X-Mailing-List: linux-kernel@vger.kernel.org
References: <20240505014641.203643-1-cam.alvarez.i@gmail.com>
In-Reply-To: <20240505014641.203643-1-cam.alvarez.i@gmail.com>
From: Alexei Starovoitov
Date: Sun, 5 May 2024 01:21:12 -0700
Subject: Re: [PATCH] fix array-index-out-of-bounds in bpf_prog_select_runtime
To: Camila Alvarez
Cc: Alexei Starovoitov, Daniel Borkmann, bpf, LKML, syzbot+d2a2c639d03ac200a4f1@syzkaller.appspotmail.com

On Sat, May 4, 2024 at 6:49 PM Camila Alvarez wrote:
>
> The error indicates that the verifier is letting through a program with
> a stack depth bigger than 512.
>
> This is due to the verifier not checking the stack depth after
> instruction rewrites are performed. For example, the MAY_GOTO instruction
> adds 8 bytes to the stack, which means that if the stack at the moment
> was already 512 bytes it would overflow after rewriting the instruction.

This is by design.
may_goto and other constructs like bpf_loop inlining can consume
a few words above the 512 limit.

> The fix involves adding a stack depth check after all instruction
> rewrites are performed.
>
> Reported-by: syzbot+d2a2c639d03ac200a4f1@syzkaller.appspotmail.com

This syzbot report is likely unrelated.
It says that it bisected it to may_goto, but it has this report
before may_goto was introduced, so the bisection is incorrect.

pw-bot: cr

> Signed-off-by: Camila Alvarez
> ---
>  kernel/bpf/verifier.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 63749ad5ac6b..a9e23b6b8e8f 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -21285,6 +21285,10 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, bpfptr_t uattr, __u3
>  	if (ret == 0)
>  		ret = do_misc_fixups(env);
>
> +	/* max stack depth verification must be done after rewrites as well */
> +	if (ret == 0)
> +		ret = check_max_stack_depth(env);
> +
>  	/* do 32-bit optimization after insn patching has done so those patched
>  	 * insns could be handled correctly.
>  	 */
> --
> 2.34.1
>
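Review bot: the added `ret = check_max_stack_depth(env);` after `do_misc_fixups(env)` re-applies the pre-rewrite stack limit to the rewritten program, so it would reject programs that the verifier deliberately lets exceed 512 bytes by a few words after fixups (may_goto and bpf_loop inlining, as the reply above states); as placed, the hunk turns an intended allowance into a verification failure rather than closing a gap, and if a post-rewrite bound is wanted it needs a limit that accounts for that fixup slack instead of reusing the original one. The in-hunk comment "max stack depth verification must be done after rewrites as well" should also say why the earlier check is insufficient, and since the maintainer disputes the syzbot bisection to may_goto, the Reported-by attribution in the commit message should be re-verified against a tree without may_goto before it is kept.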