bpf: Fix out-of-bounds read in check_atomic_load/store() #8677
+12
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![kernel-patches-daemon-bpf[bot]](https://avatars.githubusercontent.com/u/70728002?s=60&v=4){kind=small}
|
Upstream branch: 2d7597d |
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
dc8d1d6 to
c16ba17
Compare
|
Upstream branch: 8c10109 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/944152=>bpf-next
branch
from
e8c566a to
6dbc6b8
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
c16ba17 to
84222f6
Compare
|
Upstream branch: bb2243f |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/944152=>bpf-next
branch
from
6dbc6b8 to
acd6e61
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
84222f6 to
014f72f
Compare
|
Upstream branch: 812f770 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/944152=>bpf-next
branch
from
acd6e61 to
c9537c4
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
014f72f to
4d1d6fc
Compare
|
Upstream branch: b02f072 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/944152=>bpf-next
branch
from
c9537c4 to
d07c1dd
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
4d1d6fc to
e14a0d8
Compare
|
Upstream branch: f3f8649 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/944152=>bpf-next
branch
from
d07c1dd to
50dd4a8
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
e14a0d8 to
503edd4
Compare
|
Upstream branch: ae0a457 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/944152=>bpf-next
branch
from
50dd4a8 to
2fb74d9
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
503edd4 to
7e623dc
Compare
|
Upstream branch: f4edc66 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/944152=>bpf-next
branch
from
2fb74d9 to
0981940
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
7e623dc to
156a3ac
Compare
|
Upstream branch: 6ca2162 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/944152=>bpf-next
branch
from
0981940 to
2138f85
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
156a3ac to
50dba77
Compare
|
Upstream branch: a259804 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/944152=>bpf-next
branch
from
2138f85 to
ab6f41d
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
50dba77 to
ce294a5
Compare
|
Upstream branch: 79db658 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/944152=>bpf-next
branch
from
ab6f41d to
dd286c1
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
ce294a5 to
e34fe93
Compare
|
Upstream branch: e16e64f |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/944152=>bpf-next
branch
from
dd286c1 to
e796ae9
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
e34fe93 to
8c0b07b
Compare
|
Upstream branch: 51d6504 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/944152=>bpf-next
branch
from
e796ae9 to
3115aa5
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
8c0b07b to
c55d243
Compare
|
Upstream branch: 307ef66 |
syzbot reported the following splat [0].
In check_atomic_load/store(), register validity is not checked before
atomic_ptr_type_ok(). This causes the out-of-bounds read in is_ctx_reg()
called from atomic_ptr_type_ok() when the register number is MAX_BPF_REG
or greater.
Add check_reg_arg() before atomic_ptr_type_ok(), and return early when
the register is invalid.
[0]
BUG: KASAN: slab-out-of-bounds in is_ctx_reg kernel/bpf/verifier.c:6185 [inline]
BUG: KASAN: slab-out-of-bounds in atomic_ptr_type_ok+0x3d7/0x550 kernel/bpf/verifier.c:6223
Read of size 4 at addr ffff888141b0d690 by task syz-executor143/5842
CPU: 1 UID: 0 PID: 5842 Comm: syz-executor143 Not tainted 6.14.0-rc3-syzkaller-gf28214603dc6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0x16e/0x5b0 mm/kasan/report.c:521
kasan_report+0x143/0x180 mm/kasan/report.c:634
is_ctx_reg kernel/bpf/verifier.c:6185 [inline]
atomic_ptr_type_ok+0x3d7/0x550 kernel/bpf/verifier.c:6223
check_atomic_store kernel/bpf/verifier.c:7804 [inline]
check_atomic kernel/bpf/verifier.c:7841 [inline]
do_check+0x89dd/0xedd0 kernel/bpf/verifier.c:19334
do_check_common+0x1678/0x2080 kernel/bpf/verifier.c:22600
do_check_main kernel/bpf/verifier.c:22691 [inline]
bpf_check+0x165c8/0x1cca0 kernel/bpf/verifier.c:23821
bpf_prog_load+0x1664/0x20e0 kernel/bpf/syscall.c:2967
__sys_bpf+0x4ea/0x820 kernel/bpf/syscall.c:5811
__do_sys_bpf kernel/bpf/syscall.c:5918 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5916 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5916
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa3ac86bab9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe50fff5f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa3ac86bab9
RDX: 0000000000000094 RSI: 00004000000009c0 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000006
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>
Allocated by task 5842:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4325
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
do_check_common+0x1ec/0x2080 kernel/bpf/verifier.c:22499
do_check_main kernel/bpf/verifier.c:22691 [inline]
bpf_check+0x165c8/0x1cca0 kernel/bpf/verifier.c:23821
bpf_prog_load+0x1664/0x20e0 kernel/bpf/syscall.c:2967
__sys_bpf+0x4ea/0x820 kernel/bpf/syscall.c:5811
__do_sys_bpf kernel/bpf/syscall.c:5918 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5916 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5916
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888141b0d000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 312 bytes to the right of
allocated 1368-byte region [ffff888141b0d000, ffff888141b0d558)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x141b08
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff88801b042000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
head: 057ff00000000040 ffff88801b042000 dead000000000100 dead000000000122
head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
head: 057ff00000000003 ffffea000506c201 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 8909973200, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1585
prep_new_page mm/page_alloc.c:1593 [inline]
get_page_from_freelist+0x3a8c/0x3c20 mm/page_alloc.c:3538
__alloc_frozen_pages_noprof+0x264/0x580 mm/page_alloc.c:4805
alloc_pages_mpol+0x311/0x660 mm/mempolicy.c:2270
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab+0x8f/0x3a0 mm/slub.c:2587
new_slab mm/slub.c:2640 [inline]
___slab_alloc+0xc27/0x14a0 mm/slub.c:3826
__slab_alloc+0x58/0xa0 mm/slub.c:3916
__slab_alloc_node mm/slub.c:3991 [inline]
slab_alloc_node mm/slub.c:4152 [inline]
__kmalloc_cache_noprof+0x27b/0x390 mm/slub.c:4320
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
virtio_pci_probe+0x54/0x340 drivers/virtio/virtio_pci_common.c:689
local_pci_probe drivers/pci/pci-driver.c:324 [inline]
pci_call_probe drivers/pci/pci-driver.c:392 [inline]
__pci_device_probe drivers/pci/pci-driver.c:417 [inline]
pci_device_probe+0x6c5/0xa10 drivers/pci/pci-driver.c:451
really_probe+0x2b9/0xad0 drivers/base/dd.c:658
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800
driver_probe_device+0x50/0x430 drivers/base/dd.c:830
__driver_attach+0x45f/0x710 drivers/base/dd.c:1216
bus_for_each_dev+0x239/0x2b0 drivers/base/bus.c:370
bus_add_driver+0x346/0x670 drivers/base/bus.c:678
page_owner free stack trace missing
Memory state around the buggy address:
ffff888141b0d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888141b0d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888141b0d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888141b0d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888141b0d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=a5964227adc0f904549c
Tested-by: [email protected]
Fixes: e24bbad ("bpf: Introduce load-acquire and store-release instructions")
Signed-off-by: Kohei Enju <[email protected]>
kernel-patches-daemon-bpf
bot
force-pushed
the
series/944152=>bpf-next
branch
from
3115aa5 to
8e80b58
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: bpf: Fix out-of-bounds read in check_atomic_load/store()
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=944152