lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 21 Mar 2019 09:50:03 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Xu Yu <xuyu@...ux.alibaba.com>, bpf@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] bpf: do not restore dst_reg when cur_state is freed

On 03/21/2019 09:31 AM, Xu Yu wrote:
> Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug.
> Call trace:
>   dump_stack+0xbf/0x12e
>   print_address_description+0x6a/0x280
>   kasan_report+0x237/0x360
>   sanitize_ptr_alu+0x85a/0x8d0
>   adjust_ptr_min_max_vals+0x8f2/0x1ca0
>   adjust_reg_min_max_vals+0x8ed/0x22e0
>   do_check+0x1ca6/0x5d00
>   bpf_check+0x9ca/0x2570
>   bpf_prog_load+0xc91/0x1030
>   __se_sys_bpf+0x61e/0x1f00
>   do_syscall_64+0xc8/0x550
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> Fault injection trace:
>   kfree+0xea/0x290
>   free_func_state+0x4a/0x60
>   free_verifier_state+0x61/0xe0
>   push_stack+0x216/0x2f0	          <- inject failslab
>   sanitize_ptr_alu+0x2b1/0x8d0
>   adjust_ptr_min_max_vals+0x8f2/0x1ca0
>   adjust_reg_min_max_vals+0x8ed/0x22e0
>   do_check+0x1ca6/0x5d00
>   bpf_check+0x9ca/0x2570
>   bpf_prog_load+0xc91/0x1030
>   __se_sys_bpf+0x61e/0x1f00
>   do_syscall_64+0xc8/0x550
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> When kzalloc() fails in push_stack(), free_verifier_state() will free
> current verifier state. As push_stack() returns, dst_reg was restored
> if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg
> is also freed, and error occurs when dereferencing dst_reg.
> 
> Simply fix it by checking whether cur_state is NULL before retoring
> dst_reg.
> 
> Signed-off-by: Xu Yu <xuyu@...ux.alibaba.com>
> ---
>  kernel/bpf/verifier.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index ce166a0..018ce4f 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -3368,7 +3368,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
>  		*dst_reg = *ptr_reg;
>  	}
>  	ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
> -	if (!ptr_is_dst_reg)
> +	if (!ptr_is_dst_reg && env->cur_state)
>  		*dst_reg = tmp;

Good catch, test should be more obvious rewritten as:

  if (!ptr_is_dst_reg && ret)

Could you resubmit with that?

>  	return !ret ? -EFAULT : 0;
>  }
> 

Thanks,
Daniel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ