lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 21 Mar 2019 17:28:41 +0800
From:   Yu Xu <xuyu@...ux.alibaba.com>
To:     Daniel Borkmann <daniel@...earbox.net>, bpf@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] bpf: do not restore dst_reg when cur_state is freed

On 3/21/19 4:50 PM, Daniel Borkmann wrote:
> On 03/21/2019 09:31 AM, Xu Yu wrote:
>> Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug.
>> Call trace:
>>    dump_stack+0xbf/0x12e
>>    print_address_description+0x6a/0x280
>>    kasan_report+0x237/0x360
>>    sanitize_ptr_alu+0x85a/0x8d0
>>    adjust_ptr_min_max_vals+0x8f2/0x1ca0
>>    adjust_reg_min_max_vals+0x8ed/0x22e0
>>    do_check+0x1ca6/0x5d00
>>    bpf_check+0x9ca/0x2570
>>    bpf_prog_load+0xc91/0x1030
>>    __se_sys_bpf+0x61e/0x1f00
>>    do_syscall_64+0xc8/0x550
>>    entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> Fault injection trace:
>>    kfree+0xea/0x290
>>    free_func_state+0x4a/0x60
>>    free_verifier_state+0x61/0xe0
>>    push_stack+0x216/0x2f0	          <- inject failslab
>>    sanitize_ptr_alu+0x2b1/0x8d0
>>    adjust_ptr_min_max_vals+0x8f2/0x1ca0
>>    adjust_reg_min_max_vals+0x8ed/0x22e0
>>    do_check+0x1ca6/0x5d00
>>    bpf_check+0x9ca/0x2570
>>    bpf_prog_load+0xc91/0x1030
>>    __se_sys_bpf+0x61e/0x1f00
>>    do_syscall_64+0xc8/0x550
>>    entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> When kzalloc() fails in push_stack(), free_verifier_state() will free
>> current verifier state. As push_stack() returns, dst_reg was restored
>> if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg
>> is also freed, and error occurs when dereferencing dst_reg.
>>
>> Simply fix it by checking whether cur_state is NULL before retoring
>> dst_reg.
>>
>> Signed-off-by: Xu Yu <xuyu@...ux.alibaba.com>
>> ---
>>   kernel/bpf/verifier.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index ce166a0..018ce4f 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -3368,7 +3368,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
>>   		*dst_reg = *ptr_reg;
>>   	}
>>   	ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
>> -	if (!ptr_is_dst_reg)
>> +	if (!ptr_is_dst_reg && env->cur_state)
>>   		*dst_reg = tmp;
> 
> Good catch, test should be more obvious rewritten as:
> 
>    if (!ptr_is_dst_reg && ret)
> 
> Could you resubmit with that?

sure, will send patch v2 later.

thanks,
Yu

> 
>>   	return !ret ? -EFAULT : 0;
>>   }
>>
> 
> Thanks,
> Daniel
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ