| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 16 May 2022 16:16:12 -0700
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Tadeusz Struk <tadeusz.struk@...aro.org>
Cc: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>,
Networking <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
linux- stable <stable@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>,
syzbot+f264bffdfbd5614f3bb2@...kaller.appspotmail.com
Subject: Re: [PATCH v3] bpf: Fix KASAN use-after-free Read in compute_effective_progs
On Fri, May 13, 2022 at 12:08 PM Tadeusz Struk <tadeusz.struk@...aro.org> wrote:
>
> Syzbot found a Use After Free bug in compute_effective_progs().
> The reproducer creates a number of BPF links, and causes a fault
> injected alloc to fail, while calling bpf_link_detach on them.
> Link detach triggers the link to be freed by bpf_link_free(),
> which calls __cgroup_bpf_detach() and update_effective_progs().
> If the memory allocation in this function fails, the function restores
> the pointer to the bpf_cgroup_link on the cgroup list, but the memory
> gets freed just after it returns. After this, every subsequent call to
> update_effective_progs() causes this already deallocated pointer to be
> dereferenced in prog_list_length(), and triggers KASAN UAF error.
>
> To fix this issue don't preserve the pointer to the prog or link in the
> list, but remove it and replace it with a dummy prog without shrinking
> the table. The subsequent call to __cgroup_bpf_detach() or
> __cgroup_bpf_detach() will correct it.
>
> Cc: "Alexei Starovoitov" <ast@...nel.org>
> Cc: "Daniel Borkmann" <daniel@...earbox.net>
> Cc: "Andrii Nakryiko" <andrii@...nel.org>
> Cc: "Martin KaFai Lau" <kafai@...com>
> Cc: "Song Liu" <songliubraving@...com>
> Cc: "Yonghong Song" <yhs@...com>
> Cc: "John Fastabend" <john.fastabend@...il.com>
> Cc: "KP Singh" <kpsingh@...nel.org>
> Cc: <netdev@...r.kernel.org>
> Cc: <bpf@...r.kernel.org>
> Cc: <stable@...r.kernel.org>
> Cc: <linux-kernel@...r.kernel.org>
>
> Link: https://syzkaller.appspot.com/bug?id=8ebf179a95c2a2670f7cf1ba62429ec044369db4
> Fixes: af6eea57437a ("bpf: Implement bpf_link-based cgroup BPF program attachment")
> Reported-by: <syzbot+f264bffdfbd5614f3bb2@...kaller.appspotmail.com>
> Signed-off-by: Tadeusz Struk <tadeusz.struk@...aro.org>
> ---
> v2: Add a fall back path that removes a prog from the effective progs
> table in case detach fails to allocate memory in compute_effective_progs().
>
> v3: Implement the fallback in a separate function purge_effective_progs
> ---
> kernel/bpf/cgroup.c | 64 +++++++++++++++++++++++++++++++++++++++------
> 1 file changed, 56 insertions(+), 8 deletions(-)
>
> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> index 128028efda64..9d3af4d6c055 100644
> --- a/kernel/bpf/cgroup.c
> +++ b/kernel/bpf/cgroup.c
> @@ -681,6 +681,57 @@ static struct bpf_prog_list *find_detach_entry(struct list_head *progs,
> return ERR_PTR(-ENOENT);
> }
>
> +/**
> + * purge_effective_progs() - After compute_effective_progs fails to alloc new
> + * cgrp->bpf.inactive table we can recover by
> + * recomputing the array in place.
> + *
> + * @cgrp: The cgroup which descendants to traverse
> + * @link: A link to detach
> + * @atype: Type of detach operation
> + */
> +static void purge_effective_progs(struct cgroup *cgrp, struct bpf_prog *prog,
> + enum cgroup_bpf_attach_type atype)
> +{
> + struct cgroup_subsys_state *css;
> + struct bpf_prog_array_item *item;
> + struct bpf_prog *tmp;
> + struct bpf_prog_array *array;
> + int index = 0, index_purge = -1;
> +
> + if (!prog)
> + return;
> +
> + /* recompute effective prog array in place */
> + css_for_each_descendant_pre(css, &cgrp->self) {
> + struct cgroup *desc = container_of(css, struct cgroup, self);
> +
> + array = desc->bpf.effective[atype];
../kernel/bpf/cgroup.c:748:23: warning: incorrect type in assignment
(different address spaces)
../kernel/bpf/cgroup.c:748:23: expected struct bpf_prog_array *array
../kernel/bpf/cgroup.c:748:23: got struct bpf_prog_array [noderef] __rcu *
you need rcu_dereference here? but also see suggestions below to avoid
iterating effective directly (it's ambiguous to search by prog only)
> + item = &array->items[0];
> +
> + /* Find the index of the prog to purge */
> + while ((tmp = READ_ONCE(item->prog))) {
> + if (tmp == prog) {
I think comparing just prog isn't always correct, as the same program
can be in effective array multiple times if attached through bpf_link.
Looking at replace_effective_prog() I think we can do a very similar
(and tested) approach:
1. restore original pl state in __cgroup_bpf_detach (so we can find it
by comparing pl->prog == prog && pl->link == link)
2. use replace_effective_prog's approach to find position of pl in
effective array (using this nested for loop over cgroup parents and
list_for_each_entry inside)
3. then instead of replacing one prog with another do
bpf_prog_array_delete_safe_at ?
I'd feel more comfortable using the same tested overall approach of
replace_effective_prog.
> + index_purge = index;
> + break;
> + }
> + item++;
> + index++;
> + }
> +
> + /* Check if we found what's needed for removing the prog */
> + if (index_purge == -1 || index_purge == index - 1)
> + continue;
the search shouldn't fail, should it?
> +
> + /* Remove the program from the array */
> + WARN_ONCE(bpf_prog_array_delete_safe_at(array, index_purge),
> + "Failed to purge a prog from array at index %d", index_purge);
> +
> + index = 0;
> + index_purge = -1;
> + }
> +}
> +
> /**
> * __cgroup_bpf_detach() - Detach the program or link from a cgroup, and
> * propagate the change to descendants
> @@ -723,8 +774,11 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
> pl->link = NULL;
>
> err = update_effective_progs(cgrp, atype);
> - if (err)
> - goto cleanup;
> + if (err) {
> + struct bpf_prog *prog_purge = prog ? prog : link->link.prog;
> +
so here we shouldn't forget link, instead pass both link and prog (one
of them will have to be NULL) into purge_effective_progs
> + purge_effective_progs(cgrp, prog_purge, atype);
> + }
>
> /* now can actually delete it from this cgroup list */
> list_del(&pl->node);
> @@ -736,12 +790,6 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
> bpf_prog_put(old_prog);
> static_branch_dec(&cgroup_bpf_enabled_key[atype]);
> return 0;
> -
> -cleanup:
> - /* restore back prog or link */
> - pl->prog = old_prog;
> - pl->link = link;
> - return err;
> }
>
> static int cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
> --
> 2.36.1
>
Powered by blists - more mailing lists