lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 18 Aug 2022 23:35:40 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Greg KH <gregkh@...uxfoundation.org>, Pu Lehui <pulehui@...wei.com>
Cc:     Alexei Starovoitov <ast@...nel.org>,
        Andrii Nakryiko <andrii@...nel.org>, bpf@...r.kernel.org,
        stable@...r.kernel.org, linux-kernel@...r.kernel.org,
        Martin KaFai Lau <kafai@...com>,
        Tadeusz Struk <tadeusz.struk@...aro.org>,
        Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
        John Fastabend <john.fastabend@...il.com>,
        KP Singh <kpsingh@...nel.org>,
        Jean-Philippe Brucker <jean-philippe@...aro.org>,
        Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>
Subject: Re: [PATCH bpf] bpf: Fix kernel BUG in purge_effective_progs

On 8/18/22 7:26 AM, Greg KH wrote:
> On Thu, Aug 18, 2022 at 10:46:33AM +0800, Pu Lehui wrote:
>> On 2022/8/17 4:39, Andrii Nakryiko wrote:
>>> On Sat, Aug 13, 2022 at 6:11 AM Pu Lehui <pulehui@...wei.com> wrote:
[...]
>>>> Failslab injection will cause kmalloc fail and fall back to
>>>> purge_effective_progs. The problem is that cg2 have attached another prog,
>>>> so when go through cg2 layer, iteration will add pos to 1, and subsequent
>>>> operations will be skipped by the following condition, and cg will meet
>>>> NULL in the end.
>>>>
>>>> `if (pos && !(cg->bpf.flags[atype] & BPF_F_ALLOW_MULTI))`
>>>>
>>>> The NULL cg means no link or prog match, this is as expected, and it's not
>>>> a bug. So here just skip the no match situation.
>>>>
>>>> Fixes: 4c46091ee985 ("bpf: Fix KASAN use-after-free Read in compute_effective_progs")
>>>> Signed-off-by: Pu Lehui <pulehui@...wei.com>
>>>> ---
>>>>    kernel/bpf/cgroup.c | 4 +++-
>>>>    1 file changed, 3 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
>>>> index 59b7eb60d5b4..4a400cd63731 100644
>>>> --- a/kernel/bpf/cgroup.c
>>>> +++ b/kernel/bpf/cgroup.c
>>>> @@ -921,8 +921,10 @@ static void purge_effective_progs(struct cgroup *cgrp, struct bpf_prog *prog,
>>>>                                   pos++;
>>>>                           }
>>>>                   }
>>>> +
>>>> +               /* no link or prog match, skip the cgroup of this layer */
>>>> +               continue;
>>>>    found:
>>>> -               BUG_ON(!cg);
>>>
>>> I don't think it's necessary to remove this BUG_ON(), but it also
>>> feels unnecessary for purge_effective_progs, so I don't mind it.
>>>
>>> Acked-by: Andrii Nakryiko <andrii@...nel.org>
>>
>> Will this patch be accepted? I think we should CC stable.

Stable will pick this up given Fixes tag. We were pinging also original patch author,
Tadeusz, for an ACK to include in commit msg, but looks he's unresponsive ... anyway,
applied, thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ