lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87frg6gysw.fsf@fau.de>
Date: Wed, 11 Jun 2025 16:03:59 +0200
From: Luis Gerhorst <luis.gerhorst@....de>
To: Eduard Zingerman <eddyz87@...il.com>
Cc: andrii@...nel.org,  ast@...nel.org,  bpf@...r.kernel.org,
  daniel@...earbox.net,  haoluo@...gle.com,  john.fastabend@...il.com,
  jolsa@...nel.org,  kpsingh@...nel.org,  linux-kernel@...r.kernel.org,
  martin.lau@...ux.dev,  sdf@...ichev.me,  song@...nel.org,
  syzkaller-bugs@...glegroups.com,  yonghong.song@...ux.dev
Subject: Re: [syzbot] [bpf?] KASAN: slab-use-after-free Read in do_check

Eduard Zingerman <eddyz87@...il.com> writes:

> Accessed memory is freed at an error path in push_stack():
>
>   static struct bpf_verifier_state *push_stack(...)
>   {
>   	...
>   err:
>   	free_verifier_state(env->cur_state, true); // <-- KASAN points here
>   	...
>   }
>
> And is accessed after being freed here:
>
>   static int do_check(struct bpf_verifier_env *env)
>   {
>   	...
> 		err = do_check_insn(env, &do_print_state);
> KASAN -->	if (state->speculative && error_recoverable_with_nospec(err)) ...
>   	...
>   }
>   
> [...]
>
> Either 'state = env->cur_state' is needed after 'do_check_insn()' or
> error path should not free env->cur_state (seems logical).

Sorry, this was my error from [1]. Thanks for the pointer.

Yes, I think the former makes sense (with the respective `state &&`
added to the if).

The latter might also be possible, but I guess it would require more
significant changes.

state->speculative does not make sense if the error path of push_stack()
ran. In that case, `state->speculative &&
error_recoverable_with_nospec(err)` as a whole should already never
evaluate to true (because all cases where push_stack() fails also return
a non-recoverable error -ENOMEM/-EFAULT).

Alternatively to adding `state = env->cur_state` and `state &&`, turning
the check around would avoid the use-after-free. However, I think your
idea is better because it is more explicit compared to this:

	if (error_recoverable_with_nospec(err) && state->speculative) ...

Does this make sense to you? If yes I can send the fix later today.

I will also check that all other paths calling free_verifier_state() are
sane. So far it looks good.

The later

	if (state->speculative && cur_aux(env)->nospec_result) {

should already be fine, because !env->cur_state should imply that the
previous if raises the error.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=d6f1c85f22534d2d9fea9b32645da19c91ebe7d2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ