lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <01c816691c132dd6c8c2588f396b240f033ce201.camel@gmail.com>
Date: Wed, 11 Jun 2025 15:23:06 -0700
From: Eduard Zingerman <eddyz87@...il.com>
To: Luis Gerhorst <luis.gerhorst@....de>, Alexei Starovoitov
 <ast@...nel.org>,  Daniel Borkmann <daniel@...earbox.net>, John Fastabend
 <john.fastabend@...il.com>, Andrii Nakryiko	 <andrii@...nel.org>, Martin
 KaFai Lau <martin.lau@...ux.dev>, Song Liu	 <song@...nel.org>, Yonghong
 Song <yonghong.song@...ux.dev>, KP Singh	 <kpsingh@...nel.org>, Stanislav
 Fomichev <sdf@...ichev.me>, Hao Luo	 <haoluo@...gle.com>, Jiri Olsa
 <jolsa@...nel.org>, Kumar Kartikeya Dwivedi	 <memxor@...il.com>, Henriette
 Herzog <henriette.herzog@....de>, 	bpf@...r.kernel.org,
 linux-kernel@...r.kernel.org
Cc: syzbot+b5eb72a560b8149a1885@...kaller.appspotmail.com
Subject: Re: [PATCH bpf-next] bpf: Fix state use-after-free on push_stack()
 err

On Wed, 2025-06-11 at 23:07 +0200, Luis Gerhorst wrote:

[...]

> Signed-off-by: Luis Gerhorst <luis.gerhorst@....de>

I reproduced the error locally and this patch fixes it.
Also double-checked places where free_verifier_state is called
and error codes used in error_recoverable_with_nospec() are used.
Looks like env->cur_state should be always ok if
error_recoverable_with_nospec() recovers, env internal structures
in healthy state.

Acked-by: Eduard Zingerman <eddyz87@...il.com>

> ---
>  kernel/bpf/verifier.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index b1f797616f20..d3bff0385a55 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -14229,7 +14229,7 @@ static int sanitize_err(struct bpf_verifier_env *env,
>  	case REASON_STACK:
>  		verbose(env, "R%d could not be pushed for speculative verification, %s\n",
>  			dst, err);
> -		break;
> +		return -ENOMEM;

Good catch, I would have probably missed it.

>  	default:
>  		verbose(env, "verifier internal error: unknown reason (%d)\n",
>  			reason);
> @@ -19753,7 +19753,7 @@ static int do_check(struct bpf_verifier_env *env)
>  			goto process_bpf_exit;
>  
>  		err = do_check_insn(env, &do_print_state);
> -		if (state->speculative && error_recoverable_with_nospec(err)) {
> +		if (error_recoverable_with_nospec(err) && state->speculative) {
>  			/* Prevent this speculative path from ever reaching the
>  			 * insn that would have been unsafe to execute.
>  			 */
> 
> base-commit: 2d72dd14d77f31a7caa619fe0b889304844e612e

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ