lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <wz6god46aom7lfyuvhju67w47czdznzflec3ilqs6f7fpyf3di@k5wliusgqlut>
Date: Wed, 24 Sep 2025 23:58:03 +0530
From: Brahmajit Das <listout@...tout.xyz>
To: KaFai Wan <kafai.wan@...ux.dev>, 
	Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: syzbot+d36d5ae81e1b0a53ef58@...kaller.appspotmail.com, 
	Andrii Nakryiko <andrii@...nel.org>, Alexei Starovoitov <ast@...nel.org>, bpf <bpf@...r.kernel.org>, 
	Daniel Borkmann <daniel@...earbox.net>, Eduard <eddyz87@...il.com>, Hao Luo <haoluo@...gle.com>, 
	John Fastabend <john.fastabend@...il.com>, Jiri Olsa <jolsa@...nel.org>, KP Singh <kpsingh@...nel.org>, 
	LKML <linux-kernel@...r.kernel.org>, Martin KaFai Lau <martin.lau@...ux.dev>, 
	Stanislav Fomichev <sdf@...ichev.me>, Song Liu <song@...nel.org>, 
	syzkaller-bugs <syzkaller-bugs@...glegroups.com>, Yonghong Song <yonghong.song@...ux.dev>
Subject: Re: [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()

On 25.09.2025 01:38, KaFai Wan wrote:
> On Wed, 2025-09-24 at 21:10 +0530, Brahmajit Das wrote:
> > On 24.09.2025 09:32, Alexei Starovoitov wrote:
> > > On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das <listout@...tout.xyz>
> > > wrote:
> > > > 
> > > > Syzkaller reported a general protection fault due to a NULL
> > > > pointer
> > > > dereference in print_reg_state() when accessing reg->map_ptr
> > > > without
> > > > checking if it is NULL.
> > > > 
> > ...snip...
> > > > -       if (type_is_map_ptr(t)) {
> > > > +       if (type_is_map_ptr(t) && reg->map_ptr) {
> > > 
> > > You ignored earlier feedback.
> > > Fix the root cause, not the symptom.
> > > 
> > > pw-bot: cr
> > 
> > I'm not sure if I'm headed the write direction but it seems like in
> > check_alu_op, we are calling adjust_scalar_min_max_vals when we get
> > an
> > BPF_NEG as opcode. Which has a call to __mark_reg_known when opcode
> > is
> > BPF_NEG. And __mark_reg_known clears map_ptr with
> > 
> > 	/* Clear off and union(map_ptr, range) */
> > 	memset(((u8 *)reg) + sizeof(reg->type), 0,
> > 	       offsetof(struct bpf_reg_state, var_off) - sizeof(reg-
> > >type));
> > 
> 
> I think you are right. The following code can reproduce the error.
> 
> 	asm volatile ("					\
> 	r0 = %[map_hash_48b] ll;			\
> 	r0 = -r0;					\
> 	exit;						\
> "	:
> 	: __imm_addr(map_hash_48b)
> 	: __clobber_all);
> 
> 
> BPF_NEG calls __mark_reg_known(dst_reg, 0) which clears the 'off' and
> 'union(map_ptr, range)' of dst_reg, but keeps the 'type', which is
> CONST_PTR_TO_MAP.
> 
> Perhaps we can only allow the SCALAR_VALUE type to run BPF_NEG as an
> opcode, while for other types same as the before BPF_NEG.
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index e892df386eed..dbf9f1efc6e7 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -15346,13 +15346,15 @@ static bool
> is_safe_to_compute_dst_reg_range(struct bpf_insn *insn,
>  	switch (BPF_OP(insn->code)) {
>  	case BPF_ADD:
>  	case BPF_SUB:
> -	case BPF_NEG:
>  	case BPF_AND:
>  	case BPF_XOR:
>  	case BPF_OR:
>  	case BPF_MUL:
>  		return true;
>  
> +	case BPF_NEG:
> +		return base_type(src_reg->type) == SCALAR_VALUE;
> +
> 
> 
> -- 
> Thanks,
> KaFai

Before even going into adjust_scalar_min_max_vals we have a check in
check_alu_op, which I think is not being respected. Going to expand on
this below as response to Alexei.

On 24.09.2025 18:28, Alexei Starovoitov wrote:
> On Wed, Sep 24, 2025 at 4:41 PM Brahmajit Das <listout@...tout.xyz> wrote:
> >
> > On 24.09.2025 09:32, Alexei Starovoitov wrote:
> > > On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das <listout@...tout.xyz> wrote:
> > > >
> > > > Syzkaller reported a general protection fault due to a NULL pointer
> > > > dereference in print_reg_state() when accessing reg->map_ptr without
> > > > checking if it is NULL.
> > > >
> > ...snip...
> > > > -       if (type_is_map_ptr(t)) {
> > > > +       if (type_is_map_ptr(t) && reg->map_ptr) {
> > >
> > > You ignored earlier feedback.
> > > Fix the root cause, not the symptom.
> > >
> > > pw-bot: cr
> >
> > I'm not sure if I'm headed the write direction but it seems like in
> > check_alu_op, we are calling adjust_scalar_min_max_vals when we get an
> > BPF_NEG as opcode. Which has a call to __mark_reg_known when opcode is
> > BPF_NEG. And __mark_reg_known clears map_ptr with
> 
> Looks like we're getting somewhere.
> It seems the verifier is not clearing reg->type.
> adjust_scalar_min_max_vals() should be called on scalar types only.

Right, there is a check in check_alu_op

		if (is_pointer_value(env, insn->dst_reg)) {
			verbose(env, "R%d pointer arithmetic prohibited\n",
				insn->dst_reg);
			return -EACCES;
		}

is_pointer_value calls __is_pointer_value which takes bool
allow_ptr_leaks as the first argument. Now for some reason in this case
allow_ptr_leaks is being passed as true, as a result __is_pointer_value
(and in turn is_pointer_value) returns false when even when register
type is CONST_PTR_TO_MAP.

-- 
Regards,
listout

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ