lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <bea428ec-6f89-e828-5d23-59c29c940869@fb.com>
Date:   Thu, 2 Nov 2017 08:28:26 -0700
From:   Alexei Starovoitov <ast@...com>
To:     Craig Gallek <kraigatgoog@...il.com>,
        "David S . Miller" <davem@...emloft.net>
CC:     <netdev@...r.kernel.org>
Subject: Re: [PATCH net-next v2] bpf: fix verifier NULL pointer dereference

On 11/2/17 8:18 AM, Craig Gallek wrote:
> From: Craig Gallek <kraig@...gle.com>
>
> do_check() can fail early without allocating env->cur_state under
> memory pressure.  Syzkaller found the stack below on the linux-next
> tree because of this.
>
>   kasan: CONFIG_KASAN_INLINE enabled
>   kasan: GPF could be caused by NULL-ptr deref or user memory access
>   general protection fault: 0000 [#1] SMP KASAN
>   Dumping ftrace buffer:
>      (ftrace buffer empty)
>   Modules linked in:
>   CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106
>   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>   task: ffff8801c2c74700 task.stack: ffff8801c3e28000
>   RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline]
>   RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533
>   RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202
>   RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000
>   RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380
>   RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f
>   R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28
>   R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20
>   FS:  00007f311079b700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>   CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0
>   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>   Call Trace:
>    bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166
>    SYSC_bpf kernel/bpf/syscall.c:1690 [inline]
>    SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652
>    entry_SYSCALL_64_fastpath+0x1f/0xbe
>   RIP: 0033:0x452869
>   RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
>   RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869
>   RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005
>   RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000
>   R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550
>   R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000
>   Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26
>   RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP: ffff8801c3e2f5c8
>   RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP: ffff8801c3e2f5c8
>   ---[ end trace c8d37f339dc64004 ]---
>
> Fixes: 638f5b90d460 ("bpf: reduce verifier memory consumption")
> Fixes: 1969db47f8d0 ("bpf: fix verifier memory leaks")
> Signed-off-by: Craig Gallek <kraig@...gle.com>

Acked-by: Alexei Starovoitov <ast@...nel.org>

Thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ