lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 8 Jan 2018 18:33:21 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Alexei Starovoitov <ast@...nel.org>, davem@...emloft.net
Cc:     netdev@...r.kernel.org, kernel-team@...com
Subject: Re: [PATCH bpf-next] bpf: fix verifier GPF in kmalloc failure path

On 01/08/2018 04:51 PM, Alexei Starovoitov wrote:
> From: Alexei Starovoitov <ast@...com>
> 
> syzbot reported the following panic in the verifier triggered
> by kmalloc error injection:
> 
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> RIP: 0010:copy_func_state kernel/bpf/verifier.c:403 [inline]
> RIP: 0010:copy_verifier_state+0x364/0x590 kernel/bpf/verifier.c:431
> Call Trace:
>  pop_stack+0x8c/0x270 kernel/bpf/verifier.c:449
>  push_stack kernel/bpf/verifier.c:491 [inline]
>  check_cond_jmp_op kernel/bpf/verifier.c:3598 [inline]
>  do_check+0x4b60/0xa050 kernel/bpf/verifier.c:4731
>  bpf_check+0x3296/0x58c0 kernel/bpf/verifier.c:5489
>  bpf_prog_load+0xa2a/0x1b00 kernel/bpf/syscall.c:1198
>  SYSC_bpf kernel/bpf/syscall.c:1807 [inline]
>  SyS_bpf+0x1044/0x4420 kernel/bpf/syscall.c:1769
> 
> when copy_verifier_state() aborts in the middle due to kmalloc failure
> some of the frames could have been partially copied while
> current free_verifier_state() loop
> for (i = 0; i <= state->curframe; i++)
> assumed that all frames are non-null.
> Simply fix it by adding 'if (!state)' to free_func_state().
> Also avoid stressing copy frame logic more if kzalloc fails
> in push_stack() free env->cur_state right away.
> 
> Reported-by: syzbot+32ac5a3e473f2e01cfc7@...kaller.appspotmail.com
> Reported-by: syzbot+fa99e24f3c29d269a7d5@...kaller.appspotmail.com
> Signed-off-by: Alexei Starovoitov <ast@...nel.org>

Applied to bpf-next with Fixes tags, thanks Alexei!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ