lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200430194609.1216836-1-andriin@fb.com>
Date:   Thu, 30 Apr 2020 12:46:08 -0700
From:   Andrii Nakryiko <andriin@...com>
To:     <bpf@...r.kernel.org>, <netdev@...r.kernel.org>, <ast@...com>,
        <daniel@...earbox.net>
CC:     <andrii.nakryiko@...il.com>, <kernel-team@...com>,
        Andrii Nakryiko <andriin@...com>,
        <syzbot+39b64425f91b5aab714d@...kaller.appspotmail.com>
Subject: [PATCH bpf-next] bpf: fix use-after-free of bpf_link when priming half-fails

If bpf_link_prime() succeeds to allocate new anon file, but then fails to
allocate ID for it, link priming is considered to be failed and user is
supposed ot be able to directly kfree() bpf_link, because it was never exposed
to user-space.

But at that point file already keeps a pointer to bpf_link and will eventually
call bpf_link_release(), so if bpf_link was kfree()'d by caller, that would
lead to use-after-free.

Fix this by creating file with NULL private_data until ID allocation succeeds.
Only then set private_data to bpf_link. Teach bpf_link_release() to recognize
such situation and do nothing.

Fixes: a3b80e107894 ("bpf: Allocate ID for bpf_link")
Reported-by: syzbot+39b64425f91b5aab714d@...kaller.appspotmail.com
Signed-off-by: Andrii Nakryiko <andriin@...com>
---
 kernel/bpf/syscall.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index c75b2dd2459c..ce00df64a4d4 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -2267,7 +2267,12 @@ static int bpf_link_release(struct inode *inode, struct file *filp)
 {
 	struct bpf_link *link = filp->private_data;
 
-	bpf_link_put(link);
+	/* if bpf_link_prime() allocated file, but failed to allocate ID,
+	 * file->private_data will be null and by now link itself is kfree()'d
+	 * directly, so just do nothing in such case.
+	 */
+	if (link)
+		bpf_link_put(link);
 	return 0;
 }
 
@@ -2348,7 +2353,7 @@ int bpf_link_prime(struct bpf_link *link, struct bpf_link_primer *primer)
 	if (fd < 0)
 		return fd;
 
-	file = anon_inode_getfile("bpf_link", &bpf_link_fops, link, O_CLOEXEC);
+	file = anon_inode_getfile("bpf_link", &bpf_link_fops, NULL, O_CLOEXEC);
 	if (IS_ERR(file)) {
 		put_unused_fd(fd);
 		return PTR_ERR(file);
@@ -2357,10 +2362,15 @@ int bpf_link_prime(struct bpf_link *link, struct bpf_link_primer *primer)
 	id = bpf_link_alloc_id(link);
 	if (id < 0) {
 		put_unused_fd(fd);
-		fput(file);
+		fput(file); /* won't put link, so user can kfree() it */
 		return id;
 	}
 
+	/* Link priming succeeded, point file's private data to link now.
+	 * After this caller has to call bpf_link_cleanup() to free link.
+	 */
+	file->private_data = link;
+
 	primer->link = link;
 	primer->file = file;
 	primer->fd = fd;
-- 
2.24.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ