Message-ID: <03545f38-c01a-faeb-adab-a0a471ff9fc3@iogearbox.net>
Date:   Fri, 31 Jul 2020 18:12:48 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Jiri Olsa <jolsa@...hat.com>
Cc:     davem@...emloft.net, kuba@...nel.org, ast@...nel.org,
        jolsa@...nel.org, netdev@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: pull-request: bpf 2020-07-31

On 7/31/20 5:24 PM, Jiri Olsa wrote:
> On Fri, Jul 31, 2020 at 03:51:45PM +0200, Daniel Borkmann wrote:
>> Hi David,
>>
>> The following pull-request contains BPF updates for your *net* tree.
>>
>> We've added 5 non-merge commits during the last 21 day(s) which contain
>> a total of 5 files changed, 126 insertions(+), 18 deletions(-).
>>
>> The main changes are:
>>
>> 1) Fix a map element leak in HASH_OF_MAPS map type, from Andrii Nakryiko.
>>
>> 2) Fix a NULL pointer dereference in __btf_resolve_helper_id() when no
>>     btf_vmlinux is available, from Peilin Ye.
>>
>> 3) Init pos variable in __bpfilter_process_sockopt(), from Christoph Hellwig.
>>
>> 4) Fix a cgroup sockopt verifier test by specifying expected attach type,
>>     from Jean-Philippe Brucker.
>>
>> Please consider pulling these changes from:
>>
>>    git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git
>>
>> Thanks a lot!
>>
>> Note that when net gets merged into net-next later on, there is a small
>> merge conflict in kernel/bpf/btf.c between commit 5b801dfb7feb ("bpf: Fix
>> NULL pointer dereference in __btf_resolve_helper_id()") from the bpf tree
>> and commit 138b9a0511c7 ("bpf: Remove btf_id helpers resolving") from the
>> net-next tree.
>>
>> Resolve as follows: remove the old hunk with the __btf_resolve_helper_id()
>> function. Change the btf_resolve_helper_id() so it actually tests for a
>> NULL btf_vmlinux and bails out:
>>
>> int btf_resolve_helper_id(struct bpf_verifier_log *log,
>>                            const struct bpf_func_proto *fn, int arg)
>> {
>>          int id;
>>
>>          if (fn->arg_type[arg] != ARG_PTR_TO_BTF_ID || !btf_vmlinux)
>>                  return -EINVAL;
>>          id = fn->btf_id[arg];
>>          if (!id || id > btf_vmlinux->nr_types)
>>                  return -EINVAL;
>>          return id;
>> }
>>
>> Let me know if you run into any other issues (CC'ing Jiri Olsa so he's in
>> the loop with regards to merge conflict resolution).
> 
> we'll lose the bpf_log message, but I'm fine with that ;-) looks good

Checking again on the fix, even though it was only triggered by syzkaller
so far, I think it's also possible if users don't have BTF debug data set
in the Kconfig but use a helper that expects it, so agree, let's re-add the
log in this case:

int btf_resolve_helper_id(struct bpf_verifier_log *log,
                           const struct bpf_func_proto *fn, int arg)
{
         int id;

         if (fn->arg_type[arg] != ARG_PTR_TO_BTF_ID)
                 return -EINVAL;
         if (!btf_vmlinux) {
                 bpf_log(log, "btf_vmlinux doesn't exist\n");
                 return -EINVAL;
         }
         id = fn->btf_id[arg];
         if (!id || id > btf_vmlinux->nr_types)
                 return -EINVAL;
         return id;
}

Thanks,
Daniel
