lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <fae09019-fffc-dc78-3c50-483d9c042bfe@iogearbox.net>
Date:   Tue, 6 Jul 2021 10:10:39 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     John Fastabend <john.fastabend@...il.com>,
        maciej.fijalkowski@...el.com, ast@...nel.org, andriin@...com
Cc:     bpf@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH bpf 1/2] bpf: track subprog poke correctly, fix
 use-after-free

On 6/30/21 9:40 PM, John Fastabend wrote:
[...]
>   arch/x86/net/bpf_jit_comp.c |  4 ++++
>   include/linux/bpf.h         |  1 +
>   kernel/bpf/core.c           |  7 ++++++-
>   kernel/bpf/verifier.c       | 39 +++++++------------------------------
>   4 files changed, 18 insertions(+), 33 deletions(-)
> 
> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> index 2a2e290fa5d8..ce8dbc9310a9 100644
> --- a/arch/x86/net/bpf_jit_comp.c
> +++ b/arch/x86/net/bpf_jit_comp.c
> @@ -576,6 +576,10 @@ static void bpf_tail_call_direct_fixup(struct bpf_prog *prog)
>   
>   	for (i = 0; i < prog->aux->size_poke_tab; i++) {
>   		poke = &prog->aux->poke_tab[i];
> +
> +		if (poke->aux && poke->aux != prog->aux)
> +			continue;
> +
>   		WARN_ON_ONCE(READ_ONCE(poke->tailcall_target_stable));
>   
>   		if (poke->reason != BPF_POKE_REASON_TAIL_CALL)
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index 02b02cb29ce2..a7532cb3493a 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -777,6 +777,7 @@ struct bpf_jit_poke_descriptor {
>   	void *tailcall_target;
>   	void *tailcall_bypass;
>   	void *bypass_addr;
> +	void *aux;
>   	union {
>   		struct {
>   			struct bpf_map *map;
> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> index 5e31ee9f7512..72810314c43b 100644
> --- a/kernel/bpf/core.c
> +++ b/kernel/bpf/core.c
> @@ -2211,8 +2211,13 @@ static void bpf_prog_free_deferred(struct work_struct *work)
>   #endif
>   	if (aux->dst_trampoline)
>   		bpf_trampoline_put(aux->dst_trampoline);
> -	for (i = 0; i < aux->func_cnt; i++)
> +	for (i = 0; i < aux->func_cnt; i++) {
> +		/* poke_tab in subprogs are links to main prog and are
> +		 * freed above so delete link without kfree.
> +		 */
> +		aux->func[i]->aux->poke_tab = NULL;
>   		bpf_jit_free(aux->func[i]);
> +	}
>   	if (aux->func_cnt) {
>   		kfree(aux->func);
>   		bpf_prog_unlock_free(aux->prog);
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 6e2ebcb0d66f..daa5a3f5e7b8 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -12109,30 +12109,17 @@ static int jit_subprogs(struct bpf_verifier_env *env)
>   		/* the btf and func_info will be freed only at prog->aux */
>   		func[i]->aux->btf = prog->aux->btf;
>   		func[i]->aux->func_info = prog->aux->func_info;
> +		func[i]->aux->poke_tab = prog->aux->poke_tab;
> +		func[i]->aux->size_poke_tab = prog->aux->size_poke_tab;
>   
>   		for (j = 0; j < prog->aux->size_poke_tab; j++) {
> -			u32 insn_idx = prog->aux->poke_tab[j].insn_idx;
> -			int ret;
> +			struct bpf_jit_poke_descriptor *poke;
>   
> -			if (!(insn_idx >= subprog_start &&
> -			      insn_idx <= subprog_end))
> -				continue;
> -
> -			ret = bpf_jit_add_poke_descriptor(func[i],
> -							  &prog->aux->poke_tab[j]);
> -			if (ret < 0) {
> -				verbose(env, "adding tail call poke descriptor failed\n");
> -				goto out_free;
> -			}
> +			poke = &prog->aux->poke_tab[j];
>   
> -			func[i]->insnsi[insn_idx - subprog_start].imm = ret + 1;
> -
> -			map_ptr = func[i]->aux->poke_tab[ret].tail_call.map;
> -			ret = map_ptr->ops->map_poke_track(map_ptr, func[i]->aux);
> -			if (ret < 0) {
> -				verbose(env, "tracking tail call prog failed\n");
> -				goto out_free;
> -			}
> +			if (poke->insn_idx < subprog_end &&
> +			    poke->insn_idx >= subprog_start)
> +				poke->aux = func[i]->aux;
>   		}

This still has a bug which leads to a use-after-free. Check the out_free label:

   out_free:
         for (i = 0; i < env->subprog_cnt; i++) {
                 if (!func[i])
                         continue;

                 for (j = 0; j < func[i]->aux->size_poke_tab; j++) {
                         map_ptr = func[i]->aux->poke_tab[j].tail_call.map;
                         map_ptr->ops->map_poke_untrack(map_ptr, func[i]->aux);
                 }
                 bpf_jit_free(func[i]);
         }
         kfree(func);

Neither the map_poke_untrack() belongs in there nor bpf_jit_free() with non-NULL
aux->func[i]->aux->poke_tab (given it belongs to the main prog instead).

>   		/* Use bpf_prog_F_tag to indicate functions in stack traces.
> @@ -12163,18 +12150,6 @@ static int jit_subprogs(struct bpf_verifier_env *env)
>   		cond_resched();
>   	}
>   
> -	/* Untrack main program's aux structs so that during map_poke_run()
> -	 * we will not stumble upon the unfilled poke descriptors; each
> -	 * of the main program's poke descs got distributed across subprogs
> -	 * and got tracked onto map, so we are sure that none of them will
> -	 * be missed after the operation below
> -	 */
> -	for (i = 0; i < prog->aux->size_poke_tab; i++) {
> -		map_ptr = prog->aux->poke_tab[i].tail_call.map;
> -
> -		map_ptr->ops->map_poke_untrack(map_ptr, prog->aux);
> -	}
> -
>   	/* at this point all bpf functions were successfully JITed
>   	 * now populate all bpf_calls with correct addresses and
>   	 * run last pass of JIT
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ