lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 13 Apr 2022 10:28:00 -0700
From:   Tadeusz Struk <>
To:     Andrii Nakryiko <>
Cc:     bpf <>, Alexei Starovoitov <>,
        Daniel Borkmann <>,
        Andrii Nakryiko <>,
        Martin KaFai Lau <>,
        Song Liu <>, Yonghong Song <>,
        John Fastabend <>,
        KP Singh <>,
        Networking <>,
        linux- stable <>,
        open list <>,
Subject: Re: [PATCH] bpf: Fix KASAN use-after-free Read in

Hi Andrii,
On 4/12/22 21:34, Andrii Nakryiko wrote:
> On Tue, Apr 5, 2022 at 10:04 AM Tadeusz Struk<>  wrote:
>> Syzbot found a Use After Free bug in compute_effective_progs().
>> The reproducer creates a number of BPF links, and causes a fault
>> injected alloc to fail, while calling bpf_link_detach on them.
>> Link detach triggers the link to be freed by bpf_link_free(),
>> which calls __cgroup_bpf_detach() and update_effective_progs().
>> If the memory allocation in this function fails, the function restores
>> the pointer to the bpf_cgroup_link on the cgroup list, but the memory
>> gets freed just after it returns. After this, every subsequent call to
>> update_effective_progs() causes this already deallocated pointer to be
>> dereferenced in prog_list_length(), and triggers KASAN UAF error.
>> To fix this don't preserve the pointer to the link on the cgroup list
>> in __cgroup_bpf_detach(), but proceed with the cleanup and retry calling
>> update_effective_progs() again afterwards.
> I think it's still problematic. BPF link might have been the last one
> that holds bpf_prog's refcnt, so when link is put, its prog can stay
> there in effective_progs array(s) and will cause use-after-free
> anyways.
> It would be best to make sure that detach never fails. On detach
> effective prog array can only shrink, so even if
> update_effective_progs() fails to allocate memory, we should be able
> to iterate and just replace that prog with NULL, as a fallback
> strategy.

it would be ideal if detach would never fail, but it would require some kind of 
prealloc, on attach maybe? Another option would be to minimize the probability
of failing by sending it gfp_t flags (GFP_NOIO | GFP_NOFS | __GFP_NOFAIL)?
Detach can really only fail if the kzalloc in compute_effective_progs() fails
so maybe doing something like bellow would help:

diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index 128028efda64..5a47740c317b 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -226,7 +226,8 @@ static bool hierarchy_allows_attach(struct cgroup *cgrp,
  static int compute_effective_progs(struct cgroup *cgrp,
  				   enum cgroup_bpf_attach_type atype,
-				   struct bpf_prog_array **array)
+				   struct bpf_prog_array **array,
+				   gfp_t flags)
  	struct bpf_prog_array_item *item;
  	struct bpf_prog_array *progs;
@@ -241,7 +242,7 @@ static int compute_effective_progs(struct cgroup *cgrp,
  		p = cgroup_parent(p);
  	} while (p);

-	progs = bpf_prog_array_alloc(cnt, GFP_KERNEL);
+	progs = bpf_prog_array_alloc(cnt, flags);
  	if (!progs)
  		return -ENOMEM;

@@ -308,7 +309,7 @@ int cgroup_bpf_inherit(struct cgroup *cgrp)

  	for (i = 0; i < NR; i++)
-		if (compute_effective_progs(cgrp, i, &arrays[i]))
+		if (compute_effective_progs(cgrp, i, &arrays[i], GFP_KERNEL))
  			goto cleanup;

  	for (i = 0; i < NR; i++)
@@ -328,7 +329,8 @@ int cgroup_bpf_inherit(struct cgroup *cgrp)

  static int update_effective_progs(struct cgroup *cgrp,
-				  enum cgroup_bpf_attach_type atype)
+				  enum cgroup_bpf_attach_type atype,
+				  gfp_t flags)
  	struct cgroup_subsys_state *css;
  	int err;
@@ -340,7 +342,8 @@ static int update_effective_progs(struct cgroup *cgrp,
  		if (percpu_ref_is_zero(&desc->bpf.refcnt))

-		err = compute_effective_progs(desc, atype, &desc->bpf.inactive);
+		err = compute_effective_progs(desc, atype, &desc->bpf.inactive,
+					      flags);
  		if (err)
  			goto cleanup;
@@ -499,7 +502,7 @@ static int __cgroup_bpf_attach(struct cgroup *cgrp,
  	bpf_cgroup_storages_assign(pl->storage, storage);
  	cgrp->bpf.flags[atype] = saved_flags;

-	err = update_effective_progs(cgrp, atype);
+	err = update_effective_progs(cgrp, atype, GFP_KERNEL);
  	if (err)
  		goto cleanup;

@@ -722,7 +725,7 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct 
bpf_prog *prog,
  	pl->prog = NULL;
  	pl->link = NULL;

-	err = update_effective_progs(cgrp, atype);
+	err = update_effective_progs(cgrp, atype, GFP_NOIO | GFP_NOFS | __GFP_NOFAIL);
  	if (err)
  		goto cleanup;

>> -cleanup:
>> -       /* restore back prog or link */
>> -       pl->prog = old_prog;
>> -       pl->link = link;
>> +       /* In case of error call update_effective_progs again */
>> +       if (err)
>> +               err = update_effective_progs(cgrp, atype);
> there is no guarantee that this will now succeed, right? so it's more
> like "let's try just in case we are lucky this time"?

Yes, there is no guarantee, but my thinking was that since we have freed some
memory (see kfree(pl) above) let's retry and see if it works this time.
If that is combined with the above gfp flags it is a good chance that it will
work. What do you think?


Powered by blists - more mailing lists