bpf: Reject narrower access to pointer ctx fields #9336
+37
−10
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![kernel-patches-daemon-bpf[bot]](https://avatars.githubusercontent.com/u/70728002?s=60&v=4){kind=small}
|
Upstream branch: 42be23e |
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
ffefc6d to
4ccf98a
Compare
|
Upstream branch: 42be23e |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/984328=>bpf-next
branch
from
e171102 to
5e55350
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
4ccf98a to
95edab2
Compare
The following BPF program, simplified from a syzkaller repro, causes a
kernel warning:
r0 = *(u8 *)(r1 + 169);
exit;
With pointer field sk being at offset 168 in __sk_buff. This access is
detected as a narrower read in bpf_skb_is_valid_access because it
doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
and later proceeds to bpf_convert_ctx_access. At that point,
target_size is null and the verifier errors with a kernel warning and:
verifier bug: error during ctx access conversion(1)
This patch fixes that to return a proper "invalid bpf_context" error on
the load instruction.
The same issue affects the sk field in multiple context structure, as
well as data and data_end in bpf_sock_ops and optval and optval_end in
bpf_sockopt.
Note this syzkaller crash was reported in [1], which used to be about a
different bug, fixed in commit fce7bd8 ("bpf/verifier: Handle
BPF_LOAD_ACQ instructions in insn_def_regno()"). Because syzbot somehow
confused the two bugs, the new crash and repro didn't get reported to
the mailing list.
Link: https://syzkaller.appspot.com/bug?extid=0ef84a7bdf5301d4cbec [1]
Fixes: f96da09 ("bpf: simplify narrower ctx access")
Fixes: 0df1a55 ("bpf: Warn on internal verifier errors")
Reported-by: [email protected]
Signed-off-by: Paul Chaignon <[email protected]>
|
Upstream branch: 95993dc |
This patch adds two selftests to cover invalid narrower loads on the context. These used to cause kernel warning before the previous patch. To trigger the warning, the load had to be aligned, to read an affected pointer field (ex., skb->sk), and not starting at the beginning of the pointer field. The new selftests show two such loads of 1B and 4B sizes. Signed-off-by: Paul Chaignon <[email protected]>
kernel-patches-daemon-bpf
bot
force-pushed
the
series/984328=>bpf-next
branch
from
5e55350 to
8db6daa
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: bpf: Reject narrower access to pointer ctx fields
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=984328