moonjuice/kernel_arpi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
b2eccb43aa1b2da075373a26b978f1253bee2b50
kernel_arpi/kernel
History
Daniel Borkmann b2eccb43aa bpf: Fix passing modified ctx to ld/abs/ind instruction 
commit 6d4f151acf upstream.

Anatoly has been fuzzing with kBdysch harness and reported a KASAN
slab oob in one of the outcomes:

  [...]
  [   77.359642] BUG: KASAN: slab-out-of-bounds in bpf_skb_load_helper_8_no_cache+0x71/0x130
  [   77.360463] Read of size 4 at addr ffff8880679bac68 by task bpf/406
  [   77.361119]
  [   77.361289] CPU: 2 PID: 406 Comm: bpf Not tainted 5.5.0-rc2-xfstests-00157-g2187f215eba #1
  [   77.362134] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
  [   77.362984] Call Trace:
  [   77.363249]  dump_stack+0x97/0xe0
  [   77.363603]  print_address_description.constprop.0+0x1d/0x220
  [   77.364251]  ? bpf_skb_load_helper_8_no_cache+0x71/0x130
  [   77.365030]  ? bpf_skb_load_helper_8_no_cache+0x71/0x130
  [   77.365860]  __kasan_report.cold+0x37/0x7b
  [   77.366365]  ? bpf_skb_load_helper_8_no_cache+0x71/0x130
  [   77.366940]  kasan_report+0xe/0x20
  [   77.367295]  bpf_skb_load_helper_8_no_cache+0x71/0x130
  [   77.367821]  ? bpf_skb_load_helper_8+0xf0/0xf0
  [   77.368278]  ? mark_lock+0xa3/0x9b0
  [   77.368641]  ? kvm_sched_clock_read+0x14/0x30
  [   77.369096]  ? sched_clock+0x5/0x10
  [   77.369460]  ? sched_clock_cpu+0x18/0x110
  [   77.369876]  ? bpf_skb_load_helper_8+0xf0/0xf0
  [   77.370330]  ___bpf_prog_run+0x16c0/0x28f0
  [   77.370755]  __bpf_prog_run32+0x83/0xc0
  [   77.371153]  ? __bpf_prog_run64+0xc0/0xc0
  [   77.371568]  ? match_held_lock+0x1b/0x230
  [   77.371984]  ? rcu_read_lock_held+0xa1/0xb0
  [   77.372416]  ? rcu_is_watching+0x34/0x50
  [   77.372826]  sk_filter_trim_cap+0x17c/0x4d0
  [   77.373259]  ? sock_kzfree_s+0x40/0x40
  [   77.373648]  ? __get_filter+0x150/0x150
  [   77.374059]  ? skb_copy_datagram_from_iter+0x80/0x280
  [   77.374581]  ? do_raw_spin_unlock+0xa5/0x140
  [   77.375025]  unix_dgram_sendmsg+0x33a/0xa70
  [   77.375459]  ? do_raw_spin_lock+0x1d0/0x1d0
  [   77.375893]  ? unix_peer_get+0xa0/0xa0
  [   77.376287]  ? __fget_light+0xa4/0xf0
  [   77.376670]  __sys_sendto+0x265/0x280
  [   77.377056]  ? __ia32_sys_getpeername+0x50/0x50
  [   77.377523]  ? lock_downgrade+0x350/0x350
  [   77.377940]  ? __sys_setsockopt+0x2a6/0x2c0
  [   77.378374]  ? sock_read_iter+0x240/0x240
  [   77.378789]  ? __sys_socketpair+0x22a/0x300
  [   77.379221]  ? __ia32_sys_socket+0x50/0x50
  [   77.379649]  ? mark_held_locks+0x1d/0x90
  [   77.380059]  ? trace_hardirqs_on_thunk+0x1a/0x1c
  [   77.380536]  __x64_sys_sendto+0x74/0x90
  [   77.380938]  do_syscall_64+0x68/0x2a0
  [   77.381324]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
  [   77.381878] RIP: 0033:0x44c070
  [...]

After further debugging, turns out while in case of other helper functions
we disallow passing modified ctx, the special case of ld/abs/ind instruction
which has similar semantics (except r6 being the ctx argument) is missing
such check. Modified ctx is impossible here as bpf_skb_load_helper_8_no_cache()
and others are expecting skb fields in original position, hence, add
check_ctx_reg() to reject any modified ctx. Issue was first introduced back
in f1174f77b5 ("bpf/verifier: rework value tracking").

Fixes: f1174f77b5 ("bpf/verifier: rework value tracking")
Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20200106215157.3553-1-daniel@iogearbox.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-01-12 12:21:10 +01:00
..
bpf
bpf: Fix passing modified ctx to ld/abs/ind instruction
2020-01-12 12:21:10 +01:00
cgroup
cgroup: freezer: don't change task and cgroups status unnecessarily
2019-12-31 16:45:06 +01:00
configs
debug
kgdb: don't use a notifier to enter kgdb at panic; call directly
2019-09-25 17:51:40 -07:00
dma
dma-mapping: fix handling of dma-ranges for reserved memory (again)
2020-01-04 19:17:00 +01:00
events
perf/core: Fix the mlock accounting, again
2019-12-31 16:45:38 +01:00
gcov
um: Enable CONFIG_CONSTRUCTORS
2019-09-15 21:37:13 +02:00
irq
irq/irqdomain: Update __irq_domain_alloc_fwnode() function documentation
2019-11-05 00:48:26 +01:00
livepatch
livepatch: Nullify obj->mod in klp_module_coming()'s error path
2019-08-19 13:03:37 +02:00
locking
Revert "locking/pvqspinlock: Don't wait if vCPU is preempted"
2019-09-25 10:22:37 +02:00
power
PM / hibernate: memory_bm_find_bit(): Tighten node optimisation
2020-01-09 10:19:51 +01:00
printk
Merge branch 'for-5.4' into for-linus
2019-09-16 12:54:25 +02:00
rcu
Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2019-09-16 17:25:49 -07:00
sched
cpufreq: Avoid leaving stale IRQ work items during CPU offline
2019-12-31 16:46:06 +01:00
time
ptp: fix the race between the release of ptp_clock and cdev
2020-01-04 19:18:48 +01:00
trace
ftrace: Avoid potential division by zero in function profiler
2020-01-09 10:20:01 +01:00
.gitignore
Provide in-kernel headers to make extending kernel easier
2019-04-29 16:48:03 +02:00
acct.c
acct_on(): don't mess with freeze protection
2019-04-04 21:04:13 -04:00
async.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441
2019-06-05 17:37:17 +02:00
audit_fsnotify.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157
2019-05-30 11:26:37 -07:00
audit_tree.c
fsnotify: switch send_to_group() and ->handle_event to const struct qstr *
2019-04-26 13:51:03 -04:00
audit_watch.c
audit_get_nd(): don't unlock parent too early
2019-11-10 11:56:55 -05:00
audit.c
Merge tag 'audit-pr-20190702' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
2019-07-08 18:55:42 -07:00
audit.h
Merge tag 'audit-pr-20190702' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
2019-07-08 18:55:42 -07:00
auditfilter.c
Merge tag 'audit-pr-20190702' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
2019-07-08 18:55:42 -07:00
auditsc.c
audit: enforce op for string fields
2019-05-28 17:46:43 -04:00
backtracetest.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441
2019-06-05 17:37:17 +02:00
bounds.c
capability.c
LSM: add SafeSetID module that gates setid calls
2019-01-25 11:22:43 -08:00
compat.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
configs.c
kernel/configs: Replace GPL boilerplate code with SPDX identifier
2019-07-30 18:34:15 +02:00
context_tracking.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
cpu_pm.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282
2019-06-05 17:36:37 +02:00
cpu.c
cpu/speculation: Uninline and export CPU mitigations helpers
2019-11-04 12:22:02 +01:00
crash_core.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 230
2019-06-19 17:09:06 +02:00
crash_dump.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
cred.c
memcg: account security cred as well to kmemcg
2020-01-09 10:19:57 +01:00
delayacct.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 25
2019-05-21 11:52:39 +02:00
dma.c
elfcore.c
kernel/elfcore.c: include proper prototypes
2019-09-25 17:51:39 -07:00
exec_domain.c
exit.c
exit: panic before exit_mm() on global init exit
2020-01-09 10:20:01 +01:00
extable.c
extable: Add function to search only kernel exception table
2019-08-21 22:23:48 +10:00
fail_function.c
fail_function: no need to check return value of debugfs_create functions
2019-06-03 15:49:06 +02:00
fork.c
futex: Split futex_mm_release() for exit/exec
2019-11-29 10:10:10 +01:00
freezer.c
Revert "libata, freezer: avoid block device removal while system is frozen"
2019-10-06 09:11:37 -06:00
futex.c
futex: Prevent exit livelock
2019-11-29 10:10:14 +01:00
gen_kheaders.sh
kheaders: substituting --sort in archive creation
2019-10-17 09:08:19 +09:00
groups.c
hung_task.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
iomem.c
mm/nvdimm: add is_ioremap_addr and use that to check ioremap address
2019-07-12 11:05:40 -07:00
irq_work.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
jump_label.c
jump_label: Don't warn on __exit jump entries
2019-08-29 15:10:10 +01:00
kallsyms.c
kallsyms: Don't let kallsyms_lookup_size_offset() fail on retrieving the first symbol
2019-08-27 16:19:56 +01:00
kcmp.c
Kconfig.freezer
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
Kconfig.hz
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
Kconfig.locks
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
Kconfig.preempt
sched/rt, Kconfig: Unbreak def/oldconfig with CONFIG_PREEMPT=y
2019-07-22 18:05:11 +02:00
kcov.c
kcov: convert kcov.refcount to refcount_t
2019-03-07 18:32:02 -08:00
kexec_core.c
kexec: bail out upon SIGKILL when allocating memory.
2019-09-25 17:51:40 -07:00
kexec_elf.c
kexec_elf: support 32 bit ELF files
2019-09-06 23:58:44 +02:00
kexec_file.c
Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
2019-09-28 08:14:15 -07:00
kexec_internal.h
kexec.c
kexec_load: Disable at runtime if the kernel is locked down
2019-08-19 21:54:15 -07:00
kheaders.c
kheaders: Move from proc to sysfs
2019-05-24 20:16:01 +02:00
kmod.c
kprobes.c
Merge tag 'trace-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
2019-09-20 11:19:48 -07:00
ksysfs.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 170
2019-05-30 11:26:39 -07:00
kthread.c
kthread: make __kthread_queue_delayed_work static
2019-10-16 09:20:58 -07:00
latencytop.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441
2019-06-05 17:37:17 +02:00
Makefile
Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
2019-09-27 19:37:27 -07:00
module_signature.c
MODSIGN: Export module signature definitions
2019-08-05 18:39:56 -04:00
module_signing.c
MODSIGN: Export module signature definitions
2019-08-05 18:39:56 -04:00
module-internal.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36
2019-05-24 17:27:11 +02:00
module.c
kernel/module.c: wakeup processes in module_wq on module unload
2020-01-09 10:20:02 +01:00
notifier.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
nsproxy.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441
2019-06-05 17:37:17 +02:00
padata.c
padata: remove cpu_index from the parallel_queue
2019-09-13 21:15:41 +10:00
panic.c
panic: ensure preemption is disabled during panic()
2019-10-07 15:47:19 -07:00
params.c
lockdown: Lock down module params that specify hardware parameters (eg. ioport)
2019-08-19 21:54:16 -07:00
pid_namespace.c
proc/sysctl: add shared variables for range check
2019-07-18 17:08:07 -07:00
pid.c
kernel/pid.c: convert struct pid count to refcount_t
2019-07-16 19:23:24 -07:00
profile.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
ptrace.c
ptrace: add PTRACE_GET_SYSCALL_INFO request
2019-07-16 19:23:24 -07:00
range.c
reboot.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
relay.c
Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-03-12 13:27:20 -07:00
resource.c
mm/memory_hotplug.c: use PFN_UP / PFN_DOWN in walk_system_ram_range()
2019-09-24 15:54:09 -07:00
rseq.c
signal: Remove task parameter from force_sig
2019-05-27 09:36:28 -05:00
seccomp.c
seccomp: Check that seccomp_notif is zeroed out by the user
2020-01-09 10:19:57 +01:00
signal.c
cgroup: freezer: call cgroup_enter_frozen() with preemption disabled in ptrace_stop()
2019-10-11 08:39:57 -07:00
smp.c
smp: Warn on function calls from softirq context
2019-07-20 11:27:16 +02:00
smpboot.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
smpboot.h
softirq.c
Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2019-07-08 11:01:13 -07:00
stackleak.c
stacktrace.c
stacktrace: Don't skip first entry on noncurrent tasks
2019-11-04 21:19:25 +01:00
stop_machine.c
stop_machine: Avoid potential race behaviour
2019-10-17 12:47:12 +02:00
sys_ni.c
arch: handle arches who do not yet define clone3
2019-06-21 01:54:53 +02:00
sys.c
Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2019-09-17 12:35:15 -07:00
sysctl_binary.c
kernel/sysctl: add panic_print into sysctl
2019-01-04 13:13:47 -08:00
sysctl.c
kernel: sysctl: make drop_caches write-only
2020-01-04 19:18:32 +01:00
task_work.c
taskstats.c
taskstats: fix data-race
2020-01-09 10:19:54 +01:00
test_kprobes.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 25
2019-05-21 11:52:39 +02:00
torture.c
torture: Remove exporting of internal functions
2019-08-01 14:30:22 -07:00
tracepoint.c
Merge tag 'trace-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
2019-07-18 11:51:00 -07:00
tsacct.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157
2019-05-30 11:26:37 -07:00
ucount.c
proc/sysctl: add shared variables for range check
2019-07-18 17:08:07 -07:00
uid16.c
uid16.h
umh.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
up.c
smp: Remove smp_call_function() and on_each_cpu() return values
2019-06-23 14:26:26 +02:00
user_namespace.c
Merge tag 'keys-namespace-20190627' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
2019-07-08 19:36:47 -07:00
user-return-notifier.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
user.c
Merge tag 'keys-namespace-20190627' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
2019-07-08 19:36:47 -07:00
utsname_sysctl.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441
2019-06-05 17:37:17 +02:00
utsname.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441
2019-06-05 17:37:17 +02:00
watchdog_hld.c
kernel/watchdog_hld.c: hard lockup message should end with a newline
2019-04-19 09:46:05 -07:00
watchdog.c
watchdog: Mark watchdog_hrtimer to expire in hard interrupt context
2019-08-01 20:51:20 +02:00
workqueue_internal.h
sched/core, workqueues: Distangle worker accounting from rq lock
2019-04-16 16:55:15 +02:00
workqueue.c
workqueue: Fix missing kfree(rescuer) in destroy_workqueue()
2019-12-17 19:56:54 +01:00