Re: [PATCH net] bpf: fix verifier memory corruption
From: Alexei Starovoitov
Date: Tue, 14 Apr 2015 15:57:13 -0700
> Due to missing bounds check the DAG pass of the BPF verifier can corrupt
> the memory which can cause random crashes during program loading:
>
> [8.449451] BUG: unable to handle kernel paging request at
> [8.451293] IP: [] kmem_cache_alloc_trace+0x8d/0x2f0
> [8.452329] Oops: [#1] SMP
> [8.452329] Call Trace:
> [8.452329] [] bpf_check+0x852/0x2000
> [8.452329] [] bpf_prog_load+0x1e4/0x310
> [8.452329] [] ? might_fault+0x5f/0xb0
> [8.452329] [] SyS_bpf+0x806/0xa30
>
> Fixes: f1bca824dabb ("bpf: add search pruning optimization to verifier")
> Signed-off-by: Alexei Starovoitov
Applied and queued up for -stable, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH net] bpf: fix verifier memory corruption
On 04/15/2015 12:57 AM, Alexei Starovoitov wrote:
Due to missing bounds check the DAG pass of the BPF verifier can corrupt
the memory which can cause random crashes during program loading:
[8.449451] BUG: unable to handle kernel paging request at
[8.451293] IP: [] kmem_cache_alloc_trace+0x8d/0x2f0
[8.452329] Oops: [#1] SMP
[8.452329] Call Trace:
[8.452329] [] bpf_check+0x852/0x2000
[8.452329] [] bpf_prog_load+0x1e4/0x310
[8.452329] [] ? might_fault+0x5f/0xb0
[8.452329] [] SyS_bpf+0x806/0xa30
Fixes: f1bca824dabb ("bpf: add search pruning optimization to verifier")
Signed-off-by: Alexei Starovoitov
As far as I can tell, looks good to me. Any other access to a next
instruction elsewhere would be blocked from push_insn() with an error.
Acked-by: Daniel Borkmann
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH net] bpf: fix verifier memory corruption
On Wed, Apr 15, 2015, at 18:07, Alexei Starovoitov wrote:
> On 4/15/15 8:59 AM, Hannes Frederic Sowa wrote:
> > On Di, 2015-04-14 at 15:57 -0700, Alexei Starovoitov wrote:
> >> Due to missing bounds check the DAG pass of the BPF verifier can corrupt
> >> the memory which can cause random crashes during program loading:
> >>
> >> [8.449451] BUG: unable to handle kernel paging request at
> >> [8.451293] IP: [] kmem_cache_alloc_trace+0x8d/0x2f0
> >> [8.452329] Oops: [#1] SMP
> >> [8.452329] Call Trace:
> >> [8.452329] [] bpf_check+0x852/0x2000
> >> [8.452329] [] bpf_prog_load+0x1e4/0x310
> >> [8.452329] [] ? might_fault+0x5f/0xb0
> >> [8.452329] [] SyS_bpf+0x806/0xa30
> >>
> >> Fixes: f1bca824dabb ("bpf: add search pruning optimization to verifier")
> >> Signed-off-by: Alexei Starovoitov
> >> ---
> >> Many things need to align for this crash to be seen, yet I managed to hit
> >> it.
> >> In my case JA was last insn, 't' was 255 and explored_states array
> >> had 256 elements. I've double checked other similar paths and all seems
> >> clean.
> >>
> >> kernel/bpf/verifier.c |3 ++-
> >> 1 file changed, 2 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> >> index a28e09c7825d..36508e69e92a 100644
> >> --- a/kernel/bpf/verifier.c
> >> +++ b/kernel/bpf/verifier.c
> >> @@ -1380,7 +1380,8 @@ peek_stack:
> >>/* tell verifier to check for equivalent states
> >> * after every call and jump
> >> */
> >> - env->explored_states[t + 1] = STATE_LIST_MARK;
> >> + if (t + 1 < insn_cnt)
> >> + env->explored_states[t + 1] = STATE_LIST_MARK;
> >>} else {
> >>/* conditional jump with two edges */
> >>ret = push_insn(t, t + 1, FALLTHROUGH, env);
> >
> > Quick review:
> >
> > We have env->explored_states[t+1] access in the
> >
> > } else {
> > /* conditional jump with two edges */
> > ret = push_insn(t, t + 1, FALLTHROUGH, env);
> > if (ret == 1)
> > goto peek_stack;
> > else if (ret < 0)
> > goto err_free;
> >
> ret = push_insn(t, t + insns[t].off + 1, BRANCH,
> env);
> > if (ret == 1)
> > goto peek_stack;
> > else if (ret < 0)
> > goto err_free;
> > }
> > } else {
> >
> >
> > push_insn call. At this point insn[t].off could be 0, no?
>
> insn[t].off can be anything, but the first thing that push_insn()
> checks is:
> if (w < 0 || w >= env->prog->len)
> only then it does:
> env->explored_states[w] = STATE_LIST_MARK;
> so we're good there.
> Though thanks for triple checking :)
Sorry, yes. That check was too obvious to me. ;)
Acked-by: Hannes Frederic Sowa
Bye,
Hannes
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH net] bpf: fix verifier memory corruption
On 4/15/15 8:59 AM, Hannes Frederic Sowa wrote:
On Di, 2015-04-14 at 15:57 -0700, Alexei Starovoitov wrote:
Due to missing bounds check the DAG pass of the BPF verifier can corrupt
the memory which can cause random crashes during program loading:
[8.449451] BUG: unable to handle kernel paging request at
[8.451293] IP: [] kmem_cache_alloc_trace+0x8d/0x2f0
[8.452329] Oops: [#1] SMP
[8.452329] Call Trace:
[8.452329] [] bpf_check+0x852/0x2000
[8.452329] [] bpf_prog_load+0x1e4/0x310
[8.452329] [] ? might_fault+0x5f/0xb0
[8.452329] [] SyS_bpf+0x806/0xa30
Fixes: f1bca824dabb ("bpf: add search pruning optimization to verifier")
Signed-off-by: Alexei Starovoitov
---
Many things need to align for this crash to be seen, yet I managed to hit it.
In my case JA was last insn, 't' was 255 and explored_states array
had 256 elements. I've double checked other similar paths and all seems clean.
kernel/bpf/verifier.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a28e09c7825d..36508e69e92a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1380,7 +1380,8 @@ peek_stack:
/* tell verifier to check for equivalent states
* after every call and jump
*/
- env->explored_states[t + 1] = STATE_LIST_MARK;
+ if (t + 1 < insn_cnt)
+ env->explored_states[t + 1] = STATE_LIST_MARK;
} else {
/* conditional jump with two edges */
ret = push_insn(t, t + 1, FALLTHROUGH, env);
Quick review:
We have env->explored_states[t+1] access in the
} else {
/* conditional jump with two edges */
ret = push_insn(t, t + 1, FALLTHROUGH, env);
if (ret == 1)
goto peek_stack;
else if (ret < 0)
goto err_free;
ret = push_insn(t, t + insns[t].off + 1, BRANCH, env);
if (ret == 1)
goto peek_stack;
else if (ret < 0)
goto err_free;
}
} else {
push_insn call. At this point insn[t].off could be 0, no?
insn[t].off can be anything, but the first thing that push_insn()
checks is:
if (w < 0 || w >= env->prog->len)
only then it does:
env->explored_states[w] = STATE_LIST_MARK;
so we're good there.
Though thanks for triple checking :)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH net] bpf: fix verifier memory corruption
On Di, 2015-04-14 at 15:57 -0700, Alexei Starovoitov wrote:
> Due to missing bounds check the DAG pass of the BPF verifier can corrupt
> the memory which can cause random crashes during program loading:
>
> [8.449451] BUG: unable to handle kernel paging request at
> [8.451293] IP: [] kmem_cache_alloc_trace+0x8d/0x2f0
> [8.452329] Oops: [#1] SMP
> [8.452329] Call Trace:
> [8.452329] [] bpf_check+0x852/0x2000
> [8.452329] [] bpf_prog_load+0x1e4/0x310
> [8.452329] [] ? might_fault+0x5f/0xb0
> [8.452329] [] SyS_bpf+0x806/0xa30
>
> Fixes: f1bca824dabb ("bpf: add search pruning optimization to verifier")
> Signed-off-by: Alexei Starovoitov
> ---
> Many things need to align for this crash to be seen, yet I managed to hit it.
> In my case JA was last insn, 't' was 255 and explored_states array
> had 256 elements. I've double checked other similar paths and all seems clean.
>
> kernel/bpf/verifier.c |3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index a28e09c7825d..36508e69e92a 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -1380,7 +1380,8 @@ peek_stack:
> /* tell verifier to check for equivalent states
>* after every call and jump
>*/
> - env->explored_states[t + 1] = STATE_LIST_MARK;
> + if (t + 1 < insn_cnt)
> + env->explored_states[t + 1] = STATE_LIST_MARK;
> } else {
> /* conditional jump with two edges */
> ret = push_insn(t, t + 1, FALLTHROUGH, env);
Quick review:
We have env->explored_states[t+1] access in the
} else {
/* conditional jump with two edges */
ret = push_insn(t, t + 1, FALLTHROUGH, env);
if (ret == 1)
goto peek_stack;
else if (ret < 0)
goto err_free;
>>> ret = push_insn(t, t + insns[t].off + 1, BRANCH, env);
if (ret == 1)
goto peek_stack;
else if (ret < 0)
goto err_free;
}
} else {
push_insn call. At this point insn[t].off could be 0, no?
Thanks,
Hannes
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
