bpf: Reject narrower access to pointer ctx fields #9336
+39
−14
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![kernel-patches-daemon-bpf[bot]](https://avatars.githubusercontent.com/u/70728002?s=60&v=4){kind=small}
|
Upstream branch: 42be23e |
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
ffefc6d to
4ccf98a
Compare
|
Upstream branch: 42be23e |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/984328=>bpf-next
branch
from
e171102 to
5e55350
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
4ccf98a to
95edab2
Compare
|
Upstream branch: 95993dc |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/984328=>bpf-next
branch
from
5e55350 to
8db6daa
Compare
|
Upstream branch: 95993dc |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/984328=>bpf-next
branch
from
8db6daa to
b278fbf
Compare
|
Upstream branch: 95993dc |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/984328=>bpf-next
branch
from
b278fbf to
0d033a9
Compare
|
Upstream branch: 95993dc |
The following BPF program, simplified from a syzkaller repro, causes a
kernel warning:
r0 = *(u8 *)(r1 + 169);
exit;
With pointer field sk being at offset 168 in __sk_buff. This access is
detected as a narrower read in bpf_skb_is_valid_access because it
doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
and later proceeds to bpf_convert_ctx_access. At that point,
target_size is null and the verifier errors with a kernel warning and:
verifier bug: error during ctx access conversion(1)
This patch fixes that to return a proper "invalid bpf_context access
off=X size=Y" error on the load instruction.
The same issue affects multiple other fields in context structures that
allow narrow access. Some other non-affected fields (for sk_msg,
sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for
consistency.
Note this syzkaller crash was reported in [1], which used to be about a
different bug, fixed in commit fce7bd8 ("bpf/verifier: Handle
BPF_LOAD_ACQ instructions in insn_def_regno()"). Because syzbot somehow
confused the two bugs, the new crash and repro didn't get reported to
the mailing list.
Link: https://syzkaller.appspot.com/bug?extid=0ef84a7bdf5301d4cbec [1]
Fixes: f96da09 ("bpf: simplify narrower ctx access")
Fixes: 0df1a55 ("bpf: Warn on internal verifier errors")
Reported-by: [email protected]
Signed-off-by: Paul Chaignon <[email protected]>
Acked-by: Eduard Zingerman <[email protected]>
This patch adds selftests to cover invalid narrower loads on the context. These used to cause kernel warnings before the previous patch. To trigger the warning, the load had to be aligned, to read an affected context field (ex., skb->sk), and not starting at the beginning of the field. The nine new cases all fail without the previous patch. Suggested-by: Eduard Zingerman <[email protected]> Signed-off-by: Paul Chaignon <[email protected]> Acked-by: Eduard Zingerman <[email protected]>
kernel-patches-daemon-bpf
bot
force-pushed
the
series/984328=>bpf-next
branch
from
0d033a9 to
6364d8c
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: bpf: Reject narrower access to pointer ctx fields
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=984328