On Thu, Nov 2, 2017 at 11:07 AM, Alexei Starovoitov <a...@fb.com> wrote:
> On 11/2/17 7:21 AM, Craig Gallek wrote:
>>
>> From: Craig Gallek <kr...@google.com>
>>
>> do_check() can fail early without allocating env->cur_state under
>> memory pressure. Syzkaller found the stack below on the linux-next
>> tree because of this.
>>
>> kasan: CONFIG_KASAN_INLINE enabled
>> kasan: GPF could be caused by NULL-ptr deref or user memory access
>> general protection fault: 0000 [#1] SMP KASAN
>> Dumping ftrace buffer:
>> (ftrace buffer empty)
>> Modules linked in:
>> CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> task: ffff8801c2c74700 task.stack: ffff8801c3e28000
>> RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline]
>> RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533
>> RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202
>> RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000
>> RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380
>> RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f
>> R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28
>> R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20
>> FS: 00007f311079b700(0000) GS:ffff8801db300000(0000)
>> knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> Call Trace:
>> bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166
>> SYSC_bpf kernel/bpf/syscall.c:1690 [inline]
>> SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652
>> entry_SYSCALL_64_fastpath+0x1f/0xbe
>> RIP: 0033:0x452869
>> RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
>> RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869
>> RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005
>> RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550
>> R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000
>> Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00
>> 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00
>> 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26
>> RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP:
>> ffff8801c3e2f5c8
>> RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP:
>> ffff8801c3e2f5c8
>> ---[ end trace c8d37f339dc64004 ]---
>>
>> Fixes: 638f5b90d460 ("bpf: reduce verifier memory consumption")
>> Fixes: 1969db47f8d0 ("bpf: fix verifier memory leaks")
>> Signed-off-by: Craig Gallek <kr...@google.com>
>> ---
>> kernel/bpf/verifier.c | 6 ++++--
>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index 530b68550fd2..199ae7ccb2b7 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -4530,8 +4530,10 @@ int bpf_check(struct bpf_prog **prog, union
>> bpf_attr *attr)
>> env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
>>
>> ret = do_check(env);
>> - free_verifier_state(env->cur_state, true);
>> - env->cur_state = NULL;
>> + if (env->cur_state) {
>> + free_verifier_state(env->cur_state, true);
>> + env->cur_state = NULL;
>> + }
>
>
> right. good catch. similar fix needed in bpf_analyzer()
> Can you respin with fix for both?
I swear I had that in my test tree ;) Sending now...
