-
Notifications
You must be signed in to change notification settings - Fork 146
bpf: Reject narrower access to pointer ctx fields #9336
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: bpf-next_base
Are you sure you want to change the base?
Conversation
Upstream branch: 42be23e |
ffefc6d
to
4ccf98a
Compare
Upstream branch: 42be23e |
e171102
to
5e55350
Compare
4ccf98a
to
95edab2
Compare
Upstream branch: 95993dc |
5e55350
to
8db6daa
Compare
Upstream branch: 95993dc |
8db6daa
to
b278fbf
Compare
Upstream branch: 95993dc |
b278fbf
to
0d033a9
Compare
Upstream branch: 95993dc |
The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = *(u8 *)(r1 + 169); exit; With pointer field sk being at offset 168 in __sk_buff. This access is detected as a narrower read in bpf_skb_is_valid_access because it doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed and later proceeds to bpf_convert_ctx_access. At that point, target_size is null and the verifier errors with a kernel warning and: verifier bug: error during ctx access conversion(1) This patch fixes that to return a proper "invalid bpf_context access off=X size=Y" error on the load instruction. The same issue affects multiple other fields in context structures that allow narrow access. Some other non-affected fields (for sk_msg, sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for consistency. Note this syzkaller crash was reported in [1], which used to be about a different bug, fixed in commit fce7bd8 ("bpf/verifier: Handle BPF_LOAD_ACQ instructions in insn_def_regno()"). Because syzbot somehow confused the two bugs, the new crash and repro didn't get reported to the mailing list. Link: https://syzkaller.appspot.com/bug?extid=0ef84a7bdf5301d4cbec [1] Fixes: f96da09 ("bpf: simplify narrower ctx access") Fixes: 0df1a55 ("bpf: Warn on internal verifier errors") Reported-by: syzbot+0ef84a7bdf5301d4cbec@syzkaller.appspotmail.com Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
This patch adds selftests to cover invalid narrower loads on the context. These used to cause kernel warnings before the previous patch. To trigger the warning, the load had to be aligned, to read an affected context field (ex., skb->sk), and not starting at the beginning of the field. The nine new cases all fail without the previous patch. Suggested-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
0d033a9
to
6364d8c
Compare
Pull request for series with
subject: bpf: Reject narrower access to pointer ctx fields
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=984328