Message ID | 20210307225248.79031-1-alexei.starovoitov@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 350a5c4dd2452ea999cc5e1d4a8dbf12de2f97ef |
Delegated to: | BPF |
Headers | show |
Series | [bpf] bpf: Dont allow vmlinux BTF to be used in map_create and prog_load. | expand |
Context | Check | Description |
---|---|---|
netdev/cover_letter | success | Link |
netdev/fixes_present | success | Link |
netdev/patch_count | success | Link |
netdev/tree_selection | success | Clearly marked for bpf |
netdev/subject_prefix | success | Link |
netdev/cc_maintainers | fail | 2 blamed authors not CCed: ast@kernel.org songliubraving@fb.com; 6 maintainers not CCed: netdev@vger.kernel.org yhs@fb.com kpsingh@kernel.org ast@kernel.org john.fastabend@gmail.com songliubraving@fb.com |
netdev/source_inline | success | Was 0 now: 0 |
netdev/verify_signedoff | success | Link |
netdev/module_param | success | Was 0 now: 0 |
netdev/build_32bit | success | Errors and warnings before: 17 this patch: 17 |
netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
netdev/verify_fixes | success | Link |
netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 21 lines checked |
netdev/build_allmodconfig_warn | success | Errors and warnings before: 17 this patch: 17 |
netdev/header_inline | success | Link |
On 3/7/21 2:52 PM, Alexei Starovoitov wrote:
> From: Alexei Starovoitov <ast@kernel.org>
>
> The syzbot got FD of vmlinux BTF and passed it into map_create which caused
> crash in btf_type_id_size() when it tried to access resolved_ids. The vmlinux
> BTF doesn't have 'resolved_ids' and 'resolved_sizes' initialized to save
> memory. To avoid such issues disallow using vmlinux BTF in prog_load and
> map_create commands.
>
> Reported-by: syzbot+8bab8ed346746e7540e8@syzkaller.appspotmail.com
> Fixes: 5329722057d4 ("bpf: Assign ID to vmlinux BTF and return extra info for BTF in GET_OBJ_INFO")
> Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Acked-by: Yonghong Song <yhs@fb.com>
On 3/7/21 11:52 PM, Alexei Starovoitov wrote: > From: Alexei Starovoitov <ast@kernel.org> > > The syzbot got FD of vmlinux BTF and passed it into map_create which caused > crash in btf_type_id_size() when it tried to access resolved_ids. The vmlinux > BTF doesn't have 'resolved_ids' and 'resolved_sizes' initialized to save > memory. To avoid such issues disallow using vmlinux BTF in prog_load and > map_create commands. > > Reported-by: syzbot+8bab8ed346746e7540e8@syzkaller.appspotmail.com > Fixes: 5329722057d4 ("bpf: Assign ID to vmlinux BTF and return extra info for BTF in GET_OBJ_INFO") > Signed-off-by: Alexei Starovoitov <ast@kernel.org> > --- > kernel/bpf/syscall.c | 5 +++++ > kernel/bpf/verifier.c | 4 ++++ > 2 files changed, 9 insertions(+) > > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > index c859bc46d06c..250503482cda 100644 > --- a/kernel/bpf/syscall.c > +++ b/kernel/bpf/syscall.c > @@ -854,6 +854,11 @@ static int map_create(union bpf_attr *attr) > err = PTR_ERR(btf); > goto free_map; > } > + if (btf_is_kernel(btf)) { > + btf_put(btf); > + err = -EACCES; > + goto free_map; > + } > map->btf = btf; > > if (attr->btf_value_type_id) { > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index c56e3fcb5f1a..4192a9e56654 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -9056,6 +9056,10 @@ static int check_btf_info(struct bpf_verifier_env *env, > btf = btf_get_by_fd(attr->prog_btf_fd); > if (IS_ERR(btf)) > return PTR_ERR(btf); > + if (btf_is_kernel(btf)) { > + btf_put(btf); > + return -EACCES; > + } Looks good, applied! > env->prog->aux->btf = btf; > > err = check_btf_func(env, attr, uattr); Btw, the error handling convention of c454a46b5efd ("bpf: Add bpf_line_info support") is just highly confusing. Simple validation errors defer the BTF reference count drop to __bpf_prog_put_noref() instead of just having it drop inside check_btf_info() as you did and only assigning env->prog->aux->btf in actual success case.
Hello:

This patch was applied to bpf/bpf.git (refs/heads/master):

On Sun, 7 Mar 2021 14:52:48 -0800 you wrote:
> From: Alexei Starovoitov <ast@kernel.org>
>
> The syzbot got FD of vmlinux BTF and passed it into map_create which caused
> crash in btf_type_id_size() when it tried to access resolved_ids. The vmlinux
> BTF doesn't have 'resolved_ids' and 'resolved_sizes' initialized to save
> memory. To avoid such issues disallow using vmlinux BTF in prog_load and
> map_create commands.
>
> [...]

Here is the summary with links:
  - [bpf] bpf: Dont allow vmlinux BTF to be used in map_create and prog_load.
    https://git.kernel.org/bpf/bpf/c/350a5c4dd245

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index c859bc46d06c..250503482cda 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -854,6 +854,11 @@ static int map_create(union bpf_attr *attr) err = PTR_ERR(btf); goto free_map; } + if (btf_is_kernel(btf)) { + btf_put(btf); + err = -EACCES; + goto free_map; + } map->btf = btf; if (attr->btf_value_type_id) { diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index c56e3fcb5f1a..4192a9e56654 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -9056,6 +9056,10 @@ static int check_btf_info(struct bpf_verifier_env *env, btf = btf_get_by_fd(attr->prog_btf_fd); if (IS_ERR(btf)) return PTR_ERR(btf); + if (btf_is_kernel(btf)) { + btf_put(btf); + return -EACCES; + } env->prog->aux->btf = btf; err = check_btf_func(env, attr, uattr);
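Review bot: the ordering inside the new block in map_create() (btf_put(btf) before goto free_map) is correct but non-obvious and deserves a one-line comment: map->btf is only assigned after the check, so the free_map label will not drop this reference, and the explicit put is what prevents a leak of the vmlinux BTF refcount taken by btf_get_by_fd(). Two smaller points: -EACCES reads as a permission failure, while the commit message describes the vmlinux BTF as structurally unusable here (resolved_ids and resolved_sizes are not populated), so either -EINVAL or a sentence in the commit message explaining why kernel BTF is treated as off-limits rather than invalid would make the errno choice self-documenting; and since the identical btf_is_kernel() rejection now appears in two call sites, a small helper wrapping btf_get_by_fd() plus the kernel-BTF check would keep map_create() and check_btf_info() from drifting apart.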
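Review bot: the new early return in check_btf_info() drops the BTF reference itself, whereas the error paths that follow the env->prog->aux->btf = btf assignment in the context lines leave that job to the program teardown, as the reply in this thread that applied the patch already observes. That asymmetry is easy to get wrong on the next edit to this function; a comment on the btf_put() noting that aux->btf is not yet set at this point, or moving the aux->btf assignment onto the success path so every failure in check_btf_info() releases the reference the same way, would make it self-explanatory. The -EACCES here should also stay in step with whatever errno map_create() settles on, so userspace sees a single consistent error for a rejected kernel-BTF fd.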