diff mbox series

[bpf] bpf: fix OOB read when printing XDP link fdinfo

Message ID 20210716100452.113652-1-lmb@cloudflare.com (mailing list archive)
State Superseded
Delegated to: BPF
Headers show
Series [bpf] bpf: fix OOB read when printing XDP link fdinfo | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Clearly marked for bpf
netdev/subject_prefix success Link
netdev/cc_maintainers warning 4 maintainers not CCed: songliubraving@fb.com yhs@fb.com kafai@fb.com kpsingh@kernel.org
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 11802 this patch: 11802
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 4 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 11304 this patch: 11304
netdev/header_inline success Link

Commit Message

Lorenz Bauer July 16, 2021, 10:04 a.m. UTC
We got the following UBSAN report on one of our testing machines:

    ================================================================================
    UBSAN: array-index-out-of-bounds in kernel/bpf/syscall.c:2389:24
    index 6 is out of range for type 'char *[6]'
    CPU: 43 PID: 930921 Comm: systemd-coredum Tainted: G           O      5.10.48-cloudflare-kasan-2021.7.0 #1
    Hardware name: <snip>
    Call Trace:
     dump_stack+0x7d/0xa3
     ubsan_epilogue+0x5/0x40
     __ubsan_handle_out_of_bounds.cold+0x43/0x48
     ? seq_printf+0x17d/0x250
     bpf_link_show_fdinfo+0x329/0x380
     ? bpf_map_value_size+0xe0/0xe0
     ? put_files_struct+0x20/0x2d0
     ? __kasan_kmalloc.constprop.0+0xc2/0xd0
     seq_show+0x3f7/0x540
     seq_read_iter+0x3f8/0x1040
     seq_read+0x329/0x500
     ? seq_read_iter+0x1040/0x1040
     ? __fsnotify_parent+0x80/0x820
     ? __fsnotify_update_child_dentry_flags+0x380/0x380
     vfs_read+0x123/0x460
     ksys_read+0xed/0x1c0
     ? __x64_sys_pwrite64+0x1f0/0x1f0
     do_syscall_64+0x33/0x40
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    <snip>
    ================================================================================
    ================================================================================
    UBSAN: object-size-mismatch in kernel/bpf/syscall.c:2384:2

From the report, we can infer that some array access in bpf_link_show_fdinfo at index 6
is out of bounds. The obvious candidate is bpf_link_type_strs[BPF_LINK_TYPE_XDP] with
BPF_LINK_TYPE_XDP == 6. It turns out that BPF_LINK_TYPE_XDP is missing from bpf_types.h
and therefore doesn't have an entry in bpf_link_type_strs:

    pos:	0
    flags:	02000000
    mnt_id:	13
    link_type:	(null)
    link_id:	4
    prog_tag:	bcf7977d3b93787c
    prog_id:	4
    ifindex:	1

Fixes: aa8d3a716b59 ("bpf, xdp: Add bpf_link-based XDP attachment API")
Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
---
 include/linux/bpf_types.h | 1 +
 1 file changed, 1 insertion(+)

Comments

Andrii Nakryiko July 16, 2021, 8:43 p.m. UTC | #1
On Fri, Jul 16, 2021 at 3:05 AM Lorenz Bauer <lmb@cloudflare.com> wrote:
>
> We got the following UBSAN report on one of our testing machines:
>
>     ================================================================================
>     UBSAN: array-index-out-of-bounds in kernel/bpf/syscall.c:2389:24
>     index 6 is out of range for type 'char *[6]'
>     CPU: 43 PID: 930921 Comm: systemd-coredum Tainted: G           O      5.10.48-cloudflare-kasan-2021.7.0 #1
>     Hardware name: <snip>
>     Call Trace:
>      dump_stack+0x7d/0xa3
>      ubsan_epilogue+0x5/0x40
>      __ubsan_handle_out_of_bounds.cold+0x43/0x48
>      ? seq_printf+0x17d/0x250
>      bpf_link_show_fdinfo+0x329/0x380
>      ? bpf_map_value_size+0xe0/0xe0
>      ? put_files_struct+0x20/0x2d0
>      ? __kasan_kmalloc.constprop.0+0xc2/0xd0
>      seq_show+0x3f7/0x540
>      seq_read_iter+0x3f8/0x1040
>      seq_read+0x329/0x500
>      ? seq_read_iter+0x1040/0x1040
>      ? __fsnotify_parent+0x80/0x820
>      ? __fsnotify_update_child_dentry_flags+0x380/0x380
>      vfs_read+0x123/0x460
>      ksys_read+0xed/0x1c0
>      ? __x64_sys_pwrite64+0x1f0/0x1f0
>      do_syscall_64+0x33/0x40
>      entry_SYSCALL_64_after_hwframe+0x44/0xa9
>     <snip>
>     ================================================================================
>     ================================================================================
>     UBSAN: object-size-mismatch in kernel/bpf/syscall.c:2384:2
>
> From the report, we can infer that some array access in bpf_link_show_fdinfo at index 6
> is out of bounds. The obvious candidate is bpf_link_type_strs[BPF_LINK_TYPE_XDP] with
> BPF_LINK_TYPE_XDP == 6. It turns out that BPF_LINK_TYPE_XDP is missing from bpf_types.h
> and therefore doesn't have an entry in bpf_link_type_strs:
>
>     pos:        0
>     flags:      02000000
>     mnt_id:     13
>     link_type:  (null)
>     link_id:    4
>     prog_tag:   bcf7977d3b93787c
>     prog_id:    4
>     ifindex:    1
>
> Fixes: aa8d3a716b59 ("bpf, xdp: Add bpf_link-based XDP attachment API")
> Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
> ---

Well, oops. Thanks for the fix!

Acked-by: Andrii Nakryiko <andrii@kernel.org>

It would be great to have a compilation error for something like this.
I wonder if we can do something to detect this going forward?

>  include/linux/bpf_types.h | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h
> index a9db1eae6796..be95f2722ad9 100644
> --- a/include/linux/bpf_types.h
> +++ b/include/linux/bpf_types.h
> @@ -135,3 +135,4 @@ BPF_LINK_TYPE(BPF_LINK_TYPE_ITER, iter)
>  #ifdef CONFIG_NET
>  BPF_LINK_TYPE(BPF_LINK_TYPE_NETNS, netns)
>  #endif
> +BPF_LINK_TYPE(BPF_LINK_TYPE_XDP, xdp)
> --
> 2.30.2
>
Daniel Borkmann July 16, 2021, 9 p.m. UTC | #2
On 7/16/21 10:43 PM, Andrii Nakryiko wrote:
> On Fri, Jul 16, 2021 at 3:05 AM Lorenz Bauer <lmb@cloudflare.com> wrote:
>>
>> We got the following UBSAN report on one of our testing machines:
>>
>>      ================================================================================
>>      UBSAN: array-index-out-of-bounds in kernel/bpf/syscall.c:2389:24
>>      index 6 is out of range for type 'char *[6]'
>>      CPU: 43 PID: 930921 Comm: systemd-coredum Tainted: G           O      5.10.48-cloudflare-kasan-2021.7.0 #1
>>      Hardware name: <snip>
>>      Call Trace:
>>       dump_stack+0x7d/0xa3
>>       ubsan_epilogue+0x5/0x40
>>       __ubsan_handle_out_of_bounds.cold+0x43/0x48
>>       ? seq_printf+0x17d/0x250
>>       bpf_link_show_fdinfo+0x329/0x380
>>       ? bpf_map_value_size+0xe0/0xe0
>>       ? put_files_struct+0x20/0x2d0
>>       ? __kasan_kmalloc.constprop.0+0xc2/0xd0
>>       seq_show+0x3f7/0x540
>>       seq_read_iter+0x3f8/0x1040
>>       seq_read+0x329/0x500
>>       ? seq_read_iter+0x1040/0x1040
>>       ? __fsnotify_parent+0x80/0x820
>>       ? __fsnotify_update_child_dentry_flags+0x380/0x380
>>       vfs_read+0x123/0x460
>>       ksys_read+0xed/0x1c0
>>       ? __x64_sys_pwrite64+0x1f0/0x1f0
>>       do_syscall_64+0x33/0x40
>>       entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>      <snip>
>>      ================================================================================
>>      ================================================================================
>>      UBSAN: object-size-mismatch in kernel/bpf/syscall.c:2384:2
>>
>>  From the report, we can infer that some array access in bpf_link_show_fdinfo at index 6
>> is out of bounds. The obvious candidate is bpf_link_type_strs[BPF_LINK_TYPE_XDP] with
>> BPF_LINK_TYPE_XDP == 6. It turns out that BPF_LINK_TYPE_XDP is missing from bpf_types.h
>> and therefore doesn't have an entry in bpf_link_type_strs:
>>
>>      pos:        0
>>      flags:      02000000
>>      mnt_id:     13
>>      link_type:  (null)
>>      link_id:    4
>>      prog_tag:   bcf7977d3b93787c
>>      prog_id:    4
>>      ifindex:    1
>>
>> Fixes: aa8d3a716b59 ("bpf, xdp: Add bpf_link-based XDP attachment API")
>> Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
>> ---
> 
> Well, oops. Thanks for the fix!
> 
> Acked-by: Andrii Nakryiko <andrii@kernel.org>
> 
> It would be great to have a compilation error for something like this.
> I wonder if we can do something to detect this going forward?
> 
>>   include/linux/bpf_types.h | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h
>> index a9db1eae6796..be95f2722ad9 100644
>> --- a/include/linux/bpf_types.h
>> +++ b/include/linux/bpf_types.h
>> @@ -135,3 +135,4 @@ BPF_LINK_TYPE(BPF_LINK_TYPE_ITER, iter)
>>   #ifdef CONFIG_NET
>>   BPF_LINK_TYPE(BPF_LINK_TYPE_NETNS, netns)
>>   #endif
>> +BPF_LINK_TYPE(BPF_LINK_TYPE_XDP, xdp)

Lorenz, does this compile when you don't have CONFIG_NET configured? I would assume
this needs to go right below the netns one depending on CONFIG_NET.. at least the
bpf_xdp_link_lops are in net/core/dev.c which is only built under CONFIG_NET.

Thanks,
Daniel
Lorenz Bauer July 19, 2021, 8:45 a.m. UTC | #3
On Fri, 16 Jul 2021 at 21:44, Andrii Nakryiko <andrii.nakryiko@gmail.com> wrote:
>
> Well, oops. Thanks for the fix!
>
> Acked-by: Andrii Nakryiko <andrii@kernel.org>
>
> It would be great to have a compilation error for something like this.
> I wonder if we can do something to detect this going forward?

I had a second patch that introduced MAX_BPF_LINK_TYPE, etc. and then
added explicit array initializers:

     [MAX_BPF_LINK_TYPE] = NULL,

That turns the OOB read into a NULL read. But it has to be done for
every inclusion of bpf_types.h so it's
a bit cumbersome. Maybe add MAX_BPF_LINK_TYPE and then add an entry in
bpf_types.h for it as well?

--
Lorenz Bauer  |  Systems Engineer
6th Floor, County Hall/The Riverside Building, SE1 7PB, UK

www.cloudflare.com
Lorenz Bauer July 19, 2021, 8:48 a.m. UTC | #4
On Fri, 16 Jul 2021 at 22:01, Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> On 7/16/21 10:43 PM, Andrii Nakryiko wrote:
> > On Fri, Jul 16, 2021 at 3:05 AM Lorenz Bauer <lmb@cloudflare.com> wrote:
> >>
> >> We got the following UBSAN report on one of our testing machines:
> >>
> >>      ================================================================================
> >>      UBSAN: array-index-out-of-bounds in kernel/bpf/syscall.c:2389:24
> >>      index 6 is out of range for type 'char *[6]'
> >>      CPU: 43 PID: 930921 Comm: systemd-coredum Tainted: G           O      5.10.48-cloudflare-kasan-2021.7.0 #1
> >>      Hardware name: <snip>
> >>      Call Trace:
> >>       dump_stack+0x7d/0xa3
> >>       ubsan_epilogue+0x5/0x40
> >>       __ubsan_handle_out_of_bounds.cold+0x43/0x48
> >>       ? seq_printf+0x17d/0x250
> >>       bpf_link_show_fdinfo+0x329/0x380
> >>       ? bpf_map_value_size+0xe0/0xe0
> >>       ? put_files_struct+0x20/0x2d0
> >>       ? __kasan_kmalloc.constprop.0+0xc2/0xd0
> >>       seq_show+0x3f7/0x540
> >>       seq_read_iter+0x3f8/0x1040
> >>       seq_read+0x329/0x500
> >>       ? seq_read_iter+0x1040/0x1040
> >>       ? __fsnotify_parent+0x80/0x820
> >>       ? __fsnotify_update_child_dentry_flags+0x380/0x380
> >>       vfs_read+0x123/0x460
> >>       ksys_read+0xed/0x1c0
> >>       ? __x64_sys_pwrite64+0x1f0/0x1f0
> >>       do_syscall_64+0x33/0x40
> >>       entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >>      <snip>
> >>      ================================================================================
> >>      ================================================================================
> >>      UBSAN: object-size-mismatch in kernel/bpf/syscall.c:2384:2
> >>
> >>  From the report, we can infer that some array access in bpf_link_show_fdinfo at index 6
> >> is out of bounds. The obvious candidate is bpf_link_type_strs[BPF_LINK_TYPE_XDP] with
> >> BPF_LINK_TYPE_XDP == 6. It turns out that BPF_LINK_TYPE_XDP is missing from bpf_types.h
> >> and therefore doesn't have an entry in bpf_link_type_strs:
> >>
> >>      pos:        0
> >>      flags:      02000000
> >>      mnt_id:     13
> >>      link_type:  (null)
> >>      link_id:    4
> >>      prog_tag:   bcf7977d3b93787c
> >>      prog_id:    4
> >>      ifindex:    1
> >>
> >> Fixes: aa8d3a716b59 ("bpf, xdp: Add bpf_link-based XDP attachment API")
> >> Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
> >> ---
> >
> > Well, oops. Thanks for the fix!
> >
> > Acked-by: Andrii Nakryiko <andrii@kernel.org>
> >
> > It would be great to have a compilation error for something like this.
> > I wonder if we can do something to detect this going forward?
> >
> >>   include/linux/bpf_types.h | 1 +
> >>   1 file changed, 1 insertion(+)
> >>
> >> diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h
> >> index a9db1eae6796..be95f2722ad9 100644
> >> --- a/include/linux/bpf_types.h
> >> +++ b/include/linux/bpf_types.h
> >> @@ -135,3 +135,4 @@ BPF_LINK_TYPE(BPF_LINK_TYPE_ITER, iter)
> >>   #ifdef CONFIG_NET
> >>   BPF_LINK_TYPE(BPF_LINK_TYPE_NETNS, netns)
> >>   #endif
> >> +BPF_LINK_TYPE(BPF_LINK_TYPE_XDP, xdp)
>
> Lorenz, does this compile when you don't have CONFIG_NET configured? I would assume
> this needs to go right below the netns one depending on CONFIG_NET.. at least the
> bpf_xdp_link_lops are in net/core/dev.c which is only built under CONFIG_NET.

It does compile, since the only use of the macro is to stringify a
link type for fdinfo. I'll move it into CONFIG_NET to be consistent
with netdev though.
diff mbox series

Patch

diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h
index a9db1eae6796..be95f2722ad9 100644
--- a/include/linux/bpf_types.h
+++ b/include/linux/bpf_types.h
@@ -135,3 +135,4 @@  BPF_LINK_TYPE(BPF_LINK_TYPE_ITER, iter)
 #ifdef CONFIG_NET
 BPF_LINK_TYPE(BPF_LINK_TYPE_NETNS, netns)
 #endif
+BPF_LINK_TYPE(BPF_LINK_TYPE_XDP, xdp)