On 03/21/2019 09:31 AM, Xu Yu wrote:
Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug.
Call trace:
dump_stack+0xbf/0x12e
print_address_description+0x6a/0x280
kasan_report+0x237/0x360
sanitize_ptr_alu+0x85a/0x8d0
adjust_ptr_min_max_vals+0x8f2/0x1ca0
adjust_reg_min_max_vals+0x8ed/0x22e0
do_check+0x1ca6/0x5d00
bpf_check+0x9ca/0x2570
bpf_prog_load+0xc91/0x1030
__se_sys_bpf+0x61e/0x1f00
do_syscall_64+0xc8/0x550
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fault injection trace:
Âkfree+0xea/0x290
Âfree_func_state+0x4a/0x60
Âfree_verifier_state+0x61/0xe0
Âpush_stack+0x216/0x2f0 <- inject failslab
Âsanitize_ptr_alu+0x2b1/0x8d0
Âadjust_ptr_min_max_vals+0x8f2/0x1ca0
Âadjust_reg_min_max_vals+0x8ed/0x22e0
Âdo_check+0x1ca6/0x5d00
Âbpf_check+0x9ca/0x2570
Âbpf_prog_load+0xc91/0x1030
Â__se_sys_bpf+0x61e/0x1f00
Âdo_syscall_64+0xc8/0x550
Âentry_SYSCALL_64_after_hwframe+0x49/0xbe
When kzalloc() fails in push_stack(), free_verifier_state() will free
current verifier state. As push_stack() returns, dst_reg was restored
if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg
is also freed, and error occurs when dereferencing dst_reg.
Simply fix it by checking whether cur_state is NULL before retoring
dst_reg.
Signed-off-by: Xu Yu <xuyu@xxxxxxxxxxxxxxxxx>
---
kernel/bpf/verifier.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ce166a0..018ce4f 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3368,7 +3368,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
*dst_reg = *ptr_reg;
}
ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
- if (!ptr_is_dst_reg)
+ if (!ptr_is_dst_reg && env->cur_state)
*dst_reg = tmp;
Good catch, test should be more obvious rewritten as:
if (!ptr_is_dst_reg && ret)
Could you resubmit with that?
return !ret ? -EFAULT : 0;
}
Thanks,
Daniel