Re: [PATCH v2 bpf-next 1/2] bpf: Fix out-of-bounds read in check_atomic_load/store()
From: Eduard Zingerman
Date: Fri Mar 21 2025 - 18:19:59 EST
On Fri, 2025-03-21 at 19:59 +0900, Kohei Enju wrote:
> syzbot reported the following splat [0].
>
> In check_atomic_load/store(), register validity is not checked before
> atomic_ptr_type_ok(). This causes the out-of-bounds read in is_ctx_reg()
> called from atomic_ptr_type_ok() when the register number is MAX_BPF_REG
> or greater.
>
> Let's call check_load_mem()/check_store_reg() before atomic_ptr_type_ok()
> to avoid the OOB read.
[...]
> Memory state around the buggy address:
> ffff888141b0d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff888141b0d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >ffff888141b0d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ^
> ffff888141b0d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff888141b0d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>
> Reported-by: syzbot+a5964227adc0f904549c@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=a5964227adc0f904549c
> Tested-by: syzbot+a5964227adc0f904549c@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: e24bbad29a8d ("bpf: Introduce load-acquire and store-release instructions")
> Fixes: ff3afe5da998 ("selftests/bpf: Add selftests for load-acquire and store-release instructions")
> Signed-off-by: Kohei Enju <enjuk@xxxxxxxxxx>
> ---
Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
[...]
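A simplified C model of the ordering the patch establishes, added here as an illustration and not kernel code: the register number from the instruction is validated by a check_reg_arg()-style check before any is_ctx_reg()-style type query indexes the regs[] array, so an instruction naming a register at or above MAX_BPF_REG is rejected with -EINVAL instead of being used as an index. The struct layouts, register types and function bodies are reduced stand-ins for the verifier's real ones.

```c
/*
 * Model of the check ordering discussed above (constructed example, not
 * kernel code). The verifier indexes a fixed regs[MAX_BPF_REG] array by the
 * register number taken straight from the instruction, so any pointer-type
 * query must come after that number has been validated.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

#define MAX_BPF_REG 11 /* r0..r10, as in the kernel */

enum reg_type { NOT_INIT = 0, SCALAR_VALUE, PTR_TO_CTX, PTR_TO_MAP_VALUE };

struct reg_state { enum reg_type type; };
struct env { struct reg_state regs[MAX_BPF_REG]; };
struct insn { uint8_t dst_reg, src_reg; };

/* Like is_ctx_reg(): trusts regno, so regno >= MAX_BPF_REG reads past regs[]. */
static bool is_ctx_reg(const struct env *env, int regno)
{
	return env->regs[regno].type == PTR_TO_CTX;
}

/* Like the first check in check_reg_arg(): reject register numbers outside r0..r10. */
static int check_reg_arg(const struct env *env, int regno)
{
	if (regno >= MAX_BPF_REG)
		return -EINVAL; /* "R%d is invalid" */
	if (env->regs[regno].type == NOT_INIT)
		return -EACCES; /* reading an uninitialised register */
	return 0;
}

/* Stand-in for check_load_mem(): validates the base register before use. */
static int check_load_mem(const struct env *env, const struct insn *insn)
{
	return check_reg_arg(env, insn->src_reg);
}

/* Like atomic_ptr_type_ok(): atomics on a ctx pointer are not permitted. */
static bool atomic_ptr_type_ok(const struct env *env, int regno)
{
	return !is_ctx_reg(env, regno);
}

/* Fixed ordering from the patch: bounds-check the register, then query its type. */
static int check_atomic_load(const struct env *env, const struct insn *insn)
{
	int err = check_load_mem(env, insn);
	if (err)
		return err;     /* never reaches is_ctx_reg() with an invalid regno */
	if (!atomic_ptr_type_ok(env, insn->src_reg))
		return -EACCES; /* valid register, but not an allowed pointer type */
	return 0;
}
```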