mirror/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
33772ff3b887eb2f426ed66bcb1808837a40669c
linux/kernel
History
Hao Sun 22c7fa171a bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS 
For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off
for validation. However, variable offset ptr alu is not prohibited
for this ptr kind. So the variable offset is not checked.

The following prog is accepted:

  func#0 @0
  0: R1=ctx() R10=fp0
  0: (bf) r6 = r1                       ; R1=ctx() R6_w=ctx()
  1: (79) r7 = *(u64 *)(r6 +144)        ; R6_w=ctx() R7_w=flow_keys()
  2: (b7) r8 = 1024                     ; R8_w=1024
  3: (37) r8 /= 1                       ; R8_w=scalar()
  4: (57) r8 &= 1024                    ; R8_w=scalar(smin=smin32=0,
  smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))
  5: (0f) r7 += r8
  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
  mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024
  mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1
  mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024
  6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off
  =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,
  var_off=(0x0; 0x400))
  6: (79) r0 = *(u64 *)(r7 +0)          ; R0_w=scalar()
  7: (95) exit

This prog loads flow_keys to r7, and adds the variable offset r8
to r7, and finally causes out-of-bounds access:

  BUG: unable to handle page fault for address: ffffc90014c80038
  [...]
  Call Trace:
   <TASK>
   bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
   __bpf_prog_run include/linux/filter.h:651 [inline]
   bpf_prog_run include/linux/filter.h:658 [inline]
   bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]
   bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991
   bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359
   bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
   __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475
   __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
   __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
   __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x63/0x6b

Fix this by rejecting ptr alu with variable offset on flow_keys.
Applying the patch rejects the program with "R7 pointer arithmetic
on flow_keys prohibited".

Fixes: d58e468b11 ("flow_dissector: implements flow dissector BPF hook")
Signed-off-by: Hao Sun <sunhao.th@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/bpf/20240115082028.9992-1-sunhao.th@gmail.com
2024-01-16 17:12:29 +01:00
..
bpf
bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS
2024-01-16 17:12:29 +01:00
cgroup
Merge tag 'cgroup-for-6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
2024-01-08 20:04:02 -08:00
configs
hardening: Provide Kconfig fragments for basic options
2023-09-22 09:50:55 -07:00
debug
kdb: Corrects comment for kdballocenv
2023-11-06 17:13:55 +00:00
dma
mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER
2024-01-08 15:27:15 -08:00
entry
entry: Move syscall_enter_from_user_mode() to header file
2023-12-21 23:12:18 +01:00
events
Merge tag 'mm-stable-2024-01-08-15-31' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2024-01-09 11:18:47 -08:00
futex
plist: Split out plist_types.h
2023-12-20 19:26:31 -05:00
gcov
gcov: annotate struct gcov_iterator with __counted_by
2023-10-18 14:43:22 -07:00
irq
Merge tag 'mm-nonmm-stable-2023-11-02-14-08' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2023-11-02 20:53:31 -10:00
kcsan
mm: delete checks for xor_unlock_is_negative_byte()
2023-10-18 14:34:17 -07:00
livepatch
livepatch: Fix missing newline character in klp_resolve_symbols()
2023-09-20 11:24:18 +02:00
locking
Merge tag 'header_cleanup-2024-01-10' of https://evilpiepirate.org/git/bcachefs
2024-01-10 16:43:55 -08:00
module
Merge tag 'modules-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux
2024-01-10 18:00:18 -08:00
power
PM: hibernate: Repair excess function parameter description warning
2023-12-20 19:19:26 +01:00
printk
Merge tag 'tty-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
2023-11-03 15:44:25 -10:00
rcu
Merge tag 'rcu-fixes-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/frederic/linux-dynticks
2023-11-08 09:47:52 -08:00
sched
Merge tag 'header_cleanup-2024-01-10' of https://evilpiepirate.org/git/bcachefs
2024-01-10 16:43:55 -08:00
time
Merge tag 'timers-core-2024-01-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2024-01-08 18:44:11 -08:00
trace
Merge tag 'net-next-6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
2024-01-11 10:07:29 -08:00
.gitignore
acct.c
fs: rename __mnt_{want,drop}_write*() helpers
2023-09-11 15:05:50 +02:00
async.c
Merge tag 'header_cleanup-2024-01-10' of https://evilpiepirate.org/git/bcachefs
2024-01-10 16:43:55 -08:00
audit_fsnotify.c
audit_tree.c
Merge tag 'mm-nonmm-stable-2023-11-02-14-08' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2023-11-02 20:53:31 -10:00
audit_watch.c
audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare()
2023-11-14 17:34:27 -05:00
audit.c
audit: Send netlink ACK before setting connection in auditd_set
2023-11-12 22:33:49 -05:00
audit.h
audit: correct audit_filter_inodes() definition
2023-07-21 12:17:25 -04:00
auditfilter.c
audit: move trailing statements to next line
2023-08-15 18:16:14 -04:00
auditsc.c
audit,io_uring: io_uring openat triggers audit reference count underflow
2023-10-13 18:34:46 +02:00
backtracetest.c
bounds.c
mm: multi-gen LRU: minimal implementation
2022-09-26 19:46:09 -07:00
capability.c
lsm: constify the 'target' parameter in security_capget()
2023-08-08 16:48:47 -04:00
cfi.c
cfi: Switch to -fsanitize=kcfi
2022-09-26 10:13:13 -07:00
compat.c
sched_getaffinity: don't assume 'cpumask_size()' is fully initialized
2023-03-14 19:32:38 -07:00
configs.c
context_tracking.c
locking/atomic: treewide: use raw_atomic*_<op>()
2023-06-05 09:57:20 +02:00
cpu_pm.c
cpuidle, cpu_pm: Remove RCU fiddling from cpu_pm_{enter,exit}()
2023-01-13 11:48:15 +01:00
cpu.c
Merge tag 'slab-for-6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab
2024-01-09 10:36:07 -08:00
crash_core.c
Merge tag 'mm-nonmm-stable-2024-01-09-10-33' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2024-01-09 11:46:20 -08:00
crash_dump.c
cred.c
cred: get rid of CONFIG_DEBUG_CREDENTIALS
2023-12-15 14:19:48 -08:00
delayacct.c
delayacct: track delays from IRQ/SOFTIRQ
2023-04-18 16:39:34 -07:00
dma.c
exec_domain.c
exit.c
Merge tag 'header_cleanup-2024-01-10' of https://evilpiepirate.org/git/bcachefs
2024-01-10 16:43:55 -08:00
exit.h
exit: add internal include file with helpers
2023-09-21 12:03:50 -06:00
extable.c
fail_function.c
kernel/fail_function: fix memory leak with using debugfs_lookup()
2023-02-08 13:36:22 +01:00
fork.c
Merge tag 'header_cleanup-2024-01-10' of https://evilpiepirate.org/git/bcachefs
2024-01-10 16:43:55 -08:00
freezer.c
Merge tag 'v6.7-rc6' into sched/core, to pick up fixes
2023-12-23 15:52:13 +01:00
gen_kheaders.sh
Revert "kheaders: substituting --sort in archive creation"
2023-05-28 16:20:21 +09:00
groups.c
groups: Convert group_info.usage to refcount_t
2023-09-29 11:28:39 -07:00
hung_task.c
kernel/hung_task.c: set some hung_task.c variables storage-class-specifier to static
2023-04-08 13:45:37 -07:00
iomem.c
kernel/iomem.c: remove __weak ioremap_cache helper
2023-08-21 13:37:28 -07:00
irq_work.c
trace: Add trace_ipi_send_cpu()
2023-03-24 11:01:29 +01:00
jump_label.c
jump_label: Prevent key->enabled int overflow
2022-12-01 15:53:05 -08:00
kallsyms_internal.h
kallsyms: Reduce the memory occupied by kallsyms_seqs_of_names[]
2022-11-12 18:47:36 -08:00
kallsyms_selftest.c
Merge tag 'modules-6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux
2023-08-29 17:32:32 -07:00
kallsyms_selftest.h
kallsyms: Add self-test facility
2022-11-15 00:42:02 -08:00
kallsyms.c
kallsyms: Change func signature for cleanup_symbol_name()
2023-08-25 15:00:36 -07:00
kcmp.c
file: convert to SLAB_TYPESAFE_BY_RCU
2023-10-19 11:02:48 +02:00
Kconfig.freezer
Kconfig.hz
Kconfig.kexec
kexec: select CRYPTO from KEXEC_FILE instead of depending on it
2023-12-20 13:46:19 -08:00
Kconfig.locks
Kconfig.preempt
kcov.c
kcov: add prototypes for helper functions
2023-06-09 17:44:17 -07:00
kexec_core.c
kexec_core: fix the assignment to kimage->control_page
2023-12-29 12:22:29 -08:00
kexec_elf.c
kexec_file.c
kexec_file: fix incorrect temp_start value in locate_mem_hole_top_down()
2023-12-29 12:22:25 -08:00
kexec_internal.h
panic, kexec: make __crash_kexec() NMI safe
2022-09-11 21:55:06 -07:00
kexec.c
kernel: kexec: copy user-array safely
2023-10-09 16:59:47 +10:00
kheaders.c
kheaders: Use array declaration instead of char
2023-03-24 20:10:59 -07:00
kprobes.c
kprobes: consistent rcu api usage for kretprobe holder
2023-12-01 14:53:55 +09:00
ksyms_common.c
kallsyms: make kallsyms_show_value() as generic function
2023-06-08 12:27:20 -07:00
ksysfs.c
crash: hotplug support for kexec_load()
2023-08-24 16:25:14 -07:00
kthread.c
Merge tag 'mm-nonmm-stable-2023-11-02-14-08' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2023-11-02 20:53:31 -10:00
latencytop.c
latencytop: use the last element of latency_record of system
2022-09-11 21:55:12 -07:00
Makefile
kernel/numa.c: Move logging out of numa.h
2023-12-20 19:26:30 -05:00
module_signature.c
notifier.c
notifiers: add tracepoints to the notifiers infrastructure
2023-04-08 13:45:38 -07:00
nsproxy.c
nsproxy: Convert nsproxy.count to refcount_t
2023-08-21 11:29:12 -07:00
numa.c
kernel/numa.c: Move logging out of numa.h
2023-12-20 19:26:30 -05:00
padata.c
padata: Fix refcnt handling in padata_free_shell()
2023-10-27 18:04:24 +08:00
panic.c
panic: use atomic_try_cmpxchg in panic() and nmi_panic()
2023-10-04 10:41:56 -07:00
params.c
params: Fix multi-line comment style
2023-12-01 09:51:44 -08:00
pid_namespace.c
wait: Remove uapi header file from main header file
2023-12-20 19:26:31 -05:00
pid_sysctl.h
memfd: replace ratcheting feature from vm.memfd_noexec with hierarchy
2023-08-21 13:37:59 -07:00
pid.c
file: remove __receive_fd()
2023-12-12 14:24:14 +01:00
profile.c
kernel/profile.c: simplify duplicated code in profile_setup()
2022-09-11 21:55:12 -07:00
ptrace.c
Merge tag 'mm-nonmm-stable-2024-01-09-10-33' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2024-01-09 11:46:20 -08:00
range.c
reboot.c
Merge tag 'thermal-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
2024-01-09 16:20:17 -08:00
regset.c
relay.c
kernel: relay: remove relay_file_splice_read dead code, doesn't work
2023-12-29 12:22:27 -08:00
resource_kunit.c
resource.c
Merge tag 'mm-nonmm-stable-2024-01-09-10-33' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2024-01-09 11:46:20 -08:00
rseq.c
rseq: Extend struct rseq with per-memory-map concurrency ID
2022-12-27 12:52:12 +01:00
scftorture.c
scftorture: Pause testing after memory-allocation failure
2023-07-14 15:02:57 -07:00
scs.c
scs: add support for dynamic shadow call stacks
2022-11-09 18:06:35 +00:00
seccomp.c
file: remove __receive_fd()
2023-12-12 14:24:14 +01:00
signal.c
kernel/signal.c: simplify force_sig_info_to_task(), kill recalc_sigpending_and_wake()
2023-12-10 17:21:32 -08:00
smp.c
Merge tag 'csd-lock.2023.10.23a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu
2023-10-30 17:56:53 -10:00
smpboot.c
kthread: add kthread_stop_put
2023-10-04 10:41:57 -07:00
smpboot.h
softirq.c
sched/core: introduce sched_core_idle_cpu()
2023-07-13 15:21:50 +02:00
stackleak.c
stackleak: allow to specify arch specific stackleak poison function
2023-04-20 11:36:35 +02:00
stacktrace.c
stacktrace: fix kernel-doc typo
2023-12-29 12:22:29 -08:00
static_call_inline.c
static_call: Add call depth tracking support
2022-10-17 16:41:16 +02:00
static_call.c
stop_machine.c
sys_ni.c
Merge tag 'lsm-pr-20240105' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm
2024-01-09 12:57:46 -08:00
sys.c
prctl: Disable prctl(PR_SET_MDWE) on parisc
2023-11-18 19:35:31 +01:00
sysctl-test.c
sysctl.c
Merge tag 'asm-generic-6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic
2023-11-01 15:28:33 -10:00
task_work.c
task_work: add kerneldoc annotation for 'data' argument
2023-09-19 13:21:32 -07:00
taskstats.c
taskstats: fill_stats_for_tgid: use for_each_thread()
2023-10-04 10:41:57 -07:00
torture.c
torture: Print out torture module parameters
2023-09-24 17:24:01 +02:00
tracepoint.c
tracepoint: Allow livepatch module add trace event
2023-02-18 14:34:36 -05:00
tsacct.c
ucount.c
sysctl: Add size to register_sysctl
2023-08-15 15:26:17 -07:00
uid16.c
uid16.h
umh.c
sysctl: fix unused proc_cap_handler() function warning
2023-06-29 15:19:43 -07:00
up.c
smp: Change function signatures to use call_single_data_t
2023-09-13 14:59:24 +02:00
user_namespace.c
mnt_idmapping: decouple from namespaces
2023-11-28 14:08:47 +01:00
user-return-notifier.c
user.c
binfmt_misc: enable sandboxed mounts
2023-10-11 08:46:01 -07:00
usermode_driver.c
utsname_sysctl.c
utsname: simplify one-level sysctl registration for uts_kern_table
2023-04-13 11:49:35 -07:00
utsname.c
vhost_task.c
vhost: Fix worker hangs due to missed wake up calls
2023-06-08 15:43:09 -04:00
watch_queue.c
watch_queue: fix kcalloc() arguments order
2023-12-21 13:17:54 +01:00
watchdog_buddy.c
watchdog/hardlockup: move SMP barriers from common code to buddy code
2023-06-19 16:25:28 -07:00
watchdog_perf.c
watchdog/perf: add a weak function for an arch to detect if perf can use NMIs
2023-06-09 17:44:21 -07:00
watchdog.c
watchdog: if panicking and we dumped everything, don't re-enable dumping
2023-12-29 12:22:30 -08:00
workqueue_internal.h
workqueue: Drop the special locking rule for worker->flags and worker_pool->flags
2023-08-07 15:57:22 -10:00
workqueue.c
Merge branch 'for-6.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq into for-6.8
2023-11-22 06:18:49 -10:00