WSL2-Linux-Kernel/arch
Eric Dumazet 3f4d5e727a bpf, arm64: Clear prog->jited_len along prog->jited
[ Upstream commit 10f3b29c65 ]

syzbot reported an illegal copy_to_user() attempt
from bpf_prog_get_info_by_fd() [1]

There was no repro yet on this bug, but I think
that commit 0aef499f31 ("mm/usercopy: Detect vmalloc overruns")
is exposing a prior bug in bpf arm64.

bpf_prog_get_info_by_fd() looks at prog->jited_len
to determine if the JIT image can be copied out to user space.

My theory is that syzbot managed to get a prog where prog->jited_len
has been set to 43, while prog->bpf_func has ben cleared.

It is not clear why copy_to_user(uinsns, NULL, ulen) is triggering
this particular warning.

I thought find_vma_area(NULL) would not find a vm_struct.
As we do not hold vmap_area_lock spinlock, it might be possible
that the found vm_struct was garbage.

[1]
usercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)!
kernel BUG at mm/usercopy.c:101!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0
Hardware name: linux,dummy-virt (DT)
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usercopy_abort+0x90/0x94 mm/usercopy.c:101
lr : usercopy_abort+0x90/0x94 mm/usercopy.c:89
sp : ffff80000b773a20
x29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48
x26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000
x23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001
x20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd
x17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420
x14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031
x11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865
x8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830
x5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000
x2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064
Call trace:
 usercopy_abort+0x90/0x94 mm/usercopy.c:89
 check_heap_object mm/usercopy.c:186 [inline]
 __check_object_size mm/usercopy.c:252 [inline]
 __check_object_size+0x198/0x36c mm/usercopy.c:214
 check_object_size include/linux/thread_info.h:199 [inline]
 check_copy_size include/linux/thread_info.h:235 [inline]
 copy_to_user include/linux/uaccess.h:159 [inline]
 bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993
 bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253
 __sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956
 __do_sys_bpf kernel/bpf/syscall.c:5021 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5019 [inline]
 __arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52
 el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142
 do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206
 el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624
 el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581
Code: aa0003e3 d00038c0 91248000 97fff65f (d4210000)

Fixes: db496944fd ("bpf: arm64: add JIT support for multi-function programs")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Song Liu <songliubraving@fb.com>
Link: https://lore.kernel.org/bpf/20220531215113.1100754-1-eric.dumazet@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-06-14 18:36:17 +02:00
..
alpha alpha: fix alloc_zeroed_user_highpage_movable() 2022-06-09 10:22:43 +02:00
arc ARC: entry: fix syscall_trace_exit argument 2022-04-27 14:39:00 +02:00
arm ARM: dts: aspeed: ast2600-evb: Enable RX delay for MAC0/MAC1 2022-06-14 18:36:07 +02:00
arm64 bpf, arm64: Clear prog->jited_len along prog->jited 2022-06-14 18:36:17 +02:00
csky csky: patch_text: Fixup last cpu should be master 2022-06-09 10:23:26 +02:00
h8300 Merge branch 'akpm' (patches from Andrew) 2021-09-08 12:55:35 -07:00
hexagon uaccess: fix integer overflow on access_ok() 2022-03-28 09:58:45 +02:00
ia64 ia64: define get_cycles macro for arch-override 2022-05-30 09:29:12 +02:00
m68k m68knommu: fix undefined reference to `mach_get_rtc_pll' 2022-06-14 18:36:15 +02:00
microblaze uaccess: fix nios2 and microblaze get_user_8() 2022-04-08 14:23:18 +02:00
mips mips: cpc: Fix refcount leak in mips_cpc_default_phys_base 2022-06-14 18:36:14 +02:00
nds32 nds32: fix access_ok() checks in get/put_user 2022-03-28 09:58:46 +02:00
nios2 nios2: use fallback for random_get_entropy() instead of zero 2022-05-30 09:29:14 +02:00
openrisc openrisc: start CPU timer early in boot 2022-06-09 10:22:38 +02:00
parisc parisc/stifb: Implement fb_is_primary_device() 2022-06-09 10:22:26 +02:00
powerpc powerpc/kasan: Force thread size increase with KASAN 2022-06-14 18:36:16 +02:00
riscv RISC-V: use memcpy for kexec_file mode 2022-06-14 18:36:15 +02:00
s390 s390/mcck: isolate SIE instruction when setting CIF_MCCK_GUEST flag 2022-06-14 18:36:13 +02:00
sh Documentation, arch: Remove leftovers from CIFS_WEAK_PW_HASH 2022-01-27 11:05:21 +01:00
sparc signal: Deliver SIGTRAP on perf event asynchronously if blocked 2022-06-09 10:22:48 +02:00
um um: chan_user: Fix winch_tramp() return value 2022-06-09 10:23:27 +02:00
x86 kexec_file: drop weak attribute from arch_kexec_apply_relocations[_add] 2022-06-09 10:23:27 +02:00
xtensa xtensa/simdisk: fix proc_read_simdisk() 2022-06-09 10:23:28 +02:00
.gitignore
Kconfig stack: Constrain and fix stack offset randomization with Clang builds 2022-04-08 14:23:06 +02:00