• Eric Dumazet's avatar
    bpf, arm64: Clear prog->jited_len along prog->jited · 10f3b29c
    Eric Dumazet authored
    syzbot reported an illegal copy_to_user() attempt
    from bpf_prog_get_info_by_fd() [1]
    
    There was no repro yet on this bug, but I think
    that commit 0aef499f ("mm/usercopy: Detect vmalloc overruns")
    is exposing a prior bug in bpf arm64.
    
    bpf_prog_get_info_by_fd() looks at prog->jited_len
    to determine if the JIT image can be copied out to user space.
    
    My theory is that syzbot managed to get a prog where prog->jited_len
    has been set to 43, while prog->bpf_func has ben cleared.
    
    It is not clear why copy_to_user(uinsns, NULL, ulen) is triggering
    this particular warning.
    
    I thought find_vma_area(NULL) would not find a vm_struct.
    As we do not hold vmap_area_lock spinlock, it might be possible
    that the found vm_struct was garbage.
    
    [1]
    usercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)!
    kernel BUG at mm/usercopy.c:101!
    Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
    Modules linked in:
    CPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaaf #0
    Hardware name: linux,dummy-virt (DT)
    pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    pc : usercopy_abort+0x90/0x94 mm/usercopy.c:101
    lr : usercopy_abort+0x90/0x94 mm/usercopy.c:89
    sp : ffff80000b773a20
    x29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48
    x26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000
    x23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001
    x20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd
    x17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420
    x14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031
    x11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865
    x8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830
    x5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000
    x2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064
    Call trace:
     usercopy_abort+0x90/0x94 mm/usercopy.c:89
     check_heap_object mm/usercopy.c:186 [inline]
     __check_object_size mm/usercopy.c:252 [inline]
     __check_object_size+0x198/0x36c mm/usercopy.c:214
     check_object_size include/linux/thread_info.h:199 [inline]
     check_copy_size include/linux/thread_info.h:235 [inline]
     copy_to_user include/linux/uaccess.h:159 [inline]
     bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993
     bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253
     __sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956
     __do_sys_bpf kernel/bpf/syscall.c:5021 [inline]
     __se_sys_bpf kernel/bpf/syscall.c:5019 [inline]
     __arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019
     __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
     invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52
     el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142
     do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206
     el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624
     el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642
     el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581
    Code: aa0003e3 d00038c0 91248000 97fff65f (d4210000)
    
    Fixes: db496944 ("bpf: arm64: add JIT support for multi-function programs")
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    Acked-by: default avatarSong Liu <songliubraving@fb.com>
    Link: https://lore.kernel.org/bpf/20220531215113.1100754-1-eric.dumazet@gmail.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
    10f3b29c
bpf_jit_comp.c 39.2 KB