)]}' { "commit": "64f3f5392bbe5ffd7184b20121dfd6d9befbea41", "tree": "9c6c0122ff4146b2b47949dcbbb968304e8dc40c", "parents": [ "e920f7970619ea05b8a668017a6940ba3f570edd" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Thu Aug 25 23:26:47 2022 +0200" }, "committer": { "name": "Meena Shanmugam", "email": "meenashanmugam@google.com", "time": "Sun Sep 18 23:26:01 2022 +0000" }, "message": "bpf: Don\u0027t use tnum_range on array range checking for poke descriptors\n\ncommit a657182a5c5150cdfacb6640aad1d2712571a409 upstream.\n\nHsin-Wei reported a KASAN splat triggered by their BPF runtime fuzzer which\nis based on a customized syzkaller:\n\n BUG: KASAN: slab-out-of-bounds in bpf_int_jit_compile+0x1257/0x13f0\n Read of size 8 at addr ffff888004e90b58 by task syz-executor.0/1489\n CPU: 1 PID: 1489 Comm: syz-executor.0 Not tainted 5.19.0 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n 1.13.0-1ubuntu1.1 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x9c/0xc9\n print_address_description.constprop.0+0x1f/0x1f0\n ? bpf_int_jit_compile+0x1257/0x13f0\n kasan_report.cold+0xeb/0x197\n ? kvmalloc_node+0x170/0x200\n ? bpf_int_jit_compile+0x1257/0x13f0\n bpf_int_jit_compile+0x1257/0x13f0\n ? arch_prepare_bpf_dispatcher+0xd0/0xd0\n ? rcu_read_lock_sched_held+0x43/0x70\n bpf_prog_select_runtime+0x3e8/0x640\n ? bpf_obj_name_cpy+0x149/0x1b0\n bpf_prog_load+0x102f/0x2220\n ? __bpf_prog_put.constprop.0+0x220/0x220\n ? find_held_lock+0x2c/0x110\n ? __might_fault+0xd6/0x180\n ? lock_downgrade+0x6e0/0x6e0\n ? lock_is_held_type+0xa6/0x120\n ? __might_fault+0x147/0x180\n __sys_bpf+0x137b/0x6070\n ? bpf_perf_link_attach+0x530/0x530\n ? new_sync_read+0x600/0x600\n ? __fget_files+0x255/0x450\n ? lock_downgrade+0x6e0/0x6e0\n ? fput+0x30/0x1a0\n ? ksys_write+0x1a8/0x260\n __x64_sys_bpf+0x7a/0xc0\n ? syscall_enter_from_user_mode+0x21/0x70\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x7f917c4e2c2d\n\nThe problem here is that a range of tnum_range(0, map-\u003emax_entries - 1) has\nlimited ability to represent the concrete tight range with the tnum as the\nset of resulting states from value + mask can result in a superset of the\nactual intended range, and as such a tnum_in(range, reg-\u003evar_off) check may\nyield true when it shouldn\u0027t, for example tnum_range(0, 2) would result in\n00XX -\u003e v \u003d 0000, m \u003d 0011 such that the intended set of {0, 1, 2} is here\nrepresented by a less precise superset of {0, 1, 2, 3}. As the register is\nknown const scalar, really just use the concrete reg-\u003evar_off.value for the\nupper index check.\n\nBUG\u003db/247073268\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2022-2905 in the Linux kernel.\n\nFixes: d2e4c1e6c294 (\"bpf: Constant map key tracking for prog array pokes\")\nReported-by: Hsin-Wei Hung \u003chsinweih@uci.edu\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nCc: Shung-Hsi Yu \u003cshung-hsi.yu@suse.com\u003e\nAcked-by: John Fastabend \u003cjohn.fastabend@gmail.com\u003e\nLink: https://lore.kernel.org/r/984b37f9fdf7ac36831d2137415a4a915744c1b6.1661462653.git.daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\ncos-patch: security-moderate\nChange-Id: If3e3575f5e8aba151621cb838f9ee7de7187f56a\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/37014\nReviewed-by: Oleksandr Tymoshenko \u003covt@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "60192830766cc24a3037dacffcffa4fa70324abc", "old_mode": 33188, "old_path": "kernel/bpf/verifier.c", "new_id": "e72bae368218daf3e074a0cac42d5d659ca930fb", "new_mode": 33188, "new_path": "kernel/bpf/verifier.c" } ] }