On 03/21/2019 09:31 AM, Xu Yu wrote: > Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug. > Call trace: > dump_stack+0xbf/0x12e > print_address_description+0x6a/0x280 > kasan_report+0x237/0x360 > sanitize_ptr_alu+0x85a/0x8d0 > adjust_ptr_min_max_vals+0x8f2/0x1ca0 > adjust_reg_min_max_vals+0x8ed/0x22e0 > do_check+0x1ca6/0x5d00 > bpf_check+0x9ca/0x2570 > bpf_prog_load+0xc91/0x1030 > __se_sys_bpf+0x61e/0x1f00 > do_syscall_64+0xc8/0x550 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > Fault injection trace: > kfree+0xea/0x290 > free_func_state+0x4a/0x60 > free_verifier_state+0x61/0xe0 > push_stack+0x216/0x2f0 <- inject failslab > sanitize_ptr_alu+0x2b1/0x8d0 > adjust_ptr_min_max_vals+0x8f2/0x1ca0 > adjust_reg_min_max_vals+0x8ed/0x22e0 > do_check+0x1ca6/0x5d00 > bpf_check+0x9ca/0x2570 > bpf_prog_load+0xc91/0x1030 > __se_sys_bpf+0x61e/0x1f00 > do_syscall_64+0xc8/0x550 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > When kzalloc() fails in push_stack(), free_verifier_state() will free > current verifier state. As push_stack() returns, dst_reg was restored > if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg > is also freed, and error occurs when dereferencing dst_reg. > > Simply fix it by checking whether cur_state is NULL before retoring > dst_reg. > > Signed-off-by: Xu Yu <xuyu@xxxxxxxxxxxxxxxxx> > --- > kernel/bpf/verifier.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index ce166a0..018ce4f 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -3368,7 +3368,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, > *dst_reg = *ptr_reg; > } > ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); > - if (!ptr_is_dst_reg) > + if (!ptr_is_dst_reg && env->cur_state) > *dst_reg = tmp; Good catch, test should be more obvious rewritten as: if (!ptr_is_dst_reg && ret) Could you resubmit with that? > return !ret ? -EFAULT : 0; > } > Thanks, Daniel
