On Fri, Jul 9, 2021 at 4:11 AM He Fengqing <hefengqing@xxxxxxxxxx> wrote: > > > > 在 2021/7/8 11:09, Alexei Starovoitov 写道: > > On Wed, Jul 7, 2021 at 8:00 PM He Fengqing <hefengqing@xxxxxxxxxx> wrote: > >> > >> Ok, I will change this in next version. > > > > before you spam the list with the next version > > please explain why any of these changes are needed? > > I don't see an explanation in the patches and I don't see a bug in the code. > > Did you check what is the prog clone ? > > When is it constructed? Why verifier has anything to do with it? > > . > > > > > I'm sorry, I didn't describe these errors clearly. > > bpf_check(bpf_verifier_env) > | > |->do_misc_fixups(env) > | | > | |->bpf_patch_insn_data(env) > | | | > | | |->bpf_patch_insn_single(env->prog) > | | | | > | | | |->bpf_prog_realloc(env->prog) > | | | | | > | | | | |->construct new_prog > | | | | | free old_prog(env->prog) > | | | | | > | | | | |->return new_prog; > | | | | > | | | |->return new_prog; > | | | > | | |->adjust_insn_aux_data > | | | | > | | | |->return ENOMEM; > | | | > | | |->return NULL; > | | > | |->return ENOMEM; > > bpf_verifier_env->prog had been freed in bpf_prog_realloc function. > > > There are two errors here, the first is memleak in the > bpf_patch_insn_data function, and the second is use after free in the > bpf_check function. > > memleak in bpf_patch_insn_data: > > Look at the call chain above, if adjust_insn_aux_data function return > ENOMEM, bpf_patch_insn_data will return NULL, but we do not free the > new_prog. > > So in the patch 2, before bpf_patch_insn_data return NULL, we free the > new_prog. > > use after free in bpf_check: > > If bpf_patch_insn_data function return NULL, we will not assign new_prog > to the bpf_verifier_env->prog, but bpf_verifier_env->prog has been freed > in the bpf_prog_realloc function. Then in bpf_check function, we will > use bpf_verifier_env->prog after do_misc_fixups function. > > In the patch 3, I added a free_old parameter to bpf_prog_realloc, in > this scenario we don't free old_prog. Instead, we free it in the > do_misc_fixups function when bpf_patch_insn_data return a valid new_prog. Thanks for explaining. Why not to make adjust_insn_aux_data() in bpf_patch_insn_data() first then? Just changing the order will resolve both issues, no?
