Patch "bpf: Fix crash due to out of bounds access into reg2btf_ids." has been added to the 5.15-stable tree


This is a note to let you know that I've just added the patch titled

    bpf: Fix crash due to out of bounds access into reg2btf_ids.

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-fix-crash-due-to-out-of-bounds-access-into-reg2btf_ids.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From foo@baz Fri Apr 29 11:02:06 AM CEST 2022
From: Hao Luo <haoluo@xxxxxxxxxx>
Date: Thu, 28 Apr 2022 16:57:51 -0700
Subject: bpf: Fix crash due to out of bounds access into reg2btf_ids.
To: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
Cc: Alexei Starovoitov <ast@xxxxxxxxxx>, Andrii Nakryiko <andrii@xxxxxxxxxx>, Daniel Borkmann <daniel@xxxxxxxxxxxxx>, laura@xxxxxxxxxxxx, Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>, stable@xxxxxxxxxxxxxxx, Hao Luo <haoluo@xxxxxxxxxx>
Message-ID: <20220428235751.103203-11-haoluo@xxxxxxxxxx>

From: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>

commit 45ce4b4f9009102cd9f581196d480a59208690c1 upstream

When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added
kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier
reg type to the appropriate btf_vmlinux BTF ID. However,
commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
moved __BPF_REG_TYPE_MAX from the last member of the bpf_reg_type enum to after
the base register types, and defined the other variants using type flag
composition. Now the direct usage of reg->type to index into
reg2btf_ids may no longer fall into the __BPF_REG_TYPE_MAX range, and hence leads to
an out-of-bounds access and a kernel crash on dereference of a bad pointer.

[backport note: commit 3363bd0cfbb80 ("bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM
 argument support") was introduced after 5.15 and contains an out-of-bounds
 reg2btf_ids access. Since that commit hasn't been backported, this patch
 doesn't include a fix for that access. If we backport that commit in the future,
 we need to fix its faulting access as well.]

Fixes: c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
Signed-off-by: Hao Luo <haoluo@xxxxxxxxxx>
Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
Link: https://lore.kernel.org/bpf/20220216201943.624869-1-memxor@xxxxxxxxx
Cc: stable@xxxxxxxxxxxxxxx # v5.15+
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 kernel/bpf/btf.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -5510,9 +5510,9 @@ static int btf_check_func_arg_match(stru
 			if (reg->type == PTR_TO_BTF_ID) {
 				reg_btf = reg->btf;
 				reg_ref_id = reg->btf_id;
-			} else if (reg2btf_ids[reg->type]) {
+			} else if (reg2btf_ids[base_type(reg->type)]) {
 				reg_btf = btf_vmlinux;
-				reg_ref_id = *reg2btf_ids[reg->type];
+				reg_ref_id = *reg2btf_ids[base_type(reg->type)];
 			} else {
 				bpf_log(log, "kernel function %s args#%d expected pointer to %s %s but R%d is not a pointer to btf_id\n",
 					func_name, i,
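Review bot: the two lookups in the else-if now mask the index with base_type(), but the preceding branch still compares the full reg->type against PTR_TO_BTF_ID, so a PTR_TO_BTF_ID register carrying a flag such as PTR_MAYBE_NULL skips that branch and is looked up as reg2btf_ids[PTR_TO_BTF_ID] instead; it would help to add a comment stating that the table has no entry for PTR_TO_BTF_ID, so such registers reach the bpf_log error path rather than being accepted. The same masking also means this branch no longer sees the type flags at all, so a flagged variant (e.g. a maybe-null pointer) of a base type that does have a table entry is treated like the plain base type here; please confirm that nullability is rejected before this point or add an explicit check. As a minor style point, `base_type(reg->type)` is evaluated twice in the hunk and could be hoisted into a local.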


Patches currently in stable-queue which might be from haoluo@xxxxxxxxxx are

queue-5.15/bpf-replace-ret_xxx_or_null-with-ret_xxx-ptr_maybe_null.patch
queue-5.15/bpf-introduce-mem_rdonly-flag.patch
queue-5.15/bpf-make-per_cpu_ptr-return-rdonly-ptr_to_mem.patch
queue-5.15/bpf-introduce-composable-reg-ret-and-arg-types.patch
queue-5.15/bpf-add-mem_rdonly-for-helper-args-that-are-pointers-to-rdonly-mem.patch
queue-5.15/bpf-replace-arg_xxx_or_null-with-arg_xxx-ptr_maybe_null.patch
queue-5.15/bpf-replace-ptr_to_xxx_or_null-with-ptr_to_xxx-ptr_maybe_null.patch
queue-5.15/bpf-fix-crash-due-to-out-of-bounds-access-into-reg2btf_ids.patch
queue-5.15/bpf-convert-ptr_to_mem_or_null-to-composable-types.patch
queue-5.15/bpf-selftests-test-ptr_to_rdonly_mem.patch


