bpf: Fix a kernel verifier crash in stacksafe()

PlaidCat · PlaidCat · commit e30bf1231357 · 2024-12-19T10:08:48.000-05:00
jira LE-2177 cve CVE-2024-45020 Rebuild_History Non-Buildable kernel-5.14.0-503.19.1.el9_5 commit-author Yonghong Song <yonghong.song@linux.dev> commit bed2eb9 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-503.19.1.el9_5/bed2eb96.failed Daniel Hodges reported a kernel verifier crash when playing with sched-ext. Further investigation shows that the crash is due to invalid memory access in stacksafe(). More specifically, it is the following code: if (exact != NOT_EXACT && old->stack[spi].slot_type[i % BPF_REG_SIZE] != cur->stack[spi].slot_type[i % BPF_REG_SIZE]) return false; The 'i' iterates old->allocated_stack. If cur->allocated_stack < old->allocated_stack the out-of-bound access will happen. To fix the issue add 'i >= cur->allocated_stack' check such that if the condition is true, stacksafe() should fail. Otherwise, cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal. Fixes: 2793a8b ("bpf: exact states comparison for iterator convergence checks") Cc: Eduard Zingerman <eddyz87@gmail.com> Reported-by: Daniel Hodges <hodgesd@meta.com> Acked-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org> (cherry picked from commit bed2eb9) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # kernel/bpf/verifier.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-503.19.1.el9_5/bed2eb96.failed b/ciq/ciq_backports/kernel-5.14.0-503.19.1.el9_5/bed2eb96.failed
@@ -0,0 +1,67 @@
+bpf: Fix a kernel verifier crash in stacksafe()
+
+jira LE-2177
+cve CVE-2024-45020
+Rebuild_History Non-Buildable kernel-5.14.0-503.19.1.el9_5
+commit-author Yonghong Song <yonghong.song@linux.dev>
+commit bed2eb964c70b780fb55925892a74f26cb590b25
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-503.19.1.el9_5/bed2eb96.failed
+
+Daniel Hodges reported a kernel verifier crash when playing with sched-ext.
+Further investigation shows that the crash is due to invalid memory access
+in stacksafe(). More specifically, it is the following code:
+
+    if (exact != NOT_EXACT &&
+        old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
+        cur->stack[spi].slot_type[i % BPF_REG_SIZE])
+            return false;
+
+The 'i' iterates old->allocated_stack.
+If cur->allocated_stack < old->allocated_stack the out-of-bound
+access will happen.
+
+To fix the issue add 'i >= cur->allocated_stack' check such that if
+the condition is true, stacksafe() should fail. Otherwise,
+cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.
+
+Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
+	Cc: Eduard Zingerman <eddyz87@gmail.com>
+	Reported-by: Daniel Hodges <hodgesd@meta.com>
+	Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+	Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
+Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@linux.dev
+	Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+(cherry picked from commit bed2eb964c70b780fb55925892a74f26cb590b25)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	kernel/bpf/verifier.c
+diff --cc kernel/bpf/verifier.c
+index 2ca877463352,d8520095ca03..000000000000
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@@ -16463,12 -16883,14 +16463,19 @@@ static bool stacksafe(struct bpf_verifi
+  
+  		spi = i / BPF_REG_SIZE;
+  
+++<<<<<<< HEAD
+ +		if (exact &&
+ +		    old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
+ +		    cur->stack[spi].slot_type[i % BPF_REG_SIZE])
+++=======
++ 		if (exact != NOT_EXACT &&
++ 		    (i >= cur->allocated_stack ||
++ 		     old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
++ 		     cur->stack[spi].slot_type[i % BPF_REG_SIZE]))
+++>>>>>>> bed2eb964c70 (bpf: Fix a kernel verifier crash in stacksafe())
+  			return false;
+  
+ -		if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ)
+ -		    && exact == NOT_EXACT) {
+ +		if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) && !exact) {
+  			i += BPF_REG_SIZE - 1;
+  			/* explored state didn't use this */
+  			continue;
+* Unmerged path kernel/bpf/verifier.c
