hamza.kesraoui/sst-linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
254abd3d87
sst-linux/kernel
History
Maciej Fijalkowski 98c03d0593 bpf: fix OOB devmap writes when deleting elements 
commit ab244dd7cf4c291f82faacdc50b45cc0f55b674d upstream.

Jordy reported issue against XSKMAP which also applies to DEVMAP - the
index used for accessing map entry, due to being a signed integer,
causes the OOB writes. Fix is simple as changing the type from int to
u32, however, when compared to XSKMAP case, one more thing needs to be
addressed.

When map is released from system via dev_map_free(), we iterate through
all of the entries and an iterator variable is also an int, which
implies OOB accesses. Again, change it to be u32.

Example splat below:

[  160.724676] BUG: unable to handle page fault for address: ffffc8fc2c001000
[  160.731662] #PF: supervisor read access in kernel mode
[  160.736876] #PF: error_code(0x0000) - not-present page
[  160.742095] PGD 0 P4D 0
[  160.744678] Oops: Oops: 0000 [#1] PREEMPT SMP
[  160.749106] CPU: 1 UID: 0 PID: 520 Comm: kworker/u145:12 Not tainted 6.12.0-rc1+ #487
[  160.757050] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
[  160.767642] Workqueue: events_unbound bpf_map_free_deferred
[  160.773308] RIP: 0010:dev_map_free+0x77/0x170
[  160.777735] Code: 00 e8 fd 91 ed ff e8 b8 73 ed ff 41 83 7d 18 19 74 6e 41 8b 45 24 49 8b bd f8 00 00 00 31 db 85 c0 74 48 48 63 c3 48 8d 04 c7 <48> 8b 28 48 85 ed 74 30 48 8b 7d 18 48 85 ff 74 05 e8 b3 52 fa ff
[  160.796777] RSP: 0018:ffffc9000ee1fe38 EFLAGS: 00010202
[  160.802086] RAX: ffffc8fc2c001000 RBX: 0000000080000000 RCX: 0000000000000024
[  160.809331] RDX: 0000000000000000 RSI: 0000000000000024 RDI: ffffc9002c001000
[  160.816576] RBP: 0000000000000000 R08: 0000000000000023 R09: 0000000000000001
[  160.823823] R10: 0000000000000001 R11: 00000000000ee6b2 R12: dead000000000122
[  160.831066] R13: ffff88810c928e00 R14: ffff8881002df405 R15: 0000000000000000
[  160.838310] FS:  0000000000000000(0000) GS:ffff8897e0c40000(0000) knlGS:0000000000000000
[  160.846528] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  160.852357] CR2: ffffc8fc2c001000 CR3: 0000000005c32006 CR4: 00000000007726f0
[  160.859604] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  160.866847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  160.874092] PKRU: 55555554
[  160.876847] Call Trace:
[  160.879338]  <TASK>
[  160.881477]  ? __die+0x20/0x60
[  160.884586]  ? page_fault_oops+0x15a/0x450
[  160.888746]  ? search_extable+0x22/0x30
[  160.892647]  ? search_bpf_extables+0x5f/0x80
[  160.896988]  ? exc_page_fault+0xa9/0x140
[  160.900973]  ? asm_exc_page_fault+0x22/0x30
[  160.905232]  ? dev_map_free+0x77/0x170
[  160.909043]  ? dev_map_free+0x58/0x170
[  160.912857]  bpf_map_free_deferred+0x51/0x90
[  160.917196]  process_one_work+0x142/0x370
[  160.921272]  worker_thread+0x29e/0x3b0
[  160.925082]  ? rescuer_thread+0x4b0/0x4b0
[  160.929157]  kthread+0xd4/0x110
[  160.932355]  ? kthread_park+0x80/0x80
[  160.936079]  ret_from_fork+0x2d/0x50
[  160.943396]  ? kthread_park+0x80/0x80
[  160.950803]  ret_from_fork_asm+0x11/0x20
[  160.958482]  </TASK>

Fixes: 546ac1ffb7 ("bpf: add devmap, a map for storing net device references")
CC: stable@vger.kernel.org
Reported-by: Jordy Zomer <jordyzomer@google.com>
Suggested-by: Jordy Zomer <jordyzomer@google.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Link: https://lore.kernel.org/r/20241122121030.716788-3-maciej.fijalkowski@intel.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-12-14 19:54:35 +01:00
..
bpf bpf: fix OOB devmap writes when deleting elements 2024-12-14 19:54:35 +01:00
cgroup cgroup/bpf: only cgroup v2 can be attached by bpf programs 2024-12-14 19:53:21 +01:00
configs
debug kdb: Use the passed prompt in kdb_position_cursor() 2024-08-03 08:49:47 +02:00
dma dma-mapping: benchmark: Don't starve others when doing the test 2024-09-12 11:10:23 +02:00
entry
events uprobes: fix kernel info leak via "[uprobes]" vma 2024-10-17 15:22:05 +02:00
futex
gcov
irq genirq/irqdesc: Honor caller provided affinity in alloc_desc() 2024-08-14 13:52:58 +02:00
kcsan
livepatch
locking lockdep: fix deadlock issue between lockdep and rcu 2024-10-17 15:21:27 +02:00
module module: Fix KCOV-ignored file name 2024-10-17 15:21:27 +02:00
power
printk seqlock/latch: Provide raw_read_seqcount_latch_retry() 2024-12-14 19:53:19 +01:00
rcu rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() 2024-12-14 19:53:56 +01:00
sched sched: psi: fix bogus pressure spikes from aggregation race 2024-10-17 15:22:06 +02:00
time ntp: Remove invalid cast in time offset math 2024-12-14 19:54:26 +01:00
trace tracing: Fix cmp_entries_dup() to respect sort() comparison rules 2024-12-14 19:54:32 +01:00
.gitignore
acct.c
async.c
audit_fsnotify.c
audit_tree.c
audit_watch.c
audit.c
audit.h
auditfilter.c ima: Avoid blocking in RCU read-side critical section 2024-07-11 12:47:16 +02:00
auditsc.c
backtracetest.c
bounds.c
capability.c
cfi.c
compat.c
configs.c
context_tracking.c
cpu_pm.c
cpu.c cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked() 2024-07-05 09:31:56 +02:00
crash_core.c
crash_dump.c
cred.c
delayacct.c
dma.c
exec_domain.c
exit.c mm: optimize the redundant loop of mm_update_owner_next() 2024-07-11 12:47:13 +02:00
extable.c
fail_function.c
fork.c posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone 2024-11-14 13:15:16 +01:00
freezer.c
gen_kheaders.sh kheaders: explicitly define file modes for archived headers 2024-06-27 13:46:24 +02:00
groups.c
hung_task.c
iomem.c
irq_work.c
jump_label.c jump_label: Fix static_key_slow_dec() yet again 2024-10-17 15:21:29 +02:00
kallsyms_internal.h
kallsyms.c
kcmp.c
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
kcov.c kcov: properly check for softirq context 2024-08-14 13:52:58 +02:00
kexec_core.c
kexec_elf.c
kexec_file.c
kexec_internal.h
kexec.c
kheaders.c
kmod.c
kprobes.c kprobes: Fix to check symbol prefixes correctly 2024-08-14 13:52:54 +02:00
ksysfs.c
kthread.c kthread: unpark only parked kthread 2024-10-17 15:22:28 +02:00
latencytop.c
Makefile
module_signature.c
notifier.c
nsproxy.c
numa.c
padata.c padata: use integer wrap around to prevent deadlock on seq_nr overflow 2024-10-17 15:21:24 +02:00
panic.c
params.c
pid_namespace.c pid: Replace struct pid 1-element array with flex-array 2024-08-29 17:30:18 +02:00
pid.c pid: Replace struct pid 1-element array with flex-array 2024-08-29 17:30:18 +02:00
profile.c profiling: remove profile=sleep support 2024-08-14 13:52:50 +02:00
ptrace.c
range.c
reboot.c
regset.c
relay.c
resource_kunit.c
resource.c resource: fix region_intersects() vs add_memory_driver_managed() 2024-10-17 15:21:55 +02:00
rseq.c
scftorture.c
scs.c
seccomp.c
signal.c signal: restore the override_rlimit logic 2024-11-14 13:15:18 +01:00
smp.c smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu() 2024-09-12 11:10:24 +02:00
smpboot.c
smpboot.h
softirq.c
stackleak.c
stacktrace.c
static_call_inline.c static_call: Replace pointless WARN_ON() in static_call_module_notify() 2024-10-17 15:21:29 +02:00
static_call.c
stop_machine.c
sys_ni.c syscalls: fix compat_sys_io_pgetevents_time64 usage 2024-07-05 09:31:59 +02:00
sys.c
sysctl-test.c
sysctl.c
task_work.c task_work: Introduce task_work_cancel() again 2024-08-03 08:49:34 +02:00
taskstats.c
torture.c
tracepoint.c
tsacct.c
ucount.c ucounts: fix counter leak in inc_rlimit_get_ucounts() 2024-11-14 13:15:19 +01:00
uid16.c
uid16.h
umh.c
up.c
user_namespace.c
user-return-notifier.c
user.c
usermode_driver.c
utsname_sysctl.c
utsname.c
watch_queue.c
watchdog_hld.c watchdog/perf: properly initialize the turbo mode timestamp and rearm counter 2024-08-03 08:49:42 +02:00
watchdog.c
workqueue_internal.h
workqueue.c workqueue: Improve scalability of workqueue watchdog touch 2024-09-12 11:10:27 +02:00