• Eric Dumazet's avatar
    bpf: Fix error path in htab_map_alloc() · 8aaeed81
    Eric Dumazet authored
    syzbot was able to trigger a use-after-free in htab_map_alloc() [1]
    
    htab_map_alloc() lacks a call to lockdep_unregister_key() in its error path.
    
    lockdep_register_key() and lockdep_unregister_key() can not fail,
    it seems better to use them right after htab allocation and before
    htab freeing, avoiding more goto/labels in htab_map_alloc()
    
    [1]
    BUG: KASAN: use-after-free in lockdep_register_key+0x356/0x3e0 kernel/locking/lockdep.c:1182
    Read of size 8 at addr ffff88805fa67ad8 by task syz-executor.3/2356
    
    CPU: 1 PID: 2356 Comm: syz-executor.3 Not tainted 5.9.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x107/0x163 lib/dump_stack.c:118
     print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
     __kasan_report mm/kasan/report.c:545 [inline]
     kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
     lockdep_register_key+0x356/0x3e0 kernel/locking/lockdep.c:1182
     htab_init_buckets kernel/bpf/hashtab.c:144 [inline]
     htab_map_alloc+0x6c5/0x14a0 kernel/bpf/hashtab.c:521
     find_and_alloc_map kernel/bpf/syscall.c:122 [inline]
     map_create kernel/bpf/syscall.c:825 [inline]
     __do_sys_bpf+0xa80/0x5180 kernel/bpf/syscall.c:4381
     do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x45deb9
    Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007f0eafee1c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
    RAX: ffffffffffffffda RBX: 0000000000001a00 RCX: 000000000045deb9
    RDX: 0000000000000040 RSI: 0000000020000040 RDI: 405a020000000000
    RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
    R13: 00007ffd3cf9eabf R14: 00007f0eafee29c0 R15: 000000000118bf2c
    
    Allocated by task 2053:
     kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
     kasan_set_track mm/kasan/common.c:56 [inline]
     __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
     kmalloc include/linux/slab.h:554 [inline]
     kzalloc include/linux/slab.h:666 [inline]
     htab_map_alloc+0xdf/0x14a0 kernel/bpf/hashtab.c:454
     find_and_alloc_map kernel/bpf/syscall.c:122 [inline]
     map_create kernel/bpf/syscall.c:825 [inline]
     __do_sys_bpf+0xa80/0x5180 kernel/bpf/syscall.c:4381
     do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Freed by task 2053:
     kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
     kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
     kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
     __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422
     slab_free_hook mm/slub.c:1544 [inline]
     slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577
     slab_free mm/slub.c:3142 [inline]
     kfree+0xdb/0x360 mm/slub.c:4124
     htab_map_alloc+0x3f9/0x14a0 kernel/bpf/hashtab.c:549
     find_and_alloc_map kernel/bpf/syscall.c:122 [inline]
     map_create kernel/bpf/syscall.c:825 [inline]
     __do_sys_bpf+0xa80/0x5180 kernel/bpf/syscall.c:4381
     do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    The buggy address belongs to the object at ffff88805fa67800
     which belongs to the cache kmalloc-1k of size 1024
    The buggy address is located 728 bytes inside of
     1024-byte region [ffff88805fa67800, ffff88805fa67c00)
    The buggy address belongs to the page:
    page:000000003c5582c4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5fa60
    head:000000003c5582c4 order:3 compound_mapcount:0 compound_pincount:0
    flags: 0xfff00000010200(slab|head)
    raw: 00fff00000010200 ffffea0000bc1200 0000000200000002 ffff888010041140
    raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
     ffff88805fa67980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff88805fa67a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                        ^
     ffff88805fa67b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff88805fa67b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    
    Fixes: c50eb518 ("bpf: Use separate lockdep class for each hashtab")
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    Link: https://lore.kernel.org/bpf/20201102114100.3103180-1-eric.dumazet@gmail.com
    8aaeed81
hashtab.c 55.8 KB