From: Andrei Matei <andreimatei1(a)gmail.com>
mainline inclusion
from mainline-v6.8-rc1
commit 1d38a9ee81570c4bd61f557832dead4d6f816760
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9EW
CVE: CVE-2023-52676
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
This patch promotes the arithmetic around checking stack bounds to be
done in the 64-bit domain, instead of the current 32-bit. The arithmetic
implies adding together a 64-bit register with an int offset. The
register was checked to be below 1<<29 when it was variable, but not
when it was fixed. The offset either comes from an instruction (in which
case it is 16 bit), from another register (in which case the caller
checked it to be below 1<<29 [1]), or from the size of an argument to a
kfunc (in which case it can be a u32 [2]). Between the register being
inconsistently checked to be below 1<<29, and the offset being up to a
u32, it appears that we were open to overflowing the `int`s which were
currently used for arithmetic.
[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235f…
[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235f…
Reported-by: Andrii Nakryiko <andrii.nakryiko(a)gmail.com>
Signed-off-by: Andrei Matei <andreimatei1(a)gmail.com>
Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org>
Acked-by: Andrii Nakryiko <andrii(a)kernel.org>
Link: https://lore.kernel.org/bpf/20231207041150.229139-4-andreimatei1@gmail.com
Conflicts:
kernel/bpf/verifier.c
[The conflict is because some modifications were merged by the commit
8463d83a25f00 ("bpf: Fix accesses to uninit stack slots")]
Signed-off-by: Pu Lehui <pulehui(a)huawei.com>
---
kernel/bpf/verifier.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index b45dbd8b6348..34292a48e59c 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3917,7 +3917,7 @@ static int check_stack_access_within_bounds(
struct bpf_reg_state *regs = cur_regs(env);
struct bpf_reg_state *reg = regs + regno;
struct bpf_func_state *state = func(env, reg);
- int min_off, max_off;
+ s64 min_off, max_off;
int err;
char *err_extra;
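Review bot: widening `min_off`/`max_off` to `s64` at the declaration is only half of the change; this hunk does not show how the two variables are consumed further down in check_stack_access_within_bounds(), so any remaining use that passes them to an `int` parameter or formats them with `%d` would silently truncate the value back to 32 bits. Please confirm those uses were audited, particularly since the backport was hand-resolved against 8463d83a25f00 per the conflict note. A one-line comment on the declaration, e.g. `/* 64-bit: reg->var_off.value + off must not wrap */`, would also tell future readers why these are not plain `int`.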
@@ -3930,7 +3930,7 @@ static int check_stack_access_within_bounds(
err_extra = " write to";
if (tnum_is_const(reg->var_off)) {
- min_off = reg->var_off.value + off;
+ min_off = (s64)reg->var_off.value + off;
max_off = min_off + access_size;
} else {
if (reg->smax_value >= BPF_MAX_VAR_OFF ||
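Review bot: the `(s64)` cast on `reg->var_off.value` is what makes the addition signed; without it the sum is computed in u64 and a negative `off` (stack offsets relative to the frame pointer are typically negative) depends on unsigned wraparound before landing in the wider `min_off`. That is correct, but it deserves a short comment, otherwise a later cleanup may drop what looks like a redundant cast. Note that only the `tnum_is_const()` branch is touched; the `else` branch in the trailing context still relies on the `reg->smax_value >= BPF_MAX_VAR_OFF` guard, which matches the commit message's point that only the fixed-offset case was unchecked. `max_off = min_off + access_size` now evaluates in s64 because `min_off` is s64, so `access_size` is promoted regardless of its own width.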
--
2.34.1
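The wraparound the commit message above describes, as an added illustration that is not part of this patch or of the verifier's own code: two small C models of the changed lines, one keeping the old `int` result and one using the new `s64`, run on a constructed fixed register value above 1<<29. The `ALLOCATED_STACK` limit, the function names and the accept/reject rule (`min_off` no lower than the allocated stack, `max_off` not above the frame pointer) are assumptions standing in for the verifier's real state and checks.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;
typedef int64_t s64;

/* Constructed stand-in for state->allocated_stack: bytes below the frame pointer. */
#define ALLOCATED_STACK 512

/*
 * Model of the arithmetic before the patch: u64 register value plus an
 * int offset, with the sum stored in an int. The addition itself happens
 * in 64 bits, but the assignment truncates the result to 32 bits, so a
 * register value with bits set above bit 31 can collapse into a small
 * negative number that looks like a legitimate stack offset.
 */
static bool within_bounds_int(u64 reg_value, int off, int access_size)
{
	int min_off = reg_value + off;          /* truncated to 32 bits */
	int max_off = min_off + access_size;

	/* Hypothetical check mirroring the verifier's shape, not its code. */
	return min_off >= -ALLOCATED_STACK && max_off <= 0;
}

/*
 * Model of the arithmetic after the patch: the register is cast to s64
 * so the addition is signed and nothing is narrowed to 32 bits.
 */
static bool within_bounds_s64(u64 reg_value, int off, int access_size)
{
	s64 min_off = (s64)reg_value + off;
	s64 max_off = min_off + access_size;

	return min_off >= -ALLOCATED_STACK && max_off <= 0;
}

int main(void)
{
	/* Constructed inputs. The second register value (2^32) is above 1<<29,
	 * the kind of fixed value the commit message says went unchecked. */
	printf("reg=0,    off=-16, size=8: int=%d s64=%d\n",
	       within_bounds_int(0, -16, 8), within_bounds_s64(0, -16, 8));
	printf("reg=2^32, off=-64, size=8: int=%d s64=%d\n",
	       within_bounds_int(1ULL << 32, -64, 8),
	       within_bounds_s64(1ULL << 32, -64, 8));
	return 0;
}
```

With the 32-bit model, `2^32 - 64` is truncated to `-64`, an access that appears to sit comfortably inside the frame; the 64-bit model sees `4294967232`, which is far above the frame pointer and is rejected. The ordinary access at `fp-16` passes under both models, which is the point of the fix: widening changes nothing for valid programs and only closes the wraparound.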
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 37e0a494c2c8c6f0570068ab47a3e8319dbac30b
commit: 7e2ab91ea07673f855f16b54b7c6e6853b2efc1c [13138/22448] livepatch/x86: support livepatch without ftrace
config: x86_64-randconfig-073-20240521 (https://download.01.org/0day-ci/archive/20240521/202405211203.buT47nPT-lkp@…)
compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240521/202405211203.buT47nPT-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202405211203.buT47nPT-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> kernel/livepatch/core.c:75:16: warning: no previous prototype for function 'klp_check_patch_kprobed' [-Wmissing-prototypes]
75 | struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch)
| ^
kernel/livepatch/core.c:75:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
75 | struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch)
| ^
| static
kernel/livepatch/core.c:402:5: warning: no previous prototype for function 'klp_try_disable_patch' [-Wmissing-prototypes]
402 | int klp_try_disable_patch(void *data)
| ^
kernel/livepatch/core.c:402:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
402 | int klp_try_disable_patch(void *data)
| ^
| static
kernel/livepatch/core.c:441:13: warning: no previous prototype for function 'arch_klp_code_modify_prepare' [-Wmissing-prototypes]
441 | void __weak arch_klp_code_modify_prepare(void)
| ^
kernel/livepatch/core.c:441:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
441 | void __weak arch_klp_code_modify_prepare(void)
| ^
| static
kernel/livepatch/core.c:445:13: warning: no previous prototype for function 'arch_klp_code_modify_post_process' [-Wmissing-prototypes]
445 | void __weak arch_klp_code_modify_post_process(void)
| ^
kernel/livepatch/core.c:445:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
445 | void __weak arch_klp_code_modify_post_process(void)
| ^
| static
kernel/livepatch/core.c:617:5: warning: no previous prototype for function 'klp_try_enable_patch' [-Wmissing-prototypes]
617 | int klp_try_enable_patch(void *data)
| ^
kernel/livepatch/core.c:617:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
617 | int klp_try_enable_patch(void *data)
| ^
| static
kernel/livepatch/core.c:1013:12: warning: no previous prototype for function 'arch_klp_func_can_patch' [-Wmissing-prototypes]
1013 | int __weak arch_klp_func_can_patch(struct klp_func *func)
| ^
kernel/livepatch/core.c:1013:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
1013 | int __weak arch_klp_func_can_patch(struct klp_func *func)
| ^
| static
6 warnings generated.
vim +/klp_check_patch_kprobed +75 kernel/livepatch/core.c
7e8d223e3ef865 Cheng Jian 2019-01-28 69
c8f9d7a3aae362 Cheng Jian 2019-01-28 70 #ifdef CONFIG_LIVEPATCH_RESTRICT_KPROBE
c8f9d7a3aae362 Cheng Jian 2019-01-28 71 /*
c8f9d7a3aae362 Cheng Jian 2019-01-28 72 * Check whether a function has been registered with kprobes before patched.
c8f9d7a3aae362 Cheng Jian 2019-01-28 73 * We can't patched this function util we unregisted the kprobes.
c8f9d7a3aae362 Cheng Jian 2019-01-28 74 */
c8f9d7a3aae362 Cheng Jian 2019-01-28 @75 struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch)
c8f9d7a3aae362 Cheng Jian 2019-01-28 76 {
c8f9d7a3aae362 Cheng Jian 2019-01-28 77 struct klp_object *obj;
c8f9d7a3aae362 Cheng Jian 2019-01-28 78 struct klp_func *func;
c8f9d7a3aae362 Cheng Jian 2019-01-28 79 struct kprobe *kp;
c8f9d7a3aae362 Cheng Jian 2019-01-28 80 int i;
c8f9d7a3aae362 Cheng Jian 2019-01-28 81
c8f9d7a3aae362 Cheng Jian 2019-01-28 82 klp_for_each_object(patch, obj) {
c8f9d7a3aae362 Cheng Jian 2019-01-28 83 klp_for_each_func(obj, func) {
c8f9d7a3aae362 Cheng Jian 2019-01-28 84 for (i = 0; i < func->old_size; i++) {
c8f9d7a3aae362 Cheng Jian 2019-01-28 85 kp = get_kprobe((void *)func->old_addr + i);
c8f9d7a3aae362 Cheng Jian 2019-01-28 86 if (kp) {
c8f9d7a3aae362 Cheng Jian 2019-01-28 87 pr_err("func %s has been probed, (un)patch failed\n",
c8f9d7a3aae362 Cheng Jian 2019-01-28 88 func->old_name);
c8f9d7a3aae362 Cheng Jian 2019-01-28 89 return kp;
c8f9d7a3aae362 Cheng Jian 2019-01-28 90 }
c8f9d7a3aae362 Cheng Jian 2019-01-28 91 }
c8f9d7a3aae362 Cheng Jian 2019-01-28 92 }
c8f9d7a3aae362 Cheng Jian 2019-01-28 93 }
c8f9d7a3aae362 Cheng Jian 2019-01-28 94
c8f9d7a3aae362 Cheng Jian 2019-01-28 95 return NULL;
c8f9d7a3aae362 Cheng Jian 2019-01-28 96 }
c8f9d7a3aae362 Cheng Jian 2019-01-28 97 #else
c8f9d7a3aae362 Cheng Jian 2019-01-28 98 static inline struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch)
c8f9d7a3aae362 Cheng Jian 2019-01-28 99 {
c8f9d7a3aae362 Cheng Jian 2019-01-28 100 return NULL;
c8f9d7a3aae362 Cheng Jian 2019-01-28 101 }
c8f9d7a3aae362 Cheng Jian 2019-01-28 102 #endif /* CONFIG_LIVEPATCH_RESTRICT_KPROBE */
c8f9d7a3aae362 Cheng Jian 2019-01-28 103
:::::: The code at line 75 was first introduced by commit
:::::: c8f9d7a3aae362482f81ba7c6819d410d66619ab livepatch/core: Restrict livepatch patched/unpatched when plant kprobe
:::::: TO: Cheng Jian <cj.chengjian(a)huawei.com>
:::::: CC: Xie XiuQi <xiexiuqi(a)huawei.com>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki