From: Kees Cook keescook@chromium.org
mainline inclusion from mainline-v6.1-rc5 commit 42378a9ca55347102bbf86708776061d8fe3ece2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I932VT CVE: CVE-2023-52452
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
If an error (NULL) is returned by krealloc(), callers of realloc_array() were setting their allocation pointers to NULL, but on error krealloc() does not touch the original allocation. This would result in a memory resource leak. Instead, free the old allocation on the error handling path.
The memory leak information is as follows as also reported by Zhengchao:
unreferenced object 0xffff888019801800 (size 256): comm "bpf_repo", pid 6490, jiffies 4294959200 (age 17.170s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000b211474b>] __kmalloc_node_track_caller+0x45/0xc0 [<0000000086712a0b>] krealloc+0x83/0xd0 [<00000000139aab02>] realloc_array+0x82/0xe2 [<00000000b1ca41d1>] grow_stack_state+0xfb/0x186 [<00000000cd6f36d2>] check_mem_access.cold+0x141/0x1341 [<0000000081780455>] do_check_common+0x5358/0xb350 [<0000000015f6b091>] bpf_check.cold+0xc3/0x29d [<000000002973c690>] bpf_prog_load+0x13db/0x2240 [<00000000028d1644>] __sys_bpf+0x1605/0x4ce0 [<00000000053f29bd>] __x64_sys_bpf+0x75/0xb0 [<0000000056fedaf5>] do_syscall_64+0x35/0x80 [<000000002bd58261>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fixes: c69431aab67a ("bpf: verifier: Improve function state reallocation") Reported-by: Zhengchao Shao shaozhengchao@huawei.com Reported-by: Kees Cook keescook@chromium.org Signed-off-by: Kees Cook keescook@chromium.org Signed-off-by: Daniel Borkmann daniel@iogearbox.net Reviewed-by: Bill Wendling morbo@google.com Cc: Lorenz Bauer oss@lmb.io Link: https://lore.kernel.org/bpf/20221029025433.2533810-1-keescook@chromium.org Conflicts: kernel/bpf/verifier.c Signed-off-by: Pu Lehui pulehui@huawei.com --- kernel/bpf/verifier.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 38a77a2c1992..ae75771cc199 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -725,16 +725,22 @@ static void *copy_array(void *dst, const void *src, size_t n, size_t size, gfp_t static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t size) { size_t bytes; + void *new_arr;
if (!new_n || old_n == new_n) goto out;
- if (unlikely(check_mul_overflow(new_n, size, &bytes))) + if (unlikely(check_mul_overflow(new_n, size, &bytes))) { + kfree(arr); return NULL; + }
- arr = krealloc(arr, bytes, GFP_KERNEL); - if (!arr) + new_arr = krealloc(arr, bytes, GFP_KERNEL); + if (!new_arr) { + kfree(arr); return NULL; + } + arr = new_arr;
if (new_n > old_n) memset(arr + old_n * size, 0, (new_n - old_n) * size);