[PATCH] include: linux: Fix flex array member not at the end in bpf_empty_prog_array

Philipp Hortmann posted 1 patch 1 month, 4 weeks ago
Posted by Philipp Hortmann 1 month, 4 weeks ago
Struct bpf_prog_array has a flex array member at the end and needs
therefore to be last in struct bpf_empty_prog_array.

Signed-off-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>
---
 include/linux/bpf.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 19d8ca8ac960..1ce319045048 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -2018,8 +2018,8 @@ struct bpf_prog_array {
 };
 
 struct bpf_empty_prog_array {
-	struct bpf_prog_array hdr;
 	struct bpf_prog *null_prog;
+	struct bpf_prog_array hdr;
 };
 
 /* to avoid allocating empty bpf_prog_array for cgroups that
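Review bot: Moving `hdr` after `null_prog` in this hunk breaks the layout that `bpf_empty_prog_array` relies on instead of fixing a flexible-array misuse: `struct bpf_prog_array` ends in a flexible `items[]` member, and putting `hdr` first with `null_prog` directly behind it is deliberate, so that `hdr.items[0]` overlaps `null_prog` and an empty program array still reads a NULL terminator without any allocation (that is what the `/* to avoid allocating empty bpf_prog_array ... */` context line refers to). With `hdr` last, `hdr.items[0]` sits past the end of the object, which is exactly the KASAN global-out-of-bounds read at `bpf_empty_prog_array+0x18` in `__cgroup_bpf_check_dev_permission` that the kernel test robot reports later in this thread. Suggest dropping this patch as is; if the goal is to silence the "flex array member not at the end" warning named in the subject, the change has to keep `hdr` first and preserve the overlap with `null_prog` rather than reorder the fields.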
-- 
2.43.0
Re: [PATCH] include: linux: Fix flex array member not at the end in bpf_empty_prog_array
Posted by kernel test robot 1 month, 3 weeks ago

Hello,

kernel test robot noticed "BUG:KASAN:global-out-of-bounds_in__cgroup_bpf_check_dev_permission" on:

commit: fa410b506a9aa6faf7277cd478e670670d73a206 ("[PATCH] include: linux: Fix flex array member not at the end in bpf_empty_prog_array")
url: https://github.com/intel-lab-lkp/linux/commits/Philipp-Hortmann/include-linux-Fix-flex-array-member-not-at-the-end-in-bpf_empty_prog_array/20241001-022346
base: https://git.kernel.org/cgit/linux/kernel/git/bpf/bpf-next.git master
patch link: https://lore.kernel.org/all/20240930181700.22839-1-philipp.g.hortmann@gmail.com/
patch subject: [PATCH] include: linux: Fix flex array member not at the end in bpf_empty_prog_array

in testcase: boot

compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)


+--------------------------------------------------------------------+------------+------------+
|                                                                    | 93eeaab456 | fa410b506a |
+--------------------------------------------------------------------+------------+------------+
| BUG:KASAN:global-out-of-bounds_in__cgroup_bpf_check_dev_permission | 0          | 12         |
+--------------------------------------------------------------------+------------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202410062215.255fb5b7-oliver.sang@intel.com


[ 23.682727][ T112] BUG: KASAN: global-out-of-bounds in __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545) 
[   23.683467][  T112] Read of size 8 at addr ffffffffa8495ff8 by task (modprobe)/112
[   23.684089][  T112]
[   23.684349][  T112] CPU: 1 UID: 0 PID: 112 Comm: (modprobe) Not tainted 6.11.0-10575-gfa410b506a9a #1
[   23.685081][  T112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   23.685872][  T112] Call Trace:
[   23.686179][  T112]  <TASK>
[ 23.686457][ T112] dump_stack_lvl (lib/dump_stack.c:123 (discriminator 1)) 
[ 23.686839][ T112] print_address_description+0x2c/0x3a0 
[ 23.687351][ T112] ? __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545) 
[ 23.687856][ T112] print_report (mm/kasan/report.c:489) 
[ 23.688241][ T112] ? kasan_addr_to_slab (mm/kasan/common.c:37) 
[ 23.688648][ T112] ? __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545) 
[ 23.689148][ T112] kasan_report (mm/kasan/report.c:603) 
[ 23.689523][ T112] ? __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545) 
[ 23.690028][ T112] __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545) 
[ 23.690524][ T112] ? __pfx_make_vfsuid (fs/mnt_idmapping.c:82) 
[ 23.690932][ T112] ? read_word_at_a_time (include/asm-generic/rwonce.h:86) 
[ 23.691342][ T112] ? __pfx___cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:1534) 
[ 23.691867][ T112] ? __pfx_make_vfsuid (fs/mnt_idmapping.c:82) 
[ 23.692282][ T112] ? generic_permission (fs/namei.c:353 fs/namei.c:414) 
[ 23.692700][ T112] devcgroup_check_permission (security/device_cgroup.c:864) 
[ 23.693150][ T112] inode_permission (fs/namei.c:540 fs/namei.c:510) 
[ 23.693549][ T112] ? try_to_unlazy (fs/namei.c:793) 
[ 23.693941][ T112] may_open (fs/namei.c:3365) 
[ 23.694288][ T112] do_open (fs/namei.c:3772) 
[ 23.694638][ T112] path_openat (fs/namei.c:3934) 
[ 23.695008][ T112] ? __pfx_path_openat (fs/namei.c:3915) 
[ 23.695410][ T112] do_filp_open (fs/namei.c:3960) 
[ 23.695788][ T112] ? __pfx_do_filp_open (fs/namei.c:3954) 
[ 23.696201][ T112] ? alloc_fd (fs/file.c:556 (discriminator 10)) 
[ 23.696580][ T112] ? getname_flags (include/linux/audit.h:316) 
[ 23.697003][ T112] do_sys_openat2 (fs/open.c:1415) 
[ 23.697390][ T112] ? __pfx_do_sys_openat2 (fs/open.c:1401) 
[ 23.697810][ T112] ? kvm_sched_clock_read (arch/x86/kernel/kvmclock.c:91) 
[ 23.698231][ T112] ? sched_clock (arch/x86/include/asm/preempt.h:94 arch/x86/kernel/tsc.c:285) 
[ 23.698602][ T112] ? sched_clock_cpu (kernel/sched/clock.c:394) 
[ 23.698999][ T112] ? kvm_sched_clock_read (arch/x86/kernel/kvmclock.c:91) 
[ 23.699420][ T112] ? sched_clock (arch/x86/include/asm/preempt.h:94 arch/x86/kernel/tsc.c:285) 
[ 23.699793][ T112] ? sched_clock_cpu (kernel/sched/clock.c:394) 
[ 23.700190][ T112] __x64_sys_openat (fs/open.c:1441) 
[ 23.700608][ T112] ? __pfx_sched_clock_cpu (kernel/sched/clock.c:389) 
[ 23.701030][ T112] ? __pfx___x64_sys_openat (fs/open.c:1441) 
[ 23.701462][ T112] ? kmem_cache_free (mm/slub.c:2308 mm/slub.c:4580 mm/slub.c:4682) 
[ 23.701869][ T112] ? irqtime_account_irq (kernel/sched/cputime.c:64) 
[ 23.702291][ T112] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 23.702666][ T112] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[   23.710833][  T112]  </TASK>
[   23.711116][  T112]
[   23.711351][  T112] The buggy address belongs to the variable:
[ 23.711816][ T112] bpf_empty_prog_array+0x18/0x40 
[   23.712227][  T112]
[   23.712471][  T112] The buggy address belongs to the physical page:
[   23.712963][  T112] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17e695
[   23.713649][  T112] flags: 0x17ffffc0002000(reserved|node=0|zone=2|lastcpupid=0x1fffff)
[   23.714299][  T112] raw: 0017ffffc0002000 ffffea0005f9a548 ffffea0005f9a548 0000000000000000
[   23.714968][  T112] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   23.715641][  T112] page dumped because: kasan: bad access detected
[   23.716134][  T112] page_owner info is not present (never set?)
[   23.716613][  T112]
[   23.716851][  T112] Memory state around the buggy address:
[   23.717296][  T112]  ffffffffa8495e80: 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
[   23.717932][  T112]  ffffffffa8495f00: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[   23.718573][  T112] >ffffffffa8495f80: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 00 f9
[   23.719207][  T112]                                                                 ^
[   23.719841][  T112]  ffffffffa8496000: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
[   23.720480][  T112]  ffffffffa8496080: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
[   23.721119][  T112] ==================================================================
[   23.721795][  T112] Disabling lock debugging due to kernel taint



The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20241006/202410062215.255fb5b7-oliver.sang@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Re: [PATCH] include: linux: Fix flex array member not at the end in bpf_empty_prog_array
Posted by Gustavo A. R. Silva 1 month, 3 weeks ago

On 30/09/24 12:16, Philipp Hortmann wrote:
> Struct bpf_prog_array has a flex array member at the end and needs
> therefore to be last in struct bpf_empty_prog_array.
> 
> Signed-off-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>

Acked-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Thanks!
--
Gustavo

> ---
>   include/linux/bpf.h | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index 19d8ca8ac960..1ce319045048 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -2018,8 +2018,8 @@ struct bpf_prog_array {
>   };
>   
>   struct bpf_empty_prog_array {
> -	struct bpf_prog_array hdr;
>   	struct bpf_prog *null_prog;
> +	struct bpf_prog_array hdr;
>   };
>   
>   /* to avoid allocating empty bpf_prog_array for cgroups that