From patchwork Thu Oct 10 11:14:05 2024
X-Patchwork-Submitter: Massimiliano Pellizzer
X-Patchwork-Id: 1995403
From: Massimiliano Pellizzer
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/1] bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()
Date: Thu, 10 Oct 2024 13:14:05 +0200
Message-ID: <20241010111405.27935-2-massimiliano.pellizzer@canonical.com>
In-Reply-To: <20241010111405.27935-1-massimiliano.pellizzer@canonical.com>
References: <20241010111405.27935-1-massimiliano.pellizzer@canonical.com>

From: Christophe Leroy

[ Upstream commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 ]

set_memory_ro() can fail, leaving memory unprotected.

Check its return and take it into account as an error.

Link: https://github.com/KSPP/linux/issues/7
Signed-off-by: Christophe Leroy
Cc: linux-hardening@vger.kernel.org
Reviewed-by: Kees Cook
Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu>
Signed-off-by: Alexei Starovoitov
Signed-off-by: Sasha Levin
(backported from commit 05412471beba313ecded95aa17b25fe84bb2551a linux-6.9.y)
[mpellizzer: backported solving minor merge conflict due to surrounding instructions which do not affect the fix]
CVE-2024-42068
Signed-off-by: Massimiliano Pellizzer
---
 include/linux/filter.h | 5 +++--
 kernel/bpf/core.c      | 4 +++-
 kernel/bpf/verifier.c  | 8 ++++++--
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/include/linux/filter.h b/include/linux/filter.h
index 0bec300b2e516..8134c256b276a 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -787,14 +787,15 @@ bpf_ctx_narrow_access_offset(u32 off, u32 size, u32 size_default) #define bpf_classic_proglen(fprog) (fprog->len * sizeof(fprog->filter[0])) -static inline void bpf_prog_lock_ro(struct bpf_prog *fp) +static inline int __must_check bpf_prog_lock_ro(struct bpf_prog *fp) { #ifndef CONFIG_BPF_JIT_ALWAYS_ON if (!fp->jited) { set_vm_flush_reset_perms(fp); - set_memory_ro((unsigned long)fp, fp->pages); + return set_memory_ro((unsigned long)fp, fp->pages); } #endif + return 0; } static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr) diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index dde21d23f2202..b9b45378bff54 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -1787,7 +1787,9 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err) } finalize: - bpf_prog_lock_ro(fp); + *err = bpf_prog_lock_ro(fp); + if (*err) + return fp; /* The tail call compatibility check can only be done at * this late stage as we need to determine, if we deal diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 5a375e28bfeaf..7776b1a6a24ce 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -9142,10 +9142,14 @@ static int jit_subprogs(struct bpf_verifier_env *env) * populate kallsysm */ for (i = 0; i < env->subprog_cnt; i++) { - bpf_prog_lock_ro(func[i]); - bpf_prog_kallsyms_add(func[i]); + err = bpf_prog_lock_ro(func[i]); + if (err) + goto out_free; } + for (i = 0; i < env->subprog_cnt; i++) + bpf_prog_kallsyms_add(func[i]); + /* Last step: make now unused interpreter insns from main * prog consistent for later dump requests, so they can * later look the same as if they were interpreted only.
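Review bot: the new `int __must_check` return on `bpf_prog_lock_ro()` only reports failures on the interpreter path (`!fp->jited`); in the same hunk `bpf_jit_binary_lock_ro()` still returns `void`, so a `set_memory_ro()` failure on a JIT image stays silent after this backport. If the CVE-2024-42068 fix is meant to cover jited programs as well, that helper needs the same treatment in a follow-up; otherwise the backport note should say explicitly that only non-jited programs are covered. Also worth confirming that every caller of `bpf_prog_lock_ro()` in this tree is updated, since `__must_check` turns any remaining void-context call into a build warning.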
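Review bot: in the `bpf_prog_select_runtime()` hunk the early `return fp` after `*err = bpf_prog_lock_ro(fp)` hands back a program that is neither read-only nor tail-call-checked, so correctness now depends on every caller checking `*err` before using or exposing the returned prog; those callers are outside this hunk and should be verified as part of the review. A one-line comment above `if (*err)` stating that `fp` is returned unlocked and the caller is expected to free it would make the ownership explicit, especially since `set_vm_flush_reset_perms(fp)` has already been applied by the time `set_memory_ro()` fails (see the filter.h hunk) and the free path is what honours it.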
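Review bot: splitting the `jit_subprogs()` loop so that `bpf_prog_kallsyms_add()` only runs once every subprog is locked is the right ordering, because `out_free` then never has to undo a kallsyms registration; `out_free` itself is outside this hunk, though, so please confirm it frees every `func[i]`, including the ones already made read-only before the failing iteration. Minor: the comment fragment visible above the first loop (`* populate kallsysm */`) now describes the new second loop rather than the lock-only loop it sits above; moving it down would keep the comment accurate.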