Skip to content

bpf: Fix kernel address leakage in atomic fetch

Jiri Olsa requested to merge jolsa1/centos-stream-9:bpf/atomic_cve into main

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2046636

CVE: CVE-2022-0264

commit 7d3baf0afa3aa9102d6a521a8e4c41888bb79882
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Tue Dec 7 12:51:56 2021 +0000

    bpf: Fix kernel address leakage in atomic fetch

    The change in commit 37086bfdc737 ("bpf: Propagate stack bounds to registers
    in atomics w/ BPF_FETCH") around check_mem_access() handling is buggy since
    this would allow for unprivileged users to leak kernel pointers. For example,
    an atomic fetch/and with -1 on a stack destination which holds a spilled
    pointer will migrate the spilled register type into a scalar, which can then
    be exported out of the program (since scalar != pointer) by dumping it into
    a map value.

    The original implementation of XADD was preventing this situation by using
    a double call to check_mem_access() one with BPF_READ and a subsequent one
    with BPF_WRITE, in both cases passing -1 as a placeholder value instead of
    register as per XADD semantics since it didn't contain a value fetch. The
    BPF_READ also included a check in check_stack_read_fixed_off() which rejects
    the program if the stack slot is of __is_pointer_value() if dst_regno < 0.
    The latter is to distinguish whether we're dealing with a regular stack spill/
    fill or some arithmetical operation which is disallowed on non-scalars, see
    also 6e7e63cbb023 ("bpf: Forbid XADD on spilled pointers for unprivileged
    users") for more context on check_mem_access() and its handling of placeholder
    value -1.

    One minimally intrusive option to fix the leak is for the BPF_FETCH case to
    initially check the BPF_READ case via check_mem_access() with -1 as register,
    followed by the actual load case with non-negative load_reg to propagate
    stack bounds to registers.

    Fixes: 37086bfdc737 ("bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH")
    Reported-by: <n4ke4mry@gmail.com>
    Acked-by: Brendan Jackman <jackmanb@google.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Edited by Jiri Olsa

Merge request reports