From patchwork Wed Nov  2 08:16:20 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Baisong Zhong <zhongbaisong@huawei.com>
X-Patchwork-Id: 14074
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp3481239wru;
        Wed, 2 Nov 2022 01:19:12 -0700 (PDT)
X-Google-Smtp-Source: 
 AMsMyM6iecYMQQVw1DV1bbyiZIhXZoTqko7O936Ps5dC5rujJ1frfIOMPQF1JNd9LIO6ukXZ9fPt
X-Received: by 2002:a17:90b:19d1:b0:213:7030:6bd9 with SMTP id
 nm17-20020a17090b19d100b0021370306bd9mr24683444pjb.43.1667377152335;
        Wed, 02 Nov 2022 01:19:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1667377152; cv=none;
        d=google.com; s=arc-20160816;
        b=08vsuRKsimwo6FUiXXSKIw1eqYu/MZ+3mh6PtHN6DF6IMIdU4GPjFQ4ygntlkjWUme
         bAtBPr5L3XBtQ/9BAWAkaHZnxl4h4spTMeU1FAD4fzwkrEy9SBiNQQgyKL9WclXzlHkc
         xieRFWZDwGVFKRCf8uUBrIxdXJj5GPN4FvNCi1frHLcWHDkxuxVzJkizchVFq5o2sz2r
         jVGFrlAg8RkpDGcqgyw7C9AnM3AZpMNmxrXj+Xs3I4AgNDGINDOhFmUA7jokE+akmxa9
         IHzJaSwNKgGShHhjwIi6CroXvZKkbGY7x6Uwu3JZVecKgwFjqaV/J6CbRIBdpQcVhnvT
         6ZdQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=yFOQLH1O+sSCK/RAGFvYBnCUOgWWUEDRvCwynRN9ekY=;
        b=muRqIas0WsCb/xA2tgYz17L2EuFPq0BAARUL5aWU6OjgqGb+X8FSSDPpJ3QqyPvFya
         phGV/d/C6+Hkb9cEZn8hjdewpuZ2iWvCdD7v1I+gjyL1rUwSaOXPhJkGWI8TH5rV+oBh
         Su45gMPG+7zJknpOTH3rSUPJKqAuivb82DOQhtUAqXPy2/r5hmn5PEOhc2jYhh0TxPOS
         SslvmTHIX5S4dWaCqZx5MhD4fH2ICnYHruinLgr2EbQFFExqq6EHxAy/kAO+hEdk00o0
         WkaJjqaYfKhCFyKHBrJwPK26xq4Uh7mtMmHnoD/fl7lFOO57sVrYa54s+0qPmpqjbp6Q
         Z8Ow==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 ls3-20020a17090b350300b001fe2de6a2c9si1935743pjb.4.2022.11.02.01.18.59;
        Wed, 02 Nov 2022 01:19:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230106AbiKBIQd (ORCPT <rfc822;rua109.linux@gmail.com>
        + 99 others); Wed, 2 Nov 2022 04:16:33 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50816 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230171AbiKBIQ0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 2 Nov 2022 04:16:26 -0400
Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 996852529C;
        Wed,  2 Nov 2022 01:16:23 -0700 (PDT)
Received: from canpemm500005.china.huawei.com (unknown [172.30.72.53])
        by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4N2KQb6XN0zJnS6;
        Wed,  2 Nov 2022 16:13:27 +0800 (CST)
Received: from huawei.com (10.175.104.82) by canpemm500005.china.huawei.com
 (7.192.104.229) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Wed, 2 Nov
 2022 16:16:21 +0800
From: Baisong Zhong <zhongbaisong@huawei.com>
To: <edumazet@google.com>, <keescook@chromium.org>, <kuba@kernel.org>,
        <ast@kernel.org>, <daniel@iogearbox.net>, <davem@davemloft.net>,
        <pabeni@redhat.com>
CC: <linux-kernel@vger.kernel.org>, <bpf@vger.kernel.org>,
        <glider@google.com>, <elver@google.com>, <netdev@vger.kernel.org>,
        <zhongbaisong@huawei.com>
Subject: [PATCH -next,v2] bpf,
 test_run: fix alignment problem in bpf_prog_test_run_skb()
Date: Wed, 2 Nov 2022 16:16:20 +0800
Message-ID: <20221102081620.1465154-1-zhongbaisong@huawei.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
X-Originating-IP: [10.175.104.82]
X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To
 canpemm500005.china.huawei.com (7.192.104.229)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1748265211376281154?=
X-GMAIL-MSGID: =?utf-8?q?1748371664776887894?=

we got a syzkaller problem because of aarch64 alignment fault
if KFENCE enabled.

When the size from user bpf program is an odd number, like
399, 407, etc, it will cause the struct skb_shared_info's
unaligned access. As seen below:

BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032

Use-after-free read at 0xffff6254fffac077 (in kfence-#213):
 __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline]
 arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]
 arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline]
 atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline]
 __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032
 skb_clone+0xf4/0x214 net/core/skbuff.c:1481
 ____bpf_clone_redirect net/core/filter.c:2433 [inline]
 bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420
 bpf_prog_d3839dd9068ceb51+0x80/0x330
 bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline]
 bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53
 bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594
 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
 __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381

kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512

allocated by task 15074 on cpu 0 at 1342.585390s:
 kmalloc include/linux/slab.h:568 [inline]
 kzalloc include/linux/slab.h:675 [inline]
 bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191
 bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512
 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
 __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381
 __arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381

To fix the problem, we adjust @size so that (@size + @hearoom) is a
multiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info
is aligned to a cache line.

Fixes: 1cf1cae963c2 ("bpf: introduce BPF_PROG_TEST_RUN command")
Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com>
---
v2: use SKB_DATA_ALIGN instead kmalloc_size_roundup
---
 net/bpf/test_run.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 4b855af267b1..bfdd7484b93f 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -259,6 +259,7 @@ static void *bpf_test_init(const union bpf_attr *kattr, u32 size,
 	if (user_size > size)
 		return ERR_PTR(-EMSGSIZE);
 
+	size = SKB_DATA_ALIGN(size);
 	data = kzalloc(size + headroom + tailroom, GFP_USER);
 	if (!data)
 		return ERR_PTR(-ENOMEM);