Bug 219181

Summary: KASAN: null-ptr-deref in bpf_core_calc_relo_insn
Product: Linux Reporter: RuiTong Liu (cnitlrt)
Component: KernelAssignee: Virtual assignee for kernel bugs (linux-kernel)
Status: NEW ---    
Severity: normal CC: cnitlrt
Priority: P3    
Hardware: All   
OS: Linux   
Kernel Version: <=linux-6.11-rc4 Subsystem:
Regression: No Bisected commit-id:
Attachments: the poc file

Description RuiTong Liu 2024-08-20 08:28:42 UTC 
Created attachment 306758 [details]
the poc file

I found a bug in the Linux kernel version 6.11.0-rc4 using syzkaller. Here is the crash information

```
[   89.482115] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
[   89.482639] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[   89.482979] CPU: 1 UID: 0 PID: 214 Comm: test Not tainted 6.11.0-rc4 #1
[   89.483276] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   89.483632] RIP: 0010:bpf_core_calc_relo_insn+0x11e/0x1e90
[   89.483885] Code: 48 8b 85 28 fd ff ff 4c 89 ef 44 8b 70 04 44 89 f6 e8 96 a5 f8 ff 48 89 c2 49 89 c4 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14c
[   89.484686] RSP: 0018:ffff888108f373d0 EFLAGS: 00010246
[   89.484924] RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: ffffffff816c8b8b
[   89.485247] RDX: 0000000000000000 RSI: ffffffff816c8bea RDI: 0000000000000004
[   89.485563] RBP: ffff888108f376c0 R08: ffff888108f37778 R09: ffff88810991c000
[   89.485880] R10: 0000000000000004 R11: ffff888103ab1c90 R12: 0000000000000000
[   89.486197] R13: ffff888103ddfe00 R14: 0000000000000004 R15: ffff88810991c000
[   89.486514] FS:  00007f94a2d15640(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
[   89.486874] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   89.487128] CR2: 0000000020000480 CR3: 0000000106058000 CR4: 00000000003006f0
[   89.487439] Call Trace:
[   89.487553]  <TASK>
[   89.487654]  ? show_regs+0x93/0xa0
[   89.487815]  ? die_addr+0x50/0xd0
[   89.487972]  ? exc_general_protection+0x19f/0x320
[   89.488185]  ? asm_exc_general_protection+0x26/0x30
[   89.488405]  ? btf_type_by_id+0xeb/0x1a0
[   89.488584]  ? btf_type_by_id+0x14a/0x1a0
[   89.488766]  ? bpf_core_calc_relo_insn+0x11e/0x1e90
[   89.488989]  ? __printk_safe_exit+0x9/0x20
[   89.489175]  ? stack_depot_save_flags+0x616/0x7c0
[   89.489392]  ? bpf_prog_load+0x151c/0x2450
[   89.489594]  ? kasan_save_stack+0x34/0x50
[   89.489792]  ? kasan_save_stack+0x24/0x50
[   89.489987]  ? __pfx_bpf_core_calc_relo_insn+0x10/0x10
[   89.490231]  ? bpf_check+0x6744/0xba00
[   89.490415]  ? bpf_prog_load+0x151c/0x2450
[   89.490612]  ? __sys_bpf+0x12be/0x5290
[   89.490795]  ? __x64_sys_bpf+0x78/0xc0
[   89.490979]  ? do_syscall_64+0xa6/0x1a0
[   89.491167]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.491417]  ? __pfx_vsnprintf+0x10/0x10
[   89.491611]  ? sort_r+0x45/0x5f0
[   89.491774]  ? _copy_to_user+0x77/0x90
[   89.491954]  ? bpf_verifier_vlog+0x25b/0x690
[   89.492150]  ? __pfx_sort+0x10/0x10
[   89.492314]  ? verbose+0xde/0x170
[   89.492470]  ? kasan_unpoison+0x27/0x60
[   89.492648]  ? __kasan_slab_alloc+0x30/0x70
[   89.492837]  ? __kmalloc_cache_noprof+0xf0/0x270
[   89.493050]  bpf_core_apply+0x48b/0xaf0
[   89.493228]  ? btf_name_by_offset+0x13a/0x180
[   89.493431]  ? __pfx_bpf_core_apply+0x10/0x10
[   89.493631]  ? __pfx_check_btf_line+0x10/0x10
[   89.493830]  ? bpf_check_uarg_tail_zero+0x142/0x1c0
[   89.494051]  ? __pfx_bpf_check_uarg_tail_zero+0x10/0x10
[   89.494286]  bpf_check+0x6744/0xba00
[   89.494458]  ? kasan_save_stack+0x34/0x50
[   89.494653]  ? kasan_save_stack+0x24/0x50
[   89.494848]  ? kasan_save_track+0x14/0x30
[   89.495039]  ? __kasan_kmalloc+0x7f/0x90
[   89.495232]  ? __pfx_bpf_check+0x10/0x10
[   89.495426]  ? pcpu_chunk_relocate+0x145/0x1c0
[   89.495640]  ? mutex_unlock+0x7e/0xd0
[   89.495820]  ? kasan_unpoison+0x27/0x60
[   89.496008]  ? __kasan_slab_alloc+0x30/0x70
[   89.496208]  ? __kmalloc_cache_noprof+0xf0/0x270
[   89.496430]  ? kasan_save_track+0x14/0x30
[   89.496622]  ? __kasan_kmalloc+0x7f/0x90
[   89.496810]  ? selinux_bpf_prog_load+0x15b/0x1c0
[   89.497024]  bpf_prog_load+0x151c/0x2450
[   89.497206]  ? __pfx_bpf_prog_load+0x10/0x10
[   89.497405]  ? avc_has_perm+0x175/0x2f0
[   89.497585]  ? __pte_offset_map+0x12f/0x1f0
[   89.497774]  ? bpf_check_uarg_tail_zero+0x142/0x1c0
[   89.497994]  ? selinux_bpf+0xdd/0x120
[   89.498163]  ? security_bpf+0x8d/0xb0
[   89.498333]  __sys_bpf+0x12be/0x5290
[   89.498500]  ? folio_add_lru+0x58/0x80
[   89.498675]  ? __pfx___sys_bpf+0x10/0x10
[   89.498855]  ? __pfx_down_read_trylock+0x10/0x10
[   89.499069]  ? __pfx___handle_mm_fault+0x10/0x10
[   89.499283]  ? do_user_addr_fault+0x595/0x1220
[   89.499524]  __x64_sys_bpf+0x78/0xc0
[   89.499738]  ? exc_page_fault+0xae/0x180
[   89.499928]  do_syscall_64+0xa6/0x1a0
[   89.500109]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.500361] RIP: 0033:0x44ceed
[   89.500512] Code: c3 e8 d7 1e 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 018
[   89.501348] RSP: 002b:00007f94a2d15178 EFLAGS: 00000287 ORIG_RAX: 0000000000000141
[   89.501695] RAX: ffffffffffffffda RBX: 00007f94a2d15640 RCX: 000000000044ceed
[   89.502013] RDX: 0000000000000090 RSI: 0000000020000480 RDI: 0000000000000005
[   89.502323] RBP: 00007f94a2d151a0 R08: 0000000000000000 R09: 0000000000000000
[   89.502635] R10: 0000000000000000 R11: 0000000000000287 R12: 00007f94a2d15640
[   89.502949] R13: 0000000000000000 R14: 00000000004160d0 R15: 00007f94a2cf5000
[   89.503269]  </TASK>
[   89.503376] Modules linked in:
[   89.503586] ---[ end trace 0000000000000000 ]---
[   89.503793] RIP: 0010:bpf_core_calc_relo_insn+0x11e/0x1e90
[   89.504045] Code: 48 8b 85 28 fd ff ff 4c 89 ef 44 8b 70 04 44 89 f6 e8 96 a5 f8 ff 48 89 c2 49 89 c4 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14c
[   89.504860] RSP: 0018:ffff888108f373d0 EFLAGS: 00010246
[   89.505112] RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: ffffffff816c8b8b
[   89.505441] RDX: 0000000000000000 RSI: ffffffff816c8bea RDI: 0000000000000004
[   89.505768] RBP: ffff888108f376c0 R08: ffff888108f37778 R09: ffff88810991c000
[   89.506099] R10: 0000000000000004 R11: ffff888103ab1c90 R12: 0000000000000000
[   89.506427] R13: ffff888103ddfe00 R14: 0000000000000004 R15: ffff88810991c000
[   89.506754] FS:  00007f94a2d15640(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
[   89.507129] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   89.507398] CR2: 0000000020000480 CR3: 0000000106058000 CR4: 00000000003006f0
```
I use gdb debug it,and found that the lack of a NULL check before using local_type has led to a null pointer dereference vulnerability.
Comment 1 RuiTong Liu 2024-08-20 08:39:07 UTC 
I use gdb debug it,and found that the lack of a NULL check before using local_type has led to a null pointer dereference vulnerability.
```
───────────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────────────────────
 RAX  0xdffffc0000000000
 RBX  0xdffffc0000000000
 RCX  0xffffffff816c8b8b (btf_type_by_id+235) ◂— 0x404be85576e53944
 RDX  0x0
 RDI  0x4
 RSI  0xffffffff816c8bea (btf_type_by_id+330) ◂— 0xe0894c5d5be43145
 R8   0xffff88811669f778 ◂— 0x0
 R9   0xffff888115f48000 ◂— 0x0
 R10  0x4
 R11  0xffff888104562080 ◂— 0x0
 R12  0x0
 R13  0xffff8881135b7000 —▸ 0xffff8881166280c2 ◂— 0x0
 R14  0x4
 R15  0xffff888115f48000 ◂— 0x0
 RBP  0xffff88811669f6c0 —▸ 0xffff88811669f798 —▸ 0xffffffff8160fcb0 (check_btf_line) ◂— 0x56415741e5894855
 RSP  0xffff88811669f3d0 ◂— 0x1ffff11022cd3e92
*RIP  0xffffffff8173e51e (bpf_core_calc_relo_insn+286) ◂— 0x83e0894c0214b60f
────────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────────────────────
   0xffffffff8173e505 <bpf_core_calc_relo_insn+261>    call   btf_type_by_id            <btf_type_by_id>
 
   0xffffffff8173e50a <bpf_core_calc_relo_insn+266>    mov    rdx, rax
   0xffffffff8173e50d <bpf_core_calc_relo_insn+269>    mov    r12, rax
   0xffffffff8173e510 <bpf_core_calc_relo_insn+272>    movabs rax, 0xdffffc0000000000
   0xffffffff8173e51a <bpf_core_calc_relo_insn+282>    shr    rdx, 3                        <fixed_percpu_data+3>
 ► 0xffffffff8173e51e <bpf_core_calc_relo_insn+286>    movzx  edx, byte ptr [rdx + rax]
   0xffffffff8173e522 <bpf_core_calc_relo_insn+290>    mov    rax, r12
   0xffffffff8173e525 <bpf_core_calc_relo_insn+293>    and    eax, 7                        <fixed_percpu_data+7>
   0xffffffff8173e528 <bpf_core_calc_relo_insn+296>    add    eax, 3                        <fixed_percpu_data+3>
   0xffffffff8173e52b <bpf_core_calc_relo_insn+299>    cmp    al, dl
   0xffffffff8173e52d <bpf_core_calc_relo_insn+301>    jl     bpf_core_calc_relo_insn+311            <bpf_core_calc_relo_insn+311>
─────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/ubuntu/linux-6.11-rc4/tools/lib/bpf/relo_core.c:1300
   1295         char spec_buf[256];
   1296         int i, j, err;
   1297 
   1298         local_id = relo->type_id;
   1299         local_type = btf_type_by_id(local_btf, local_id);
 ► 1300         local_name = btf__name_by_offset(local_btf, local_type->name_off);
   1301         if (!local_name)
   1302                 return -EINVAL;
   1303 
   1304         err = bpf_core_parse_spec(prog_name, local_btf, relo, local_spec);
   1305         if (err) {
─────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────────────────
```