CVE-2022-49228 Information
Description
In the Linux kernel the following vulnerability has been resolved:
bpf: Fix a btf decl_tag bug when tagging a function
syzbot reported a btf decl_tag bug with stack trace below:
general protection fault probably for non-canonical address 0xdffffc0000000000: 0000 [1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 0
Hardware name: Google Google Compute Engine/Google Compute Engine BIOS Google 01/01/2011
RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline]
RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910
…
Call Trace:
The kasan error is triggered with an illegal BTF like below:
  type 0: void
  type 1: int
  type 2: decl_tag to func type 3
  type 3: func to func_proto type 8
The total number of types is 4 and the type 3 is illegal since its func_proto type is out of range.
Currently the target type of decl_tag can be struct/union, var or func. Both struct/union and var implemented their own ‘resolve’ callback functions and hence are handled properly in the kernel. But func type doesn’t have a ‘resolve’ callback function. When btf_decl_tag_resolve() tries to check the func type, it tries to get the vlen of its func_proto type, which triggered the above kasan error.
To fix the issue, btf_decl_tag_resolve() needs to do btf_func_check() before trying to access the func_proto type. In the current implementation the func type is checked with btf_func_check() in the main checking function btf_check_all_types(). To fix the above kasan issue, let us implement the ‘resolve’ callback for func type properly. The ‘resolve’ callback will also be called in btf_check_all_types() for func types.
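An added example, not code from the kernel or from the commit above: a small C model of the check the fix describes. It borrows the struct btf_type layout and the BTF_INFO_KIND/BTF_INFO_VLEN accessors from include/uapi/linux/btf.h; the table type, the function names (type_by_id, func_check, decl_tag_resolve_func, check_all_types), the status codes and the two constructed type tables are this example's own. The first table reproduces the illegal BTF from the report (a FUNC whose func_proto reference lies outside a four-entry table); the second is a well-formed counterpart.

```c
/* Added example: a model of validating a FUNC's func_proto reference before
 * reading through it. Layout and BTF_INFO_* accessors follow
 * include/uapi/linux/btf.h; everything else is constructed for this example. */
#include <stdint.h>
#include <stddef.h>

#define BTF_INFO_KIND(info) (((info) >> 24) & 0x1f)
#define BTF_INFO_VLEN(info) ((info) & 0xffff)
#define BTF_INFO(kind, vlen) (((uint32_t)(kind) << 24) | ((uint32_t)(vlen) & 0xffff))

enum { BTF_KIND_UNKN = 0, BTF_KIND_INT = 1, BTF_KIND_FUNC = 12,
       BTF_KIND_FUNC_PROTO = 13, BTF_KIND_DECL_TAG = 17 };

struct btf_type {
    uint32_t name_off;
    uint32_t info;                  /* bits 0-15: vlen, bits 24-28: kind */
    union { uint32_t size; uint32_t type; };
};

/* Example-specific status codes. */
enum { RESOLVE_OK = 0, ERR_BAD_TYPE_ID = -1, ERR_BAD_KIND = -2 };

/* A type table: index i holds type id i; id 0 is the void type. */
struct type_table { const struct btf_type *types; uint32_t nr_types; };

/* Every type reference goes through this bounds check; NULL = out of range. */
static const struct btf_type *type_by_id(const struct type_table *tt, uint32_t id)
{
    return id < tt->nr_types ? &tt->types[id] : NULL;
}

/* The check the fix runs on a FUNC before anything reads through it:
 * the referenced type must exist and must be a FUNC_PROTO. */
static int func_check(const struct type_table *tt, const struct btf_type *func)
{
    const struct btf_type *proto = type_by_id(tt, func->type);

    if (!proto)
        return ERR_BAD_TYPE_ID;     /* e.g. func -> type 8 in a 4-entry table */
    if (BTF_INFO_KIND(proto->info) != BTF_KIND_FUNC_PROTO)
        return ERR_BAD_KIND;
    return RESOLVE_OK;
}

/* Resolve a DECL_TAG aimed at a FUNC. Returns the function's parameter count
 * (the FUNC_PROTO's vlen) or a negative status. The func_check() call is what
 * the unpatched path lacked: without it the vlen read would follow an
 * unchecked reference. Struct/union/var targets are out of scope here. */
static int decl_tag_resolve_func(const struct type_table *tt, uint32_t tag_id)
{
    const struct btf_type *tag = type_by_id(tt, tag_id);
    const struct btf_type *func, *proto;
    int err;

    if (!tag || BTF_INFO_KIND(tag->info) != BTF_KIND_DECL_TAG)
        return ERR_BAD_KIND;
    func = type_by_id(tt, tag->type);
    if (!func)
        return ERR_BAD_TYPE_ID;
    if (BTF_INFO_KIND(func->info) != BTF_KIND_FUNC)
        return ERR_BAD_KIND;
    err = func_check(tt, func);
    if (err)
        return err;
    proto = type_by_id(tt, func->type);   /* safe: func_check() validated it */
    return (int)BTF_INFO_VLEN(proto->info);
}

/* Walk the whole table once, as the page says btf_check_all_types() does,
 * so a bad FUNC is rejected even when no DECL_TAG points at it. */
static int check_all_types(const struct type_table *tt)
{
    for (uint32_t id = 1; id < tt->nr_types; id++) {
        const struct btf_type *t = &tt->types[id];
        int err = RESOLVE_OK;

        switch (BTF_INFO_KIND(t->info)) {
        case BTF_KIND_FUNC:     err = func_check(tt, t); break;
        case BTF_KIND_DECL_TAG: err = decl_tag_resolve_func(tt, id); break;
        default: break;
        }
        if (err < 0)
            return err;
    }
    return RESOLVE_OK;
}

/* Constructed input: the illegal BTF from the report (4 types, FUNC 3 -> 8). */
static const struct btf_type illegal_btf[] = {
    { 0, BTF_INFO(BTF_KIND_UNKN, 0),     { .size = 0 } },  /* 0: void      */
    { 0, BTF_INFO(BTF_KIND_INT, 0),      { .size = 4 } },  /* 1: int       */
    { 0, BTF_INFO(BTF_KIND_DECL_TAG, 0), { .type = 3 } },  /* 2: tag -> 3  */
    { 0, BTF_INFO(BTF_KIND_FUNC, 0),     { .type = 8 } },  /* 3: func -> 8 */
};
const struct type_table illegal_table = { illegal_btf, 4 };

/* Constructed well-formed counterpart: FUNC 3 -> FUNC_PROTO 4 with 2 params. */
static const struct btf_type valid_btf[] = {
    { 0, BTF_INFO(BTF_KIND_UNKN, 0),       { .size = 0 } },  /* 0: void           */
    { 0, BTF_INFO(BTF_KIND_INT, 0),        { .size = 4 } },  /* 1: int            */
    { 0, BTF_INFO(BTF_KIND_DECL_TAG, 0),   { .type = 3 } },  /* 2: tag -> 3       */
    { 0, BTF_INFO(BTF_KIND_FUNC, 0),       { .type = 4 } },  /* 3: func -> 4      */
    { 0, BTF_INFO(BTF_KIND_FUNC_PROTO, 2), { .type = 1 } },  /* 4: proto, ret int */
};
const struct type_table valid_table = { valid_btf, 5 };
```

On the illegal table, both the tag resolution and the full walk stop at ERR_BAD_TYPE_ID instead of reading the vlen of a type that does not exist; on the valid table the tag resolves to the function's parameter count. The design point is that the bounds check lives in a single validation step for FUNC that both the whole-table pass and the decl_tag resolver call, so no reader of func_proto can run ahead of it.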
Reference
https://git.kernel.org/stable/c/796d5666f6422ddadc938fb888044fcc16f2dbe3
https://git.kernel.org/stable/c/a3bcd2110c087bc62e90fddd4a93237b049d6e68
https://git.kernel.org/stable/c/d7e7b42f4f956f2c68ad8cda87d750093dbba737