CVE-2022-49341

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49341
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49341.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49341
Related
Published
2025-02-26T07:01:10Z
Modified
2025-02-26T19:03:01.014116Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Clear prog->jited_len along prog->jited

syzbot reported an illegal copy_to_user() attempt from bpf_prog_get_info_by_fd() [1]

There was no repro yet on this bug, but I think that commit 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns") is exposing a prior bug in bpf arm64.

bpf_prog_get_info_by_fd() looks at prog->jited_len to determine if the JIT image can be copied out to user space.

My theory is that syzbot managed to get a prog where prog->jited_len has been set to 43, while prog->bpf_func has been cleared.

It is not clear why copy_to_user(uinsns, NULL, ulen) is triggering this particular warning.

I thought find_vmap_area(NULL) would not find a vm_struct. As we do not hold vmap_area_lock spinlock, it might be possible that the found vm_struct was garbage.

[1]
usercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)!
kernel BUG at mm/usercopy.c:101!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0
Hardware name: linux,dummy-virt (DT)
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usercopy_abort+0x90/0x94 mm/usercopy.c:101
lr : usercopy_abort+0x90/0x94 mm/usercopy.c:89
sp : ffff80000b773a20
x29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48
x26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000
x23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001
x20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd
x17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420
x14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031
x11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865
x8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830
x5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000
x2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064
Call trace:
 usercopy_abort+0x90/0x94 mm/usercopy.c:89
 check_heap_object mm/usercopy.c:186 [inline]
 __check_object_size mm/usercopy.c:252 [inline]
 __check_object_size+0x198/0x36c mm/usercopy.c:214
 check_object_size include/linux/thread_info.h:199 [inline]
 check_copy_size include/linux/thread_info.h:235 [inline]
 copy_to_user include/linux/uaccess.h:159 [inline]
 bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993
 bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253
 __sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956
 __do_sys_bpf kernel/bpf/syscall.c:5021 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5019 [inline]
 __arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52
 el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142
 do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206
 el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624
 el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581
Code: aa0003e3 d00038c0 91248000 97fff65f (d4210000)

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.127-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.18.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.18.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}