bpf, verifier: Fix memory leak in array reallocation for stack state
authorKees Cook <keescook@chromium.org>
Sat, 29 Oct 2022 02:54:30 +0000 (19:54 -0700)
committerDaniel Borkmann <daniel@iogearbox.net>
Tue, 1 Nov 2022 13:29:16 +0000 (14:29 +0100)
If an error (NULL) is returned by krealloc(), callers of realloc_array()
were setting their allocation pointers to NULL, but on error krealloc()
does not touch the original allocation. This would result in a memory
resource leak. Instead, free the old allocation on the error handling
path.

The memory leak information is as follows as also reported by Zhengchao:

  unreferenced object 0xffff888019801800 (size 256):
  comm "bpf_repo", pid 6490, jiffies 4294959200 (age 17.170s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000b211474b>] __kmalloc_node_track_caller+0x45/0xc0
    [<0000000086712a0b>] krealloc+0x83/0xd0
    [<00000000139aab02>] realloc_array+0x82/0xe2
    [<00000000b1ca41d1>] grow_stack_state+0xfb/0x186
    [<00000000cd6f36d2>] check_mem_access.cold+0x141/0x1341
    [<0000000081780455>] do_check_common+0x5358/0xb350
    [<0000000015f6b091>] bpf_check.cold+0xc3/0x29d
    [<000000002973c690>] bpf_prog_load+0x13db/0x2240
    [<00000000028d1644>] __sys_bpf+0x1605/0x4ce0
    [<00000000053f29bd>] __x64_sys_bpf+0x75/0xb0
    [<0000000056fedaf5>] do_syscall_64+0x35/0x80
    [<000000002bd58261>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: c69431aab67a ("bpf: verifier: Improve function state reallocation")
Reported-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reported-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Bill Wendling <morbo@google.com>
Cc: Lorenz Bauer <oss@lmb.io>
Link: https://lore.kernel.org/bpf/20221029025433.2533810-1-keescook@chromium.org
kernel/bpf/verifier.c

index 7f0a9f6cb8897848e713d3192d27c2f499a4a014..dd9019c8b0db0414f7c20d231f87ccc25d1946c4 100644 (file)
@@ -1027,12 +1027,17 @@ out:
  */
 static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t size)
 {
+       void *new_arr;
+
        if (!new_n || old_n == new_n)
                goto out;
 
-       arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
-       if (!arr)
+       new_arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
+       if (!new_arr) {
+               kfree(arr);
                return NULL;
+       }
+       arr = new_arr;
 
        if (new_n > old_n)
                memset(arr + old_n * size, 0, (new_n - old_n) * size);