CVE-2022-49228

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49228
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49228.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49228
Published
2025-02-26T07:00:59Z
Modified
2025-02-26T07:00:59Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a btf decl_tag bug when tagging a function

syzbot reported a btf decl_tag bug with stack trace below:

  general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
  CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline]
  RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910
  ...
  Call Trace:
   <TASK>
   btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198
   btf_check_all_types kernel/bpf/btf.c:4239 [inline]
   btf_parse_type_sec kernel/bpf/btf.c:4280 [inline]
   btf_parse kernel/bpf/btf.c:4513 [inline]
   btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047
   bpf_btf_load kernel/bpf/syscall.c:4039 [inline]
   __sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679
   __do_sys_bpf kernel/bpf/syscall.c:4738 [inline]
   __se_sys_bpf kernel/bpf/syscall.c:4736 [inline]
   __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x44/0xae

The kasan error is triggered with an illegal BTF like below:
   type 0: void
   type 1: int
   type 2: decl_tag to func type 3
   type 3: func to func_proto type 8
The total number of types is 4 and the type 3 is illegal since its func_proto type is out of range.

Currently, the target type of decl_tag can be struct/union, var or func. Both struct/union and var implemented their own 'resolve' callback functions and hence are handled properly in the kernel. But func type doesn't have a 'resolve' callback function. When btf_decl_tag_resolve() tries to check func type, it tries to get vlen of its func_proto type, which triggered the above kasan error.

To fix the issue, btf_decl_tag_resolve() needs to do btf_func_check() before trying to access the func_proto type. In the current implementation, func type is checked with btf_func_check() in the main checking function btf_check_all_types(). To fix the above kasan issue, let us implement the 'resolve' callback for func type properly. The 'resolve' callback will also be called in btf_check_all_types() for func types.
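
The following is an added example, not code from the kernel or from the fix itself. It models the BTF type table and the decl_tag resolve path in user-space C to show the security-relevant point above: a decl_tag whose target is a FUNC must have that FUNC validated (its func_proto id in range and of kind FUNC_PROTO) before the proto's vlen is read, because btf_type_by_id() returns NULL for an out-of-range id and reading vlen through it is the NULL dereference in the report. The kind values follow include/uapi/linux/btf.h; the in-memory layout and the linear type walk are simplifications (the kernel stores a trailing struct btf_decl_tag and uses a resolve stack), and the two type tables are constructed inputs: the illegal one from the report, and a legal variant with the func_proto present.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* BTF kinds as in include/uapi/linux/btf.h (subset). */
#define BTF_KIND_INT        1
#define BTF_KIND_STRUCT     4
#define BTF_KIND_UNION      5
#define BTF_KIND_FUNC       12
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR        14
#define BTF_KIND_DECL_TAG   17

/* Simplified type entry (assumption: flat fields instead of the wire layout). */
struct btf_type {
    uint32_t kind;
    uint32_t vlen;          /* struct/union members or func_proto params */
    uint32_t type;          /* FUNC: func_proto id; DECL_TAG: target id */
    int32_t  component_idx; /* DECL_TAG only: -1, or a member/param index */
};

struct btf {
    const struct btf_type *types;
    uint32_t nr_types;      /* includes type 0 (void) */
};

/* Returns NULL for an out-of-range id, like the kernel's btf_type_by_id(). */
static const struct btf_type *btf_type_by_id(const struct btf *btf, uint32_t id)
{
    return id < btf->nr_types ? &btf->types[id] : NULL;
}

/* Model of btf_func_check(): a FUNC must reference an in-range FUNC_PROTO. */
static int btf_func_check(const struct btf *btf, const struct btf_type *func)
{
    const struct btf_type *proto = btf_type_by_id(btf, func->type);

    if (!proto || proto->kind != BTF_KIND_FUNC_PROTO)
        return -EINVAL;
    return 0;
}

/* Model of btf_decl_tag_resolve() with the func check in place. */
static int btf_decl_tag_resolve(const struct btf *btf, const struct btf_type *t)
{
    const struct btf_type *target = btf_type_by_id(btf, t->type);
    uint32_t vlen;

    if (!target)
        return -EINVAL;

    switch (target->kind) {
    case BTF_KIND_STRUCT:
    case BTF_KIND_UNION:
        vlen = target->vlen;
        break;
    case BTF_KIND_VAR:
        return t->component_idx == -1 ? 0 : -EINVAL; /* no members to select */
    case BTF_KIND_FUNC:
        /* The fix: validate the func (and its func_proto id) before the
         * proto is dereferenced for its vlen. Without this line, the
         * lookup below returns NULL for an out-of-range id. */
        if (btf_func_check(btf, target))
            return -EINVAL;
        vlen = btf_type_by_id(btf, target->type)->vlen;
        break;
    default:
        return -EINVAL; /* not a legal decl_tag target */
    }

    if (t->component_idx != -1 &&
        (t->component_idx < 0 || (uint32_t)t->component_idx >= vlen))
        return -EINVAL;
    return 0;
}

/* Linear walk standing in for btf_check_all_types(); 0 on success, else -errno. */
int btf_check_all_types(const struct btf *btf)
{
    for (uint32_t id = 1; id < btf->nr_types; id++) {
        const struct btf_type *t = &btf->types[id];
        int err = 0;

        if (t->kind == BTF_KIND_FUNC)
            err = btf_func_check(btf, t);
        else if (t->kind == BTF_KIND_DECL_TAG)
            err = btf_decl_tag_resolve(btf, t);
        if (err)
            return err;
    }
    return 0;
}

/* Constructed input: the illegal table from the report (4 types, proto id 8). */
static const struct btf_type bad_types[] = {
    { 0, 0, 0, -1 },                 /* type 0: void */
    { BTF_KIND_INT, 0, 0, -1 },      /* type 1: int */
    { BTF_KIND_DECL_TAG, 0, 3, -1 }, /* type 2: decl_tag -> func type 3 */
    { BTF_KIND_FUNC, 0, 8, -1 },     /* type 3: func -> func_proto type 8 (out of range) */
};
const struct btf bad_btf = { bad_types, 4 };

/* Constructed input: same shape with the proto present and a tag on param 0. */
static const struct btf_type good_types[] = {
    { 0, 0, 0, -1 },
    { BTF_KIND_INT, 0, 0, -1 },
    { BTF_KIND_DECL_TAG, 0, 3, 0 },    /* tag on parameter 0 of func type 3 */
    { BTF_KIND_FUNC, 0, 4, -1 },       /* func -> func_proto type 4 */
    { BTF_KIND_FUNC_PROTO, 1, 1, -1 }, /* one param, returns int */
};
const struct btf good_btf = { good_types, 5 };

int main(void)
{
    printf("illegal BTF: %d\n", btf_check_all_types(&bad_btf));  /* -EINVAL */
    printf("legal BTF:   %d\n", btf_check_all_types(&good_btf)); /* 0 */
    return 0;
}
```

The point the model makes is the ordering: every id read out of an untrusted BTF entry (here func->type) is a user-controlled index into the type table, so it has to go through a range-checked lookup whose NULL result is handled before anything derived from it (the proto's vlen) is used. The pre-fix path only handled the first lookup (the decl_tag target) and trusted the second.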

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}