CVE-2022-49840

Source
https://cve.org/CVERecord?id=CVE-2022-49840
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49840.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49840
Published
2025-05-01T14:09:56.233Z
Modified
2026-04-02T08:27:58.379155Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()

We got a syzkaller problem because of an aarch64 alignment fault if KFENCE is enabled. When the size from the user bpf program is an odd number, like 399, 407, etc., it will cause an unaligned access to struct skb_shared_info. As seen below:

BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032

Use-after-free read at 0xffff6254fffac077 (in kfence-#213):
 __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline]
 arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]
 arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline]
 atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline]
 __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032
 skb_clone+0xf4/0x214 net/core/skbuff.c:1481
 ____bpf_clone_redirect net/core/filter.c:2433 [inline]
 bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420
 bpf_prog_d3839dd9068ceb51+0x80/0x330
 bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline]
 bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53
 bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594
 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
 __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381

kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512

allocated by task 15074 on cpu 0 at 1342.585390s:
 kmalloc include/linux/slab.h:568 [inline]
 kzalloc include/linux/slab.h:675 [inline]
 bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191
 bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512
 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
 __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381
 __arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381

To fix the problem, we adjust @size so that (@size + @headroom) is a multiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info is aligned to a cache line.
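The size adjustment described above, shown as an added example that is not the kernel's own code: it uses a simplified buffer model ([headroom][packet data][skb_shared_info], with skb_shared_info starting right after the packet data on an exact-sized allocation such as KFENCE hands out) and assumed arm64 values for SMP_CACHE_BYTES, NET_SKB_PAD and NET_IP_ALIGN, none of which come from the record.

```c
#include <stdio.h>

/* Assumed arm64 values for this illustration; not taken from the record. */
#define SMP_CACHE_BYTES 64u
#define NET_SKB_PAD     64u
#define NET_IP_ALIGN    2u
#define SKB_HEADROOM    (NET_SKB_PAD + NET_IP_ALIGN)

/* Round x up to the next multiple of a (a must be a power of two). */
static unsigned int align_up(unsigned int x, unsigned int a)
{
    return (x + a - 1u) & ~(a - 1u);
}

/* Simplified buffer model: [headroom][packet data of @size][skb_shared_info].
 * On an exact-sized allocation (what KFENCE hands out) skb_shared_info sits
 * right after the packet data, so its offset is headroom + size. */
static unsigned int shinfo_offset(unsigned int size, unsigned int headroom)
{
    return headroom + size;
}

/* Returns 1 when skb_shared_info lands on a cache-line boundary. */
static int shinfo_aligned(unsigned int size, unsigned int headroom)
{
    return shinfo_offset(size, headroom) % SMP_CACHE_BYTES == 0u;
}

/* The adjustment the record describes: grow @size so that
 * (@size + @headroom) is a multiple of SMP_CACHE_BYTES. */
static unsigned int adjusted_size(unsigned int size, unsigned int headroom)
{
    return align_up(size + headroom, SMP_CACHE_BYTES) - headroom;
}

int main(void)
{
    const unsigned int sizes[] = { 399u, 407u, 446u }; /* 399/407: the odd sizes syzkaller hit */
    for (unsigned int i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        unsigned int raw = sizes[i], adj = adjusted_size(raw, SKB_HEADROOM);
        printf("size=%u: shinfo@%u aligned=%d | adjusted size=%u: shinfo@%u aligned=%d\n",
               raw, shinfo_offset(raw, SKB_HEADROOM), shinfo_aligned(raw, SKB_HEADROOM),
               adj, shinfo_offset(adj, SKB_HEADROOM), shinfo_aligned(adj, SKB_HEADROOM));
    }
    return 0;
}
```

With a 66-byte headroom, both 399 and 407 place skb_shared_info at an odd offset, while the adjusted size (446) places it at offset 512; a size that already satisfies the invariant is left unchanged.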

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49840.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1cf1cae963c2e6032aebe1637e995bc2f5d330f4
Fixed
047824a730699c6c66df43306b80f700c9dfc2fd
Fixed
730fb1ef974a13915bc7651364d8b3318891cd70
Fixed
7a704dbfd3735304e261f2787c52fbc7c3884736
Fixed
e60f37a1d379c821c17b08f366412dce9ef3d99f
Fixed
eaa8edd86514afac9deb9bf9a5053e74f37edf40
Fixed
1b597f2d6a55e9f549989913860ad5170da04964
Fixed
d3fd203f36d46aa29600a72d57a1b61af80e4a25

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49840.json"