CVE-2022-50650

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix reference state management for synchronous callbacks

Currently, verifier verifies callback functions (sync and async) as if they will be executed once, (i.e. it explores execution state as if the function was being called once). The next insn to explore is set to start of subprog and the exit from nested frame is handled using curframe > 0 and preparefuncexit. In case of async callback it uses a customized variant of push_stack simulating a kind of branch to set up custom state and execution context for the async callback.

While this approach is simple and works when callback really will be executed only once, it is unsafe for all of our current helpers which are for_each style, i.e. they execute the callback multiple times.

A callback releasing acquired references of the caller may do so multiple times, but currently verifier sees it as one call inside the frame, which then returns to caller. Hence, it thinks it released some reference that the cb e.g. got access through callback_ctx (register filled inside cb from spilled typed register on stack).

Similarly, it may see that an acquire call is unpaired inside the callback, so the caller will copy the reference state of callback and then will have to release the register with new refobjids. But again, the callback may execute multiple times, but the verifier will only account for acquired references for a single symbolic execution of the callback, which will cause leaks.

Note that for async callback case, things are different. While currently we have bpftimersetcallback which only executes it once, even for multiple executions it would be safe, as reference state is NULL and checkreferenceleak would force program to release state before BPFEXIT. The state is also unaffected by analysis for the caller frame. Hence async callback is safe.

Since we want the reference state to be accessible, e.g. for pointers loaded from stack through callbackctx's PTRTOSTACK, we still have to copy caller's referencestate to callback's bpffuncstate, but we enforce that whatever references it adds to that referencestate has been released before it hits BPFEXIT. This requires introducing a new callbackref member in the reference state to distinguish between caller vs callee references. Hence, checkreferenceleak now errors out if it sees we are in callbackfn and we have not released callback_ref refs. Since there can be multiple nested callbacks, like frame 0 -> cb1 -> cb2 etc. we need to also distinguish between whether this particular ref belongs to this callback frame or parent, and only error for our own, so we store state->frameno (which is always non-zero for callbacks).

In short, callbacks can read parent referencestate, but cannot mutate it, to be able to use pointers acquired by the caller. They must only undo their changes (by releasing their own acquiredrefs before BPFEXIT) on top of caller referencestate before returning (at which point the caller and callback state will match anyway, so no need to copy it back to caller).