CVE-2023-53645

In the Linux kernel, the following vulnerability has been resolved:

bpf: Make bpfrefcountacquire fallible for non-owning refs

This patch fixes an incorrect assumption made in the original bpfrefcount series [0], specifically that the BPF program calling bpfrefcountacquire on some node can always guarantee that the node is alive. In that series, the patch adding failure behavior to rbtreeadd and listpush{front, back} breaks this assumption for non-owning references.

Consider the following program:

n = bpfkptrxchg(&mapval, NULL); /* skip error checking */

bpfspinlock(&l); if(bpfrbtreeadd(&t, &n->rb, less)) { bpfrefcountacquire(n); /* Failed to add, do something else with the node */ } bpfspinunlock(&l);

It's incorrect to assume that bpfrefcountacquire will always succeed in this scenario. bpfrefcountacquire is being called in a critical section here, but the lock being held is associated with rbtree t, which isn't necessarily the lock associated with the tree that the node is already in. So after bpfrbtreeadd fails to add the node and calls bpfobjdrop in it, the program has no ownership of the node's lifetime. Therefore the node's refcount can be decr'd to 0 at any time after the failing rbtreeadd. If this happens before the refcountacquire above, the node might be free'd, and regardless refcount_acquire will be incrementing a 0 refcount.

Later patches in the series exercise this scenario, resulting in the expected complaint from the kernel (without this patch's changes):

refcountt: addition on 0; use-after-free. WARNING: CPU: 1 PID: 207 at lib/refcount.c:25 refcountwarnsaturate+0xbc/0x110 Modules linked in: bpftestmod(O) CPU: 1 PID: 207 Comm: testprogs Tainted: G O 6.3.0-rc7-02231-g723de1a718a2-dirty #371 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcountwarnsaturate+0xbc/0x110 Code: 6f 64 f6 02 01 e8 84 a3 5c ff 0f 0b eb 9d 80 3d 5e 64 f6 02 00 75 94 48 c7 c7 e0 13 d2 82 c6 05 4e 64 f6 02 01 e8 64 a3 5c ff <0f> 0b e9 7a ff ff ff 80 3d 38 64 f6 02 00 0f 85 6d ff ff ff 48 c7 RSP: 0018:ffff88810b9179b0 EFLAGS: 00010082 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: 0000000000000202 RSI: 0000000000000008 RDI: ffffffff857c3680 RBP: ffff88810027d3c0 R08: ffffffff8125f2a4 R09: ffff88810b9176e7 R10: ffffed1021722edc R11: 746e756f63666572 R12: ffff88810027d388 R13: ffff88810027d3c0 R14: ffffc900005fe030 R15: ffffc900005fe048 FS: 00007fee0584a700(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005634a96f6c58 CR3: 0000000108ce9002 CR4: 0000000000770ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> bpfrefcountacquireimpl+0xb5/0xc0

(rest of output snipped)

The patch addresses this by changing bpfrefcountacquireimpl to use refcountincnotzero instead of refcountinc and marking bpfrefcountacquire KFRET_NULL.

For owning references, though, we know the above scenario is not possible and thus that bpfrefcountacquire will always succeed. Some verifier bookkeeping is added to track "is input owning ref?" for bpfrefcountacquire calls and return false from iskfuncretnull for bpfrefcountacquire on owning refs despite it being marked KFRET_NULL.

Existing selftests using bpfrefcountacquire are modified where necessary to NULL-check its return value.