CVE-2022-49228

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix a btf decl_tag bug when tagging a function<br /> <br /> syzbot reported a btf decl_tag bug with stack trace below:<br /> <br /> general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN<br /> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br /> CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011<br /> RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline]<br /> RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910<br /> ...<br /> Call Trace:<br /> <br /> btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198<br /> btf_check_all_types kernel/bpf/btf.c:4239 [inline]<br /> btf_parse_type_sec kernel/bpf/btf.c:4280 [inline]<br /> btf_parse kernel/bpf/btf.c:4513 [inline]<br /> btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047<br /> bpf_btf_load kernel/bpf/syscall.c:4039 [inline]<br /> __sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679<br /> __do_sys_bpf kernel/bpf/syscall.c:4738 [inline]<br /> __se_sys_bpf kernel/bpf/syscall.c:4736 [inline]<br /> __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> The kasan error is triggered with an illegal BTF like below:<br /> type 0: void<br /> type 1: int<br /> type 2: decl_tag to func type 3<br /> type 3: func to func_proto type 8<br /> The total number of types is 4 and the type 3 is illegal<br /> since its func_proto type is out of range.<br /> <br /> Currently, the target type of decl_tag can be struct/union, var or func.<br /> Both struct/union and var implemented their own &amp;#39;resolve&amp;#39; callback functions<br /> and hence handled properly in kernel.<br /> But func type doesn&amp;#39;t have &amp;#39;resolve&amp;#39; callback function. When<br /> btf_decl_tag_resolve() tries to check func type, it tries to get<br /> vlen of its func_proto type, which triggered the above kasan error.<br /> <br /> To fix the issue, btf_decl_tag_resolve() needs to do btf_func_check()<br /> before trying to accessing func_proto type.<br /> In the current implementation, func type is checked with<br /> btf_func_check() in the main checking function btf_check_all_types().<br /> To fix the above kasan issue, let us implement &amp;#39;resolve&amp;#39; callback<br /> func type properly. The &amp;#39;resolve&amp;#39; callback will be also called<br /> in btf_check_all_types() for func types.