bpf: Fix state use-after-free on push_stack() err

Without this, `state->speculative` is used after the cleanup cycles in
push_stack() or push_async_cb() freed `env->cur_state` (i.e., `state`).
Avoid this by relying on the short-circuit logic to only access `state`
if the error is recoverable (and make sure it never is after push_*()
failed).

push_*() callers must always return an error for which
error_recoverable_with_nospec(err) is false if push_*() returns NULL,
otherwise we try to recover and access the stale `state`. This is only
violated by sanitize_ptr_alu(), thus also fix this case to return
-ENOMEM.

state->speculative does not make sense if the error path of push_*()
ran. In that case, `state->speculative &&
error_recoverable_with_nospec(err)` as a whole should already never
evaluate to true (because all cases where push_stack() fails must return
-ENOMEM/-EFAULT). As mentioned, this is only violated by the
push_stack() call in sanitize_speculative_path() which returns -EACCES
without [1] (through REASON_STACK in sanitize_err() after
sanitize_ptr_alu()). To fix this, return -ENOMEM for REASON_STACK (which
is also the behavior we will have after [1]).

Checked that it fixes the syzbot reproducer as expected.

[1] https://lore.kernel.org/all/20250603213232.339242-1-luis.gerhorst@fau.de/

Fixes: d6f1c85f2253 ("bpf: Fall back to nospec for Spectre v1")
Reported-by: syzbot+b5eb72a560b8149a1885@syzkaller.appspotmail.com
Reported-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/all/38862a832b91382cddb083dddd92643bed0723b8.camel@gmail.com/
Signed-off-by: Luis Gerhorst <luis.gerhorst@fau.de>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20250611210728.266563-1-luis.gerhorst@fau.de
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 1d3277bf935e513d711081985a1d77bf3ec1ae7c..14dd836acb132cd42f845df02331f3eb331686bb 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -14293,7 +14293,7 @@ static int sanitize_err(struct bpf_verifier_env *env,
        case REASON_STACK:
                verbose(env, "R%d could not be pushed for speculative verification, %s\n",
                        dst, err);
-               break;
+               return -ENOMEM;
        default:
                verbose(env, "verifier internal error: unknown reason (%d)\n",
                        reason);
@@ -19926,7 +19926,7 @@ static int do_check(struct bpf_verifier_env *env)
                        goto process_bpf_exit;
 
                err = do_check_insn(env, &do_print_state);
-               if (state->speculative && error_recoverable_with_nospec(err)) {
+               if (error_recoverable_with_nospec(err) && state->speculative) {
                        /* Prevent this speculative path from ever reaching the
                         * insn that would have been unsafe to execute.
                         */