[syzbot] [bpf?] UBSAN: array-index-out-of-bounds in check_stack_range_initialized


syzbot

Mar 19, 2024, 2:12:22 PM
to and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, net...@vger.kernel.org, s...@google.com, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
Hello,

syzbot found the following issue on:

HEAD commit: 0740b6427e90 Merge branch 'bpf-arena-followups'
git tree: bpf
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12fed769180000
kernel config: https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=33f4297b5f927648741a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1763a479180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15c38711180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c9e6e9f97566/disk-0740b642.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/78476a588b62/vmlinux-0740b642.xz
kernel image: https://storage.googleapis.com/syzbot-assets/50cd6fab9ead/bzImage-0740b642.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+33f429...@syzkaller.appspotmail.com

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in kernel/bpf/verifier.c:7190:12
index -1 is out of range for type 'u8[8]' (aka 'unsigned char[8]')
CPU: 0 PID: 5071 Comm: syz-executor474 Not tainted 6.8.0-syzkaller-05226-g0740b6427e90 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:415
check_stack_range_initialized+0x1668/0x19a0 kernel/bpf/verifier.c:7190
check_helper_mem_access+0x2eb/0xfa0 kernel/bpf/verifier.c:7294
check_helper_call+0x263c/0x7220 kernel/bpf/verifier.c:10252
do_check+0x9e29/0x10530 kernel/bpf/verifier.c:17801
do_check_common+0x14bd/0x1dd0 kernel/bpf/verifier.c:20500
do_check_main kernel/bpf/verifier.c:20591 [inline]
bpf_check+0x136ab/0x19010 kernel/bpf/verifier.c:21261
bpf_prog_load+0x1667/0x20f0 kernel/bpf/syscall.c:2895
__sys_bpf+0x4ee/0x810 kernel/bpf/syscall.c:5631
__do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f8416194629
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdc6f0fdb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007ffdc6f0ff88 RCX: 00007f8416194629
RDX: 0000000000000090 RSI: 00000000200000c0 RDI: 0000000000000005
RBP: 00007f8416207610 R08: 0000000000000000 R09: 00007ffdc6f0ff88
R10: 00000000fffffff8 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffdc6f0ff78 R14: 0000000000000001 R15: 0000000000000001
</TASK>
---[ end trace ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Edward Adam Davis

Mar 19, 2024, 8:33:26 PM
to syzbot+33f429...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test oob in check_stack_range_initialized

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 1dd3b99d1bb9..358a90c88905 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7177,6 +7177,9 @@ static int check_stack_range_initialized(
return 0;
}

+ printk("mio: %d, mao: %d, as: %d, %s\n", min_off, max_off, access_size, __func__);
+ if (!min_off)
+ min_off = 1;
for (i = min_off; i < max_off + access_size; i++) {
u8 *stype;

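Review bot: the `if (!min_off) min_off = 1;` guard does not address the index the report flags. UBSAN sees `slot_type[-1]` at verifier.c:7190 (trace above), which the loop produces whenever it walks a non-negative `i`, not only when `min_off` is exactly 0; valid stack bytes all sit at negative frame-pointer offsets, so moving the start to 1 keeps the loop in the same out-of-range territory rather than rejecting the access. A range that reaches offset 0 or above should fail with `verbose(env, ...)` and `-EACCES`, as the surrounding verifier code reports errors, and the `printk` of `min_off`/`max_off`/`access_size` is debugging output that belongs in a test patch only, not in the fix.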

syzbot

Mar 20, 2024, 4:02:05 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: array-index-out-of-bounds in check_stack_range_initialized

mio: -8, mao: -8, as: -2147483647, check_stack_range_initialized
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in kernel/bpf/verifier.c:7193:12
index -1 is out of range for type 'u8[8]' (aka 'unsigned char[8]')
CPU: 0 PID: 5496 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-05230-g114b5b3b4bde-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:415
check_stack_range_initialized+0x13d8/0x1630 kernel/bpf/verifier.c:7193
check_helper_mem_access+0x2eb/0xfa0 kernel/bpf/verifier.c:7297
check_helper_call+0x263c/0x7220 kernel/bpf/verifier.c:10255
do_check+0x9e29/0x10530 kernel/bpf/verifier.c:17804
do_check_common+0x14bd/0x1dd0 kernel/bpf/verifier.c:20503
do_check_main kernel/bpf/verifier.c:20594 [inline]
bpf_check+0x136ab/0x19010 kernel/bpf/verifier.c:21264
bpf_prog_load+0x1667/0x20f0 kernel/bpf/syscall.c:2895
__sys_bpf+0x4ee/0x810 kernel/bpf/syscall.c:5631
__do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fb440a7dda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb4417ef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fb440babf80 RCX: 00007fb440a7dda9
RDX: 0000000000000090 RSI: 00000000200000c0 RDI: 0000000000000005
RBP: 00007fb440aca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fb440babf80 R15: 00007ffc0626c2f8
</TASK>
---[ end trace ]---


Tested on:

commit: 114b5b3b bpf, arm64: fix bug in BPF_LDX_MEMSX
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=14084006180000
kernel config: https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=33f4297b5f927648741a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16c4aa31180000

Edward Adam Davis

Mar 20, 2024, 5:40:18 AM
to syzbot+33f429...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test oob in check_stack_range_initialized

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master


diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 1dd3b99d1bb9..ed0878f4373a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7177,6 +7177,11 @@ static int check_stack_range_initialized(
return 0;
}

+ if (INT_MIN - access_size > max_off) {
+ verbose(env, "invalid access size\n");
+ return -EACCES;
+ }
+

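Review bot: `INT_MIN - access_size` is itself signed-integer overflow for every positive `access_size`, which is every legitimate call, since `INT_MIN - 1` is not representable in an int; the same UBSAN build that produced this report would flag that subtraction. Form the end of the range in a wider type or with `check_add_overflow()`, and reject a non-positive `access_size` explicitly, which is the case the previous test run printed (`as: -2147483647`) and the only one this condition catches.
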
syzbot

Mar 20, 2024, 6:09:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+33f429...@syzkaller.appspotmail.com

Tested on:

commit: 114b5b3b bpf, arm64: fix bug in BPF_LDX_MEMSX
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=15a0023a180000
kernel config: https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=33f4297b5f927648741a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=103be279180000

Note: testing is done by a robot and is best-effort only.

Edward Adam Davis

Mar 20, 2024, 7:17:11 AM
to syzbot+33f429...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test oob in check_stack_range_initialized

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master


diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 1dd3b99d1bb9..6306925c5e47 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7177,6 +7177,11 @@ static int check_stack_range_initialized(
return 0;
}

+ if (INT_MIN - access_size > max_off) {
+ verbose(env, "invalid access size\n");
+ return -EACCES;
+ }
+
for (i = min_off; i < max_off + access_size; i++) {
u8 *stype;

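Review bot: this hunk only rejects sizes so negative that `max_off + access_size` would wrap; a range whose offsets are merely non-negative still reaches the loop and still indexes `slot_type` with a negative subscript. Per Alexei's reply further down, the underlying bug is that `check_stack_access_within_bounds()` does not catch positive offsets, so the real check belongs there (the whole range must lie within `[-MAX_BPF_STACK, 0)`), and this guard is at most a secondary defence that should also carry a `verbose()` message naming the offending offset, not just "invalid access size".
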
@@ -8589,6 +8594,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
return 0;
}

+ printk("1meta:%p, maptr:%p, ks:%d, kv:%d,%s\n",
+ meta, meta->map_ptr, meta->map_ptr->key_size, meta->map_ptr->value_size, __func__);
if (type_is_pkt_pointer(type) &&
!may_access_direct_pkt_data(env, meta, BPF_READ)) {
verbose(env, "helper access to the packet is not allowed\n");
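
Review bot: `meta->map_ptr->key_size` and `->value_size` dereference `map_ptr` unconditionally at the top of check_func_arg(), but `map_ptr` is only populated once the map-pointer argument has been processed, so for earlier arguments and for helpers without a map argument it is NULL and this print faults inside the verifier. The second print below is safe because it follows the `invalid map_ptr to access map->key` check; this one needs an `if (meta->map_ptr)` guard or should go.
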
@@ -8704,6 +8711,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
verbose(env, "invalid map_ptr to access map->key\n");
return -EACCES;
}
+ printk("meta:%p, maptr:%p, ks:%d, reg->map_ptr:%p, %s\n",
+ meta, meta->map_ptr, meta->map_ptr->key_size, reg->map_ptr, __func__);
err = check_helper_mem_access(env, regno,
meta->map_ptr->key_size, false,
NULL);
@@ -8721,6 +8730,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
return -EACCES;
}
meta->raw_mode = arg_type & MEM_UNINIT;
+ printk("meta:%p, maptr:%p, vs:%d, reg->map_ptr:%p, %s\n",
+ meta, meta->map_ptr, meta->map_ptr->value_size, reg->map_ptr, __func__);
err = check_helper_mem_access(env, regno,
meta->map_ptr->value_size, false,
meta);
@@ -10248,6 +10259,8 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn

meta.func_id = func_id;
/* check args */
+ printk("meta:%p, maptr:%p, ks:%d, kv:%d,%s\n",
+ meta, meta->map_ptr, meta->map_ptr->key_size, meta->map_ptr->value_size, __func__);
for (i = 0; i < MAX_BPF_FUNC_REG_ARGS; i++) {
err = check_func_arg(env, i, &meta, fn, insn_idx);
if (err)
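
Review bot: in check_helper_call() `meta` is a `struct bpf_call_arg_meta` on the stack, not a pointer, so `meta->map_ptr` does not compile (the build failure that follows says exactly that: "member reference type 'struct bpf_call_arg_meta' is not a pointer"). More importantly, the print sits before the `check_func_arg()` loop that fills in `meta.map_ptr` (the context right below), so even as `meta.map_ptr->key_size` it dereferences NULL; a later revision of this patch crashed at boot in check_helper_call with a NULL-pointer dereference for that reason. Print only the pointer value here, or move the print after the loop.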

syzbot

Mar 20, 2024, 3:53:04 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

kernel/bpf/verifier.c:10263:13: error: member reference type 'struct bpf_call_arg_meta' is not a pointer; did you mean to use '.'?
kernel/bpf/verifier.c:10263:28: error: member reference type 'struct bpf_call_arg_meta' is not a pointer; did you mean to use '.'?
kernel/bpf/verifier.c:10263:53: error: member reference type 'struct bpf_call_arg_meta' is not a pointer; did you mean to use '.'?


Tested on:

commit: 114b5b3b bpf, arm64: fix bug in BPF_LDX_MEMSX
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=33f4297b5f927648741a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11495c6e180000

Edward Adam Davis

Mar 20, 2024, 7:52:06 PM
to syzbot+33f429...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test oob in check_stack_range_initialized

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master


diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 1dd3b99d1bb9..7ba5b4131929 100644
+ &meta, meta.map_ptr, meta.map_ptr->key_size, meta.map_ptr->value_size, __func__);
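
Review bot: swapping `->` for `.` fixes the compile error, but `meta.map_ptr->key_size` and `meta.map_ptr->value_size` still dereference `meta.map_ptr`, which is NULL at this point in check_helper_call() because the argument loop that sets it has not run yet. The boot failure syzbot reports for this patch (`KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]` with RIP in check_helper_call, reached from kernel_init loading a BPF program during init) is that dereference, and it fires on the first helper call the verifier processes, well before the reproducer runs.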

Alexei Starovoitov

Mar 21, 2024, 3:33:15 AM
to Andrei Matei, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Network Development, Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song
Hi Andrei,

looks like the refactoring of stack access introduced a bug.
See the reproducer below.
positive offsets are not caught by check_stack_access_within_bounds().
So both slot and spi become negative and access
stack[spi].slot_type[slot % BPF_REG_SIZE]
returns garbage.
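
The arithmetic Alexei describes, as an added example that is not part of this thread, of the kernel, or of any patch in it: a small C model of how the verifier maps a frame-pointer-relative byte offset to a stack slot and a byte within it, and the range check that has to run before that index is used. The mapping `slot = -i - 1`, `spi = slot / BPF_REG_SIZE`, `byte = slot % BPF_REG_SIZE` is the one in the loop in kernel/bpf/verifier.c (taken from the kernel source; only the final `stack[spi].slot_type[slot % BPF_REG_SIZE]` expression is quoted on this page), and `BPF_REG_SIZE` = 8 and `MAX_BPF_STACK` = 512 are the kernel's values. `struct stack_slot`, `struct slot_index`, `map_offset_unchecked()`, `index_in_bounds()`, `check_stack_range_within_bounds()` and `walk_stack_range()` are this example's own names, not verifier functions, and the sample offsets are constructed from the values syzbot printed (`mio: -8, mao: -8, as: -2147483647`). It shows why a non-negative offset yields the `index -1` in the report (C's `%` keeps the sign of the dividend, so `-1 % 8 == -1`) and how a bounds check rejects such a range, including a negative `access_size`, before anything is indexed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Kernel constants: 8-byte stack slots, 512-byte BPF stack. */
#define BPF_REG_SIZE   8
#define MAX_BPF_STACK  512

/* Stand-in for the verifier's per-slot metadata: one slot_type byte per
 * byte of a slot, the 'u8[8]' type UBSAN names in the report. */
struct stack_slot {
	unsigned char slot_type[BPF_REG_SIZE];
};

/* (slot index, byte within slot) for one frame-pointer-relative offset. */
struct slot_index {
	int spi;
	int byte;
};

/* The loop's arithmetic as it is, with no check: slot = -i - 1, then
 * divide and remainder. For i >= 0, slot is negative and so is the
 * remainder, because C truncates toward zero. */
struct slot_index map_offset_unchecked(int i)
{
	int slot = -i - 1;
	struct slot_index idx = { slot / BPF_REG_SIZE, slot % BPF_REG_SIZE };
	return idx;
}

/* Would (spi, byte) index a stack[] of nslots entries in bounds? */
bool index_in_bounds(struct slot_index idx, int nslots)
{
	return idx.spi >= 0 && idx.spi < nslots &&
	       idx.byte >= 0 && idx.byte < BPF_REG_SIZE;
}

/* The check that must precede the loop: every byte offset in
 * [min_off, max_off + access_size) has to lie inside [-MAX_BPF_STACK, 0).
 * The end of the range is formed in 64-bit so a hostile access_size cannot
 * wrap it. Returns 0 on success, -1 (stand-in for -EACCES) on rejection. */
int check_stack_range_within_bounds(int min_off, int max_off, int access_size)
{
	long long end = (long long)max_off + access_size;

	if (access_size <= 0)
		return -1;      /* a zero or negative size never describes a valid access */
	if (min_off < -MAX_BPF_STACK || min_off > max_off)
		return -1;      /* starts below the stack, or inverted range */
	if (end > 0)
		return -1;      /* reaches offset 0 or above: off the top of the stack */
	return 0;
}

/* Walk the range the verifier loop would walk, but only after the bounds
 * check. Returns -1 if the range is rejected, -2 if an index still went out
 * of bounds (cannot happen once the check passed), else the bytes walked. */
int walk_stack_range(int min_off, int max_off, int access_size)
{
	int nslots = MAX_BPF_STACK / BPF_REG_SIZE;
	int walked = 0;

	if (check_stack_range_within_bounds(min_off, max_off, access_size))
		return -1;

	for (int i = min_off; i < max_off + access_size; i++) {
		struct slot_index idx = map_offset_unchecked(i);

		if (!index_in_bounds(idx, nslots))
			return -2;
		walked++;
	}
	return walked;
}

int main(void)
{
	int nslots = MAX_BPF_STACK / BPF_REG_SIZE;
	struct slot_index at_zero = map_offset_unchecked(0);

	/* Offset 0 is what produces slot_type[-1] when the loop is not guarded. */
	printf("offset 0 -> spi %d, byte %d, in bounds: %s\n", at_zero.spi,
	       at_zero.byte, index_in_bounds(at_zero, nslots) ? "yes" : "no");
	/* The values syzbot printed for the failing call (constructed input). */
	printf("range (-8, -8, -2147483647) -> %d\n",
	       walk_stack_range(-8, -8, -2147483647));
	/* An ordinary 8-byte read of the slot just below the frame pointer. */
	printf("range (-8, -8, 8) -> %d\n", walk_stack_range(-8, -8, 8));
	return 0;
}
```

The kernel's own guard is `check_stack_access_within_bounds()`; the check here is a minimal statement of what that guard must guarantee before `check_stack_range_initialized()` indexes `slot_type`, not the kernel's code. With the guard in place a negative `access_size` and any range touching offset 0 or above are refused up front, so the loop never computes a negative subscript.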

Andrei Matei

Mar 21, 2024, 10:07:47 AM
to Alexei Starovoitov, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Network Development, Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song
Thanks for the report! Will look in a bit.

syzbot

Mar 21, 2024, 10:39:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

ocol family
[ 11.721719][ T1] NET: Registered PF_ROSE protocol family
[ 11.729719][ T1] NET: Registered PF_AX25 protocol family
[ 11.735660][ T1] can: controller area network core
[ 11.742759][ T1] NET: Registered PF_CAN protocol family
[ 11.748916][ T1] can: raw protocol
[ 11.752863][ T1] can: broadcast manager protocol
[ 11.757998][ T1] can: netlink gateway - max_hops=1
[ 11.763319][ T1] can: SAE J1939
[ 11.766850][ T1] can: isotp protocol (max_pdu_size 8300)
[ 11.773552][ T1] Bluetooth: RFCOMM TTY layer initialized
[ 11.779399][ T1] Bluetooth: RFCOMM socket layer initialized
[ 11.785432][ T1] Bluetooth: RFCOMM ver 1.11
[ 11.790172][ T1] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[ 11.796312][ T1] Bluetooth: BNEP filters: protocol multicast
[ 11.802789][ T1] Bluetooth: BNEP socket layer initialized
[ 11.809184][ T1] Bluetooth: CMTP (CAPI Emulation) ver 1.0
[ 11.815016][ T1] Bluetooth: CMTP socket layer initialized
[ 11.820951][ T1] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[ 11.827828][ T1] Bluetooth: HIDP socket layer initialized
[ 11.837659][ T1] NET: Registered PF_RXRPC protocol family
[ 11.843508][ T1] Key type rxrpc registered
[ 11.848040][ T1] Key type rxrpc_s registered
[ 11.853631][ T1] NET: Registered PF_KCM protocol family
[ 11.860130][ T1] lec:lane_module_init: lec.c: initialized
[ 11.865944][ T1] mpoa:atm_mpoa_init: mpc.c: initialized
[ 11.872062][ T1] l2tp_core: L2TP core driver, V2.0
[ 11.877329][ T1] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[ 11.882971][ T1] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[ 11.889548][ T1] l2tp_netlink: L2TP netlink interface
[ 11.895277][ T1] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[ 11.902381][ T1] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[ 11.910064][ T1] NET: Registered PF_PHONET protocol family
[ 11.916248][ T1] 8021q: 802.1Q VLAN Support v1.8
[ 11.934795][ T1] DCCP: Activated CCID 2 (TCP-like)
[ 11.940297][ T1] DCCP: Activated CCID 3 (TCP-Friendly Rate Control)
[ 11.947385][ T1] DCCP is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 11.958542][ T1] sctp: Hash tables configured (bind 32/56)
[ 11.966039][ T1] NET: Registered PF_RDS protocol family
[ 11.972547][ T1] Registered RDS/infiniband transport
[ 11.979222][ T1] Registered RDS/tcp transport
[ 11.984224][ T1] tipc: Activated (version 2.0.0)
[ 11.990037][ T1] NET: Registered PF_TIPC protocol family
[ 11.996601][ T1] tipc: Started in single node mode
[ 12.002800][ T1] NET: Registered PF_SMC protocol family
[ 12.009698][ T1] 9pnet: Installing 9P2000 support
[ 12.015903][ T1] NET: Registered PF_CAIF protocol family
[ 12.026175][ T1] NET: Registered PF_IEEE802154 protocol family
[ 12.032826][ T1] Key type dns_resolver registered
[ 12.038192][ T1] Key type ceph registered
[ 12.043168][ T1] libceph: loaded (mon/osd proto 15/24)
[ 12.050090][ T1] batman_adv: B.A.T.M.A.N. advanced 2024.1 (compatibility version 15) loaded
[ 12.060608][ T1] openvswitch: Open vSwitch switching datapath
[ 12.070242][ T1] NET: Registered PF_VSOCK protocol family
[ 12.076372][ T1] mpls_gso: MPLS GSO support
[ 12.097330][ T1] IPI shorthand broadcast: enabled
[ 12.102869][ T1] AVX2 version of gcm_enc/dec engaged.
[ 12.108892][ T1] AES CTR mode by8 optimization enabled
[ 13.500244][ T1] sched_clock: Marking stable (13460031426, 37162474)->(13499967596, -2773696)
[ 13.516849][ T1] Timer migration: 1 hierarchy levels; 8 children per group; 0 crossnode level
[ 13.528203][ T1] registered taskstats version 1
[ 13.534887][ T1] general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI
[ 13.547040][ T1] KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
[ 13.555448][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-syzkaller-05231-ga51cd6bf8e10-dirty #0
[ 13.565246][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 13.575304][ T1] RIP: 0010:check_helper_call+0x113d/0x76b0
[ 13.581246][ T1] Code: 48 8d bc 24 70 01 00 00 e8 a0 fb 4c 00 4c 8b b4 24 70 01 00 00 49 8d 7e 1c 48 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <0f> b6 04 08 84 c0 0f 85 33 59 00 00 45 8b 66 1c 49 8d 7e 20 48 89
[ 13.601839][ T1] RSP: 0000:ffffc90000066000 EFLAGS: 00010207
[ 13.607897][ T1] RAX: 0000000000000003 RBX: 0000000000000000 RCX: dffffc0000000000
[ 13.615863][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001c
[ 13.623838][ T1] RBP: ffffc90000066250 R08: ffffffff81ab3c9e R09: ffffffff81ab66aa
[ 13.631800][ T1] R10: 0000000000000002 R11: ffff8880162d0000 R12: ffffffff8baff368
[ 13.639935][ T1] R13: 1ffff9200000cc28 R14: 0000000000000000 R15: dffffc0000000000
[ 13.648268][ T1] FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
[ 13.660039][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 13.666609][ T1] CR2: ffff88823ffff000 CR3: 000000000df32000 CR4: 00000000003506f0
[ 13.674655][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 13.682811][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 13.690867][ T1] Call Trace:
[ 13.694157][ T1] <TASK>
[ 13.697082][ T1] ? __die_body+0x88/0xe0
[ 13.701706][ T1] ? die_addr+0x108/0x140
[ 13.706041][ T1] ? exc_general_protection+0x3dd/0x5d0
[ 13.711612][ T1] ? asm_exc_general_protection+0x26/0x30
[ 13.717553][ T1] ? check_helper_call+0x36ba/0x76b0
[ 13.723267][ T1] ? check_helper_call+0xcae/0x76b0
[ 13.728546][ T1] ? check_helper_call+0x113d/0x76b0
[ 13.733831][ T1] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 13.739891][ T1] ? __pfx_check_helper_call+0x10/0x10
[ 13.751844][ T1] ? reg_bounds_sanity_check+0x7b2/0xa20
[ 13.757490][ T1] ? tnum_const+0xd/0x20
[ 13.761901][ T1] do_check+0x9e29/0x10530
[ 13.766314][ T1] ? kmalloc_trace+0x1d9/0x360
[ 13.771068][ T1] ? do_check_common+0x190/0x1dd0
[ 13.776172][ T1] ? bpf_check+0x136ab/0x19010
[ 13.780919][ T1] ? kernel_init+0x1d/0x2a0
[ 13.785402][ T1] ? ret_from_fork+0x4b/0x80
[ 13.789980][ T1] ? __pfx_do_check+0x10/0x10
[ 13.794877][ T1] ? mark_reg_not_init+0xd4/0x4b0
[ 13.799933][ T1] ? __asan_memcpy+0x40/0x70
[ 13.804688][ T1] ? mark_reg_not_init+0xd4/0x4b0
[ 13.809695][ T1] do_check_common+0x14bd/0x1dd0
[ 13.814643][ T1] bpf_check+0x136ab/0x19010
[ 13.819224][ T1] ? __pfx_validate_chain+0x10/0x10
[ 13.824407][ T1] ? validate_chain+0x11b/0x58e0
[ 13.829323][ T1] ? validate_chain+0x11b/0x58e0
[ 13.834278][ T1] ? validate_chain+0x11b/0x58e0
[ 13.839287][ T1] ? validate_chain+0x11b/0x58e0
[ 13.844302][ T1] ? __pfx_bpf_check+0x10/0x10
[ 13.849168][ T1] ? __pfx_validate_chain+0x10/0x10
[ 13.854372][ T1] ? mark_lock+0x9a/0x350
[ 13.858697][ T1] ? mark_lock+0x9a/0x350
[ 13.863019][ T1] ? __lock_acquire+0x1346/0x1fd0
[ 13.868213][ T1] ? mark_lock+0x9a/0x350
[ 13.872597][ T1] ? __lock_acquire+0x1346/0x1fd0
[ 13.877768][ T1] ? mark_lock+0x9a/0x350
[ 13.882276][ T1] ? __lock_acquire+0x1346/0x1fd0
[ 13.887379][ T1] ? __pfx_lock_acquire+0x10/0x10
[ 13.892384][ T1] ? ktime_get_with_offset+0x105/0x330
[ 13.897995][ T1] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 13.904156][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 13.910768][ T1] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 13.917288][ T1] ? ktime_get_with_offset+0x105/0x330
[ 13.922910][ T1] ? seqcount_lockdep_reader_access+0x157/0x220
[ 13.929217][ T1] ? lockdep_hardirqs_on+0x99/0x150
[ 13.934406][ T1] ? seqcount_lockdep_reader_access+0x1d7/0x220
[ 13.940657][ T1] ? __pfx_seqcount_lockdep_reader_access+0x10/0x10
[ 13.947674][ T1] ? pcpu_alloc+0xf1a/0x1670
[ 13.952256][ T1] ? bpf_obj_name_cpy+0x18a/0x1d0
[ 13.957261][ T1] ? bpf_lsm_bpf_prog_load+0x9/0x10
[ 13.962451][ T1] ? security_bpf_prog_load+0x87/0xb0
[ 13.967821][ T1] bpf_prog_load+0x1667/0x20f0
[ 13.972819][ T1] ? __pfx_bpf_prog_load+0x10/0x10
[ 13.978234][ T1] ? kasan_quarantine_put+0xdc/0x230
[ 13.983684][ T1] ? map_update_elem+0x363/0x6f0
[ 13.988601][ T1] ? copy_from_kernel_nofault_allowed+0xa9/0x130
[ 13.994944][ T1] ? bpf_lsm_bpf+0x9/0x10
[ 13.999430][ T1] ? security_bpf+0x87/0xb0
[ 14.003930][ T1] __sys_bpf+0x4ee/0x810
[ 14.008173][ T1] ? __pfx___sys_bpf+0x10/0x10
[ 14.012929][ T1] kern_sys_bpf+0x185/0x6b0
[ 14.017420][ T1] ? __pfx_kern_sys_bpf+0x10/0x10
[ 14.022429][ T1] ? load+0xf4/0xfd0
[ 14.026397][ T1] ? kmalloc_trace+0x1d9/0x360
[ 14.031153][ T1] ? load+0x40e/0xfd0
[ 14.035426][ T1] load+0x550/0xfd0
[ 14.039405][ T1] ? __pfx_load+0x10/0x10
[ 14.043720][ T1] ? kasan_save_track+0x51/0x80
[ 14.048558][ T1] ? kasan_save_track+0x3f/0x80
[ 14.053476][ T1] ? __kasan_kmalloc+0x98/0xb0
[ 14.058229][ T1] ? __kmalloc_node+0x251/0x4e0
[ 14.063154][ T1] ? alloc_bulk+0x472/0x6f0
[ 14.067634][ T1] ? bpf_mem_alloc_init+0x47d/0xc50
[ 14.073107][ T1] ? cpumask_kfunc_init+0x98/0x150
[ 14.078385][ T1] ? do_one_initcall+0x238/0x830
[ 14.083663][ T1] ? do_initcall_level+0x157/0x210
[ 14.088981][ T1] ? do_initcalls+0x3f/0x80
[ 14.093672][ T1] ? kernel_init_freeable+0x435/0x5d0
[ 14.099031][ T1] ? kernel_init+0x1d/0x2a0
[ 14.103530][ T1] ? ret_from_fork+0x4b/0x80
[ 14.108136][ T1] ? ret_from_fork_asm+0x1a/0x30
[ 14.113154][ T1] ? mark_lock+0x9a/0x350
[ 14.117670][ T1] ? __lock_acquire+0x1346/0x1fd0
[ 14.122697][ T1] ? _raw_spin_unlock_irqrestore+0x8f/0x140
[ 14.128591][ T1] ? lockdep_hardirqs_on+0x99/0x150
[ 14.133952][ T1] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 14.139832][ T1] ? __pfx_add_device_randomness+0x10/0x10
[ 14.145719][ T1] ? __pfx_load+0x10/0x10
[ 14.150121][ T1] do_one_initcall+0x238/0x830
[ 14.154863][ T1] ? __pfx_load+0x10/0x10
[ 14.159166][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 14.166079][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 14.171368][ T1] ? __pfx_parse_args+0x10/0x10
[ 14.176223][ T1] ? do_initcalls+0x1c/0x80
[ 14.181017][ T1] ? rcu_is_watching+0x15/0xb0
[ 14.185910][ T1] do_initcall_level+0x157/0x210
[ 14.190924][ T1] do_initcalls+0x3f/0x80
[ 14.195251][ T1] kernel_init_freeable+0x435/0x5d0
[ 14.200463][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 14.206174][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 14.212486][ T1] ? __pfx_kernel_init+0x10/0x10
[ 14.217521][ T1] ? __pfx_kernel_init+0x10/0x10
[ 14.222482][ T1] ? __pfx_kernel_init+0x10/0x10
[ 14.227773][ T1] kernel_init+0x1d/0x2a0
[ 14.232101][ T1] ret_from_fork+0x4b/0x80
[ 14.236503][ T1] ? __pfx_kernel_init+0x10/0x10
[ 14.241421][ T1] ret_from_fork_asm+0x1a/0x30
[ 14.246167][ T1] </TASK>
[ 14.249165][ T1] Modules linked in:
[ 14.253332][ T1] ---[ end trace 0000000000000000 ]---
[ 14.259150][ T1] RIP: 0010:check_helper_call+0x113d/0x76b0
[ 14.265131][ T1] Code: 48 8d bc 24 70 01 00 00 e8 a0 fb 4c 00 4c 8b b4 24 70 01 00 00 49 8d 7e 1c 48 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <0f> b6 04 08 84 c0 0f 85 33 59 00 00 45 8b 66 1c 49 8d 7e 20 48 89
[ 14.285348][ T1] RSP: 0000:ffffc90000066000 EFLAGS: 00010207
[ 14.291474][ T1] RAX: 0000000000000003 RBX: 0000000000000000 RCX: dffffc0000000000
[ 14.299537][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001c
[ 14.307519][ T1] RBP: ffffc90000066250 R08: ffffffff81ab3c9e R09: ffffffff81ab66aa
[ 14.315662][ T1] R10: 0000000000000002 R11: ffff8880162d0000 R12: ffffffff8baff368
[ 14.323705][ T1] R13: 1ffff9200000cc28 R14: 0000000000000000 R15: dffffc0000000000
[ 14.331703][ T1] FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
[ 14.340738][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 14.347336][ T1] CR2: 0000000000000000 CR3: 000000000df32000 CR4: 00000000003506f0
[ 14.355310][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 14.363321][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 14.371501][ T1] Kernel panic - not syncing: Fatal exception
[ 14.378082][ T1] Kernel Offset: disabled
[ 14.382392][ T1] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build516019239=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at baa80228d
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=baa80228d652d8b1341ecf7f1411c4e4caf75bd5 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240318-105857'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=baa80228d652d8b1341ecf7f1411c4e4caf75bd5 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240318-105857'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=baa80228d652d8b1341ecf7f1411c4e4caf75bd5 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240318-105857'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"baa80228d652d8b1341ecf7f1411c4e4caf75bd5\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=15ca4c81180000


Tested on:

commit: a51cd6bf arm64: bpf: fix 32bit unconditional bswap
kernel config: https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=33f4297b5f927648741a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=134ceaa5180000

Edward Adam Davis

Mar 21, 2024, 8:11:17 PM
to syzbot+33f429...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test oob in check_stack_range_initialized

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 1dd3b99d1bb9..80b9ae2b90bb 100644
+ printk("meta:%p, maptr:%p, %s\n",
+ &meta, meta.map_ptr, __func__);
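
Review bot: printing `meta.map_ptr` by value without dereferencing it is safe, and the boot log that follows shows the print landing (`maptr:0000000000000000`) immediately before the same general protection fault as the previous revision. That confirms `map_ptr` is NULL at this point in check_helper_call(), so if the patch still carries any `map_ptr->key_size` / `->value_size` print from the earlier check_func_arg hunks, that dereference has to be guarded with `if (meta->map_ptr)` or removed before the boot will get past the first verified program.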

syzbot

Mar 22, 2024, 6:42:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

ly
[ 13.243082][ T1] X25: Linux Version 0.2
[ 13.292064][ T1] NET: Registered PF_NETROM protocol family
[ 13.343313][ T1] NET: Registered PF_ROSE protocol family
[ 13.349296][ T1] NET: Registered PF_AX25 protocol family
[ 13.355995][ T1] can: controller area network core
[ 13.361609][ T1] NET: Registered PF_CAN protocol family
[ 13.367325][ T1] can: raw protocol
[ 13.371880][ T1] can: broadcast manager protocol
[ 13.376970][ T1] can: netlink gateway - max_hops=1
[ 13.382696][ T1] can: SAE J1939
[ 13.386246][ T1] can: isotp protocol (max_pdu_size 8300)
[ 13.392393][ T1] Bluetooth: RFCOMM TTY layer initialized
[ 13.398148][ T1] Bluetooth: RFCOMM socket layer initialized
[ 13.405038][ T1] Bluetooth: RFCOMM ver 1.11
[ 13.409743][ T1] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[ 13.415895][ T1] Bluetooth: BNEP filters: protocol multicast
[ 13.422062][ T1] Bluetooth: BNEP socket layer initialized
[ 13.427913][ T1] Bluetooth: CMTP (CAPI Emulation) ver 1.0
[ 13.433798][ T1] Bluetooth: CMTP socket layer initialized
[ 13.439683][ T1] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[ 13.446589][ T1] Bluetooth: HIDP socket layer initialized
[ 13.455663][ T1] NET: Registered PF_RXRPC protocol family
[ 13.461694][ T1] Key type rxrpc registered
[ 13.466180][ T1] Key type rxrpc_s registered
[ 13.471908][ T1] NET: Registered PF_KCM protocol family
[ 13.478501][ T1] lec:lane_module_init: lec.c: initialized
[ 13.484387][ T1] mpoa:atm_mpoa_init: mpc.c: initialized
[ 13.490222][ T1] l2tp_core: L2TP core driver, V2.0
[ 13.495433][ T1] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[ 13.501085][ T1] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[ 13.507588][ T1] l2tp_netlink: L2TP netlink interface
[ 13.513727][ T1] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[ 13.520521][ T1] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[ 13.528163][ T1] NET: Registered PF_PHONET protocol family
[ 13.534342][ T1] 8021q: 802.1Q VLAN Support v1.8
[ 13.553054][ T1] DCCP: Activated CCID 2 (TCP-like)
[ 13.558374][ T1] DCCP: Activated CCID 3 (TCP-Friendly Rate Control)
[ 13.565874][ T1] DCCP is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 13.577035][ T1] sctp: Hash tables configured (bind 32/56)
[ 13.584677][ T1] NET: Registered PF_RDS protocol family
[ 13.591398][ T1] Registered RDS/infiniband transport
[ 13.597871][ T1] Registered RDS/tcp transport
[ 13.602694][ T1] tipc: Activated (version 2.0.0)
[ 13.608498][ T1] NET: Registered PF_TIPC protocol family
[ 13.615258][ T1] tipc: Started in single node mode
[ 13.621255][ T1] NET: Registered PF_SMC protocol family
[ 13.627139][ T1] 9pnet: Installing 9P2000 support
[ 13.633262][ T1] NET: Registered PF_CAIF protocol family
[ 13.643520][ T1] NET: Registered PF_IEEE802154 protocol family
[ 13.650024][ T1] Key type dns_resolver registered
[ 13.655322][ T1] Key type ceph registered
[ 13.660315][ T1] libceph: loaded (mon/osd proto 15/24)
[ 13.667023][ T1] batman_adv: B.A.T.M.A.N. advanced 2024.1 (compatibility version 15) loaded
[ 13.676163][ T1] openvswitch: Open vSwitch switching datapath
[ 13.685504][ T1] NET: Registered PF_VSOCK protocol family
[ 13.692734][ T1] mpls_gso: MPLS GSO support
[ 13.713085][ T1] IPI shorthand broadcast: enabled
[ 13.718324][ T1] AVX2 version of gcm_enc/dec engaged.
[ 13.724817][ T1] AES CTR mode by8 optimization enabled
[ 15.093071][ T1] sched_clock: Marking stable (15050030128, 39570184)->(15098082991, -8482679)
[ 15.103483][ T1] Timer migration: 1 hierarchy levels; 8 children per group; 0 crossnode level
[ 15.113749][ T1] registered taskstats version 1
[ 15.123705][ T1] meta:ffffc90000066170, maptr:0000000000000000, check_helper_call
[ 15.132660][ T1] general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI
[ 15.144894][ T1] KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
[ 15.153438][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-syzkaller-05232-gddb2ffdc474a-dirty #0
[ 15.163497][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 15.173648][ T1] RIP: 0010:check_helper_call+0x14ec/0x7620
[ 15.179554][ T1] Code: 8d bc 24 70 01 00 00 e8 62 f7 4c 00 4c 8b a4 24 70 01 00 00 49 8d 7c 24 1c 48 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <0f> b6 04 08 84 c0 0f 85 67 17 00 00 41 8b 5c 24 1c 49 8d 7c 24 20
[ 15.199330][ T1] RSP: 0000:ffffc90000066000 EFLAGS: 00010207
[ 15.205657][ T1] RAX: 0000000000000003 RBX: 0000000000008004 RCX: dffffc0000000000
[ 15.213721][ T1] RDX: ffff8880162d0000 RSI: 0000000000008004 RDI: 000000000000001c
[ 15.221695][ T1] RBP: ffffc90000066250 R08: ffffffff81ab43c7 R09: 1ffff9200000cb54
[ 15.229826][ T1] R10: dffffc0000000000 R11: fffff5200000cb55 R12: 0000000000000000
[ 15.238066][ T1] R13: 0000000000000001 R14: ffff88802e208000 R15: 0000000000008004
[ 15.246307][ T1] FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
[ 15.255391][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 15.261971][ T1] CR2: ffff88823ffff000 CR3: 000000000df32000 CR4: 00000000003506f0
[ 15.269930][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 15.277901][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 15.285863][ T1] Call Trace:
[ 15.289137][ T1] <TASK>
[ 15.292167][ T1] ? __die_body+0x88/0xe0
[ 15.296480][ T1] ? die_addr+0x108/0x140
[ 15.300794][ T1] ? exc_general_protection+0x3dd/0x5d0
[ 15.306433][ T1] ? asm_exc_general_protection+0x26/0x30
[ 15.312151][ T1] ? check_helper_call+0x13d7/0x7620
[ 15.317696][ T1] ? check_helper_call+0x14ec/0x7620
[ 15.323087][ T1] ? __pfx_check_helper_call+0x10/0x10
[ 15.328743][ T1] ? tnum_const+0xd/0x20
[ 15.333063][ T1] do_check+0x9e29/0x10530
[ 15.337512][ T1] ? kmalloc_trace+0x1d9/0x360
[ 15.342265][ T1] ? do_check_common+0x190/0x1dd0
[ 15.347908][ T1] ? bpf_check+0x136ab/0x19010
[ 15.352746][ T1] ? kernel_init+0x1d/0x2a0
[ 15.357416][ T1] ? ret_from_fork+0x4b/0x80
[ 15.362091][ T1] ? __pfx_do_check+0x10/0x10
[ 15.366750][ T1] ? mark_reg_not_init+0xd4/0x4b0
[ 15.372015][ T1] ? __asan_memcpy+0x40/0x70
[ 15.376588][ T1] ? mark_reg_not_init+0xd4/0x4b0
[ 15.381594][ T1] do_check_common+0x14bd/0x1dd0
[ 15.386655][ T1] bpf_check+0x136ab/0x19010
[ 15.391261][ T1] ? __pfx_validate_chain+0x10/0x10
[ 15.396455][ T1] ? validate_chain+0x11b/0x58e0
[ 15.401383][ T1] ? validate_chain+0x11b/0x58e0
[ 15.406524][ T1] ? validate_chain+0x11b/0x58e0
[ 15.411641][ T1] ? validate_chain+0x11b/0x58e0
[ 15.416565][ T1] ? __pfx_bpf_check+0x10/0x10
[ 15.421319][ T1] ? __pfx_validate_chain+0x10/0x10
[ 15.426499][ T1] ? mark_lock+0x9a/0x350
[ 15.430811][ T1] ? mark_lock+0x9a/0x350
[ 15.435122][ T1] ? __lock_acquire+0x1346/0x1fd0
[ 15.440128][ T1] ? mark_lock+0x9a/0x350
[ 15.444451][ T1] ? __lock_acquire+0x1346/0x1fd0
[ 15.449546][ T1] ? mark_lock+0x9a/0x350
[ 15.453880][ T1] ? __lock_acquire+0x1346/0x1fd0
[ 15.458925][ T1] ? __pfx_lock_acquire+0x10/0x10
[ 15.463951][ T1] ? ktime_get_with_offset+0x105/0x330
[ 15.469575][ T1] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 15.476306][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 15.482659][ T1] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 15.488838][ T1] ? ktime_get_with_offset+0x105/0x330
[ 15.494460][ T1] ? seqcount_lockdep_reader_access+0x157/0x220
[ 15.500687][ T1] ? lockdep_hardirqs_on+0x99/0x150
[ 15.505871][ T1] ? seqcount_lockdep_reader_access+0x1d7/0x220
[ 15.512096][ T1] ? __pfx_seqcount_lockdep_reader_access+0x10/0x10
[ 15.518670][ T1] ? pcpu_alloc+0xf1a/0x1670
[ 15.523350][ T1] ? bpf_obj_name_cpy+0x18a/0x1d0
[ 15.528458][ T1] ? bpf_lsm_bpf_prog_load+0x9/0x10
[ 15.533651][ T1] ? security_bpf_prog_load+0x87/0xb0
[ 15.539207][ T1] bpf_prog_load+0x1667/0x20f0
[ 15.544077][ T1] ? __pfx_bpf_prog_load+0x10/0x10
[ 15.549174][ T1] ? kasan_quarantine_put+0xdc/0x230
[ 15.554552][ T1] ? map_update_elem+0x363/0x6f0
[ 15.559475][ T1] ? copy_from_kernel_nofault_allowed+0xa9/0x130
[ 15.565786][ T1] ? bpf_lsm_bpf+0x9/0x10
[ 15.570102][ T1] ? security_bpf+0x87/0xb0
[ 15.574700][ T1] __sys_bpf+0x4ee/0x810
[ 15.579189][ T1] ? __pfx___sys_bpf+0x10/0x10
[ 15.584016][ T1] kern_sys_bpf+0x185/0x6b0
[ 15.588592][ T1] ? __pfx_kern_sys_bpf+0x10/0x10
[ 15.593801][ T1] ? load+0xf4/0xfd0
[ 15.597854][ T1] ? kmalloc_trace+0x1d9/0x360
[ 15.602706][ T1] ? load+0x40e/0xfd0
[ 15.606676][ T1] load+0x550/0xfd0
[ 15.610560][ T1] ? __pfx_load+0x10/0x10
[ 15.615004][ T1] ? kasan_save_track+0x51/0x80
[ 15.619962][ T1] ? kasan_save_track+0x3f/0x80
[ 15.624889][ T1] ? __kasan_kmalloc+0x98/0xb0
[ 15.629899][ T1] ? __kmalloc_node+0x251/0x4e0
[ 15.634736][ T1] ? alloc_bulk+0x472/0x6f0
[ 15.639225][ T1] ? bpf_mem_alloc_init+0x47d/0xc50
[ 15.644423][ T1] ? cpumask_kfunc_init+0x98/0x150
[ 15.649710][ T1] ? do_one_initcall+0x238/0x830
[ 15.654739][ T1] ? do_initcall_level+0x157/0x210
[ 15.659948][ T1] ? do_initcalls+0x3f/0x80
[ 15.664643][ T1] ? kernel_init_freeable+0x435/0x5d0
[ 15.670263][ T1] ? kernel_init+0x1d/0x2a0
[ 15.674937][ T1] ? ret_from_fork+0x4b/0x80
[ 15.684622][ T1] ? ret_from_fork_asm+0x1a/0x30
[ 15.689876][ T1] ? mark_lock+0x9a/0x350
[ 15.694286][ T1] ? __lock_acquire+0x1346/0x1fd0
[ 15.699402][ T1] ? _raw_spin_unlock_irqrestore+0x8f/0x140
[ 15.705953][ T1] ? lockdep_hardirqs_on+0x99/0x150
[ 15.711328][ T1] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 15.717218][ T1] ? __pfx_add_device_randomness+0x10/0x10
[ 15.723251][ T1] ? __pfx_load+0x10/0x10
[ 15.727637][ T1] do_one_initcall+0x238/0x830
[ 15.732504][ T1] ? __pfx_load+0x10/0x10
[ 15.736814][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 15.743306][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 15.748700][ T1] ? __pfx_parse_args+0x10/0x10
[ 15.753887][ T1] ? do_initcalls+0x1c/0x80
[ 15.758588][ T1] ? rcu_is_watching+0x15/0xb0
[ 15.763350][ T1] do_initcall_level+0x157/0x210
[ 15.768389][ T1] do_initcalls+0x3f/0x80
[ 15.772732][ T1] kernel_init_freeable+0x435/0x5d0
[ 15.777955][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 15.783663][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 15.789977][ T1] ? __pfx_kernel_init+0x10/0x10
[ 15.794990][ T1] ? __pfx_kernel_init+0x10/0x10
[ 15.800002][ T1] ? __pfx_kernel_init+0x10/0x10
[ 15.804935][ T1] kernel_init+0x1d/0x2a0
[ 15.809370][ T1] ret_from_fork+0x4b/0x80
[ 15.813832][ T1] ? __pfx_kernel_init+0x10/0x10
[ 15.818780][ T1] ret_from_fork_asm+0x1a/0x30
[ 15.823558][ T1] </TASK>
[ 15.826588][ T1] Modules linked in:
[ 15.830703][ T1] ---[ end trace 0000000000000000 ]---
[ 15.836626][ T1] RIP: 0010:check_helper_call+0x14ec/0x7620
[ 15.843209][ T1] Code: 8d bc 24 70 01 00 00 e8 62 f7 4c 00 4c 8b a4 24 70 01 00 00 49 8d 7c 24 1c 48 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <0f> b6 04 08 84 c0 0f 85 67 17 00 00 41 8b 5c 24 1c 49 8d 7c 24 20
[ 15.863225][ T1] RSP: 0000:ffffc90000066000 EFLAGS: 00010207
[ 15.869311][ T1] RAX: 0000000000000003 RBX: 0000000000008004 RCX: dffffc0000000000
[ 15.877516][ T1] RDX: ffff8880162d0000 RSI: 0000000000008004 RDI: 000000000000001c
[ 15.885761][ T1] RBP: ffffc90000066250 R08: ffffffff81ab43c7 R09: 1ffff9200000cb54
[ 15.893940][ T1] R10: dffffc0000000000 R11: fffff5200000cb55 R12: 0000000000000000
[ 15.902193][ T1] R13: 0000000000000001 R14: ffff88802e208000 R15: 0000000000008004
[ 15.910257][ T1] FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
[ 15.919196][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 15.925873][ T1] CR2: 0000000000000000 CR3: 000000000df32000 CR4: 00000000003506f0
[ 15.933923][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 15.942979][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 15.951017][ T1] Kernel panic - not syncing: Fatal exception
[ 15.957777][ T1] Kernel Offset: disabled
[ 15.962097][ T1] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3260162229=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at baa80228d
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=baa80228d652d8b1341ecf7f1411c4e4caf75bd5 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240318-105857'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=baa80228d652d8b1341ecf7f1411c4e4caf75bd5 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240318-105857'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=baa80228d652d8b1341ecf7f1411c4e4caf75bd5 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240318-105857'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"baa80228d652d8b1341ecf7f1411c4e4caf75bd5\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=13b0b5c9180000


Tested on:

commit: ddb2ffdc libbpf: Define MFD_CLOEXEC if not available
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=33f4297b5f927648741a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1702b481180000

Edward Adam Davis

unread,
Mar 23, 2024, 12:42:25 AMMar 23
to syzbot+33f429...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test oob in check_stack_range_initialized

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 1dd3b99d1bb9..29d7673d0e1f 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7177,6 +7177,11 @@ static int check_stack_range_initialized(
return 0;
}

+ if (INT_MIN - access_size > max_off) {
+ verbose(env, "invalid access size\n");
+ return -EACCES;
+ }
+
for (i = min_off; i < max_off + access_size; i++) {
u8 *stype;

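Review bot: the guard `if (INT_MIN - access_size > max_off)` is itself signed overflow for every positive access_size, which is the normal case, because INT_MIN minus a positive int is below INT_MIN; that is undefined behaviour in C and exactly the arithmetic the kernel's check_add_overflow() exists to avoid. It is also incomplete for the case it targets: with access_size == -1, INT_MIN - (-1) is INT_MIN + 1, which is not greater than any stack max_off, so the check passes, and the loop condition `i < max_off + access_size` that follows is then false from the start, so the range is reported initialized without a single byte having been checked. Reject `access_size < 0` outright before the loop (a negative stack access size is never legitimate), compute the bound once with `check_add_overflow(max_off, access_size, &end)`, and include access_size and max_off in the verbose() message so the rejected program's log says why.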
@@ -8589,6 +8594,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
return 0;
}

+ printk("1meta:%p, maptr:%p, %s\n",
+ meta, meta->map_ptr, __func__);
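Review bot: the bare `printk("1meta:%p, maptr:%p, %s\n", ...)` in check_func_arg has no log level and fires for every helper argument of every program the verifier checks, so it is test-run instrumentation rather than part of the fix; drop it from the version posted for review, or route it through verbose(env, ...) so it lands in the verifier log of the program under test rather than in dmesg. The hunk is also cut off here before its trailing context, so it cannot be applied from this message as posted.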

syzbot

unread,
Mar 23, 2024, 5:08:04 AMMar 23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+33f429...@syzkaller.appspotmail.com

Tested on:

commit: 122fdbd2 bpf: verifier: reject addr_space_cast insn wi..
console output: https://syzkaller.appspot.com/x/log.txt?x=13dbb1be180000
kernel config: https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=33f4297b5f927648741a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=122ebbb9180000

Andrei Matei

unread,
Mar 23, 2024, 8:50:49 PMMar 23
to Alexei Starovoitov, ead...@qq.com, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Network Development, Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song
+ Edward

On Thu, Mar 21, 2024 at 3:33 AM Alexei Starovoitov
<alexei.st...@gmail.com> wrote:
>
> Hi Andrei,
>
> looks like the refactoring of stack access introduced a bug.
> See the reproducer below.
> positive offsets are not caught by check_stack_access_within_bounds().

check_stack_access_within_bounds() tries to catch positive offsets;
It does: [1]

err = check_stack_slot_within_bounds(env, min_off, state, type);
if (!err && max_off > 0)
err = -EINVAL; /* out of stack access into non-negative offsets */

Notice the max_off > 0 in there.
And we have various tests that seem to check that positive offsets are
rejected. Do you know what the bug is?
I'm thinking maybe there's some overflow going on, except that UBSAN
reported an index of -1 as being the problem.

Edward, I see that you've been tickling the robot trying to narrow the issue;
perhaps you've figured it out?

If the bug is not immediately apparent to anyone, I would really appreciate a
bit of tutoring around how to reproduce and get verifier logs. I have tried a
bunch of cases of constant- and variable-offset accesses, and couldn't repro. I
can run syzkaller's repro on its own vm image, and indeed it crashes. But I'm
not sure how to get verifier logs out of the C reproducer. Alternatively, I'm
not sure how to figure out the actual BPF program corresponding to the "syz
repro" in [2] and turn it into a test_progs test. How do you guys do it?

Thanks a lot!

[1] https://github.com/torvalds/linux/blob/70293240c5ce675a67bfc48f419b093023b862b3/kernel/bpf/verifier.c#L6695
[2] https://syzkaller.appspot.com/x/repro.syz?x=1763a479180000

Alexei Starovoitov

unread,
Mar 23, 2024, 8:52:51 PMMar 23
to Andrei Matei, Edward Adam Davis, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Network Development, Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song
On Sat, Mar 23, 2024 at 5:50 PM Andrei Matei <andrei...@gmail.com> wrote:
>
> + Edward
>
> On Thu, Mar 21, 2024 at 3:33 AM Alexei Starovoitov
> <alexei.st...@gmail.com> wrote:
> >
> > Hi Andrei,
> >
> > looks like the refactoring of stack access introduced a bug.
> > See the reproducer below.
> > positive offsets are not caught by check_stack_access_within_bounds().
>
> check_stack_access_within_bounds() tries to catch positive offsets;
> It does: [1]
>
> err = check_stack_slot_within_bounds(env, min_off, state, type);
> if (!err && max_off > 0)
> err = -EINVAL; /* out of stack access into non-negative offsets */
>
> Notice the max_off > 0 in there.
> And we have various tests that seem to check that positive offsets are
> rejected. Do you know what the bug is?
> I'm thinking maybe there's some overflow going on, except that UBSAN
> reported an index of -1 as being the problem.
>
> Edward, I see that you've been tickling the robot trying to narrow the issue;
> perhaps you've figured it out?
>
> If the bug is not immediately apparent to anyone, I would really appreciate a
> bit of tutoring around how to reproduce and get verifier logs.

The repro is right there in the email I forwarded:

> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15c38711180000

Andrei Matei

unread,
Mar 23, 2024, 10:12:38 PMMar 23
to Alexei Starovoitov, Edward Adam Davis, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Network Development, Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song
I understand, but how does one go from this to either BPF assembly,
or to running it in such a way that you also get verifier logs?

Alexei Starovoitov

unread,
Mar 23, 2024, 10:55:25 PMMar 23
to Andrei Matei, Edward Adam Davis, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Network Development, Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song
Adding logs to repro.c is too hard, but you can
hack the kernel with printk-s.

Like the following:

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index de7813947981..d158b83ed16c 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7179,6 +7179,7 @@ static int check_stack_range_initialized(
return -EFAULT;
}

+ printk("slot %d %d spi %d\n", slot, slot % BPF_REG_SIZE, spi);
stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];
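Review bot: as a one-off diagnostic this does the job, but it prints once per stack byte for every program the verifier sees and only shows the symptom (slot and spi going to -1, -2, ...). The cause is the loop bound `max_off + access_size` (visible in the patch context earlier in this thread) wrapping once access_size is the negative int that a u32 value_size of 2147483649 becomes; adding max_off and access_size to the same printk, or printing them once before the loop, would show the overflow directly instead of leaving it to be inferred from the sequence. Use pr_info() or an explicit KERN_ level with a recognisable prefix so the lines are easy to grep and to strip before the real fix goes in.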


shows that spi and slot get negative: -1, -2, ...

Andrei Matei

unread,
Mar 25, 2024, 10:48:19 PMMar 25
to Alexei Starovoitov, Edward Adam Davis, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Network Development, Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song
Fixing in https://lore.kernel.org/bpf/20240324230323.109...@gmail.com/

FWIW, I managed to decode the BPF program that syzkaller used:

0: (18) r0 = 0x0
2: (18) r1 = map[id:4]
4: (b7) r8 = 0
5: (7b) *(u64 *)(r10 -8) = r8
6: (bf) r2 = r10
7: (07) r2 += -8
8: (b7) r3 = 8
9: (b7) r4 = 0
10: (85) call bloom_map_peek_elem#322320
11: (95) exit

Where the map is a bloom filter (as Alexei somehow already knew on the patch
thread) with a humongous value size.

4: type 30 flags 0x0
key 0B value 2147483649B max_entries 255 memlock 720B

On Sat, Mar 23, 2024 at 10:55 PM Alexei Starovoitov
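The decoded listing above, rebuilt as a stand-alone loader that asks the kernel for the verifier log, which is the "how do I get verifier logs out of the repro" part of Andrei's earlier question. This is an added example, not code from the thread, from syzkaller or from the kernel selftests. It creates the bloom filter map with the parameters bpftool printed (type 30, key 0, value 2147483649, max_entries 255), encodes the twelve instruction slots using the opcodes shown in parentheses in the listing, and loads the program through the raw bpf(2) syscall with a log buffer. The program type (BPF_PROG_TYPE_SOCKET_FILTER), the "GPL" license string, the use of BPF_PSEUDO_MAP_FD to wire the map fd into the ld_imm64 at instruction 2, and leaving map_extra at 0 are my assumptions; the thread does not show them. On a tree with the fix the load is rejected and the log says why; on the affected tree this is the reported UBSAN trigger, so run it only as root inside a throwaway VM.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <linux/bpf.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Map as bpftool printed it in the thread. Type 30 is BPF_MAP_TYPE_BLOOM_FILTER,
 * spelled numerically so the example also builds against older uapi headers. */
#define REPRO_MAP_TYPE    30
#define REPRO_KEY_SIZE    0
#define REPRO_VALUE_SIZE  2147483649u
#define REPRO_MAX_ENTRIES 255

static long sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
{
	return syscall(__NR_bpf, cmd, attr, size);
}

static struct bpf_insn insn(uint8_t code, uint8_t dst, uint8_t src,
			    int16_t off, int32_t imm)
{
	struct bpf_insn i = { .code = code, .dst_reg = dst, .src_reg = src,
			      .off = off, .imm = imm };
	return i;
}

/* Encode the decoded listing into `out` (room for 12 slots), wiring map_fd
 * into the ld_imm64 at instruction 2. Opcodes are the bytes shown in
 * parentheses in the listing. Returns the number of slots filled. */
size_t build_repro_prog(struct bpf_insn *out, int map_fd)
{
	size_t n = 0;

	out[n++] = insn(0x18, BPF_REG_0, 0, 0, 0);		/* 0: r0 = 0 (two slots) */
	out[n++] = insn(0, 0, 0, 0, 0);
	out[n++] = insn(0x18, BPF_REG_1, BPF_PSEUDO_MAP_FD, 0, map_fd); /* 2: r1 = map */
	out[n++] = insn(0, 0, 0, 0, 0);
	out[n++] = insn(0xb7, BPF_REG_8, 0, 0, 0);		/* 4: r8 = 0 */
	out[n++] = insn(0x7b, BPF_REG_10, BPF_REG_8, -8, 0);	/* 5: *(u64 *)(r10-8) = r8 */
	out[n++] = insn(0xbf, BPF_REG_2, BPF_REG_10, 0, 0);	/* 6: r2 = r10 */
	out[n++] = insn(0x07, BPF_REG_2, 0, 0, -8);		/* 7: r2 += -8 */
	out[n++] = insn(0xb7, BPF_REG_3, 0, 0, 8);		/* 8: r3 = 8 */
	out[n++] = insn(0xb7, BPF_REG_4, 0, 0, 0);		/* 9: r4 = 0 */
	/* 10: call map_peek_elem. The verifier sizes the r2 stack access by the
	 * map's value_size, which is where 2147483649 enters as an int. */
	out[n++] = insn(0x85, 0, 0, 0, BPF_FUNC_map_peek_elem);
	out[n++] = insn(0x95, 0, 0, 0, 0);			/* 11: exit */
	return n;
}

static int create_repro_map(void)
{
	union bpf_attr attr;

	memset(&attr, 0, sizeof(attr));
	attr.map_type = REPRO_MAP_TYPE;
	attr.key_size = REPRO_KEY_SIZE;
	attr.value_size = REPRO_VALUE_SIZE;
	attr.max_entries = REPRO_MAX_ENTRIES;	/* map_extra left 0: default hash count (assumption) */
	return (int)sys_bpf(BPF_MAP_CREATE, &attr, sizeof(attr));
}

int main(void)
{
	static char log[1 << 20];
	struct bpf_insn prog[12];
	union bpf_attr attr;
	int map_fd, prog_fd;

	map_fd = create_repro_map();
	if (map_fd < 0) {
		perror("BPF_MAP_CREATE (run as root, inside a throwaway VM)");
		return 1;
	}

	memset(&attr, 0, sizeof(attr));
	attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;	/* assumption, see lead-in */
	attr.insn_cnt = (uint32_t)build_repro_prog(prog, map_fd);
	attr.insns = (uint64_t)(uintptr_t)prog;
	attr.license = (uint64_t)(uintptr_t)"GPL";	/* assumption */
	attr.log_level = 2;	/* per-instruction register and stack state */
	attr.log_size = sizeof(log);
	attr.log_buf = (uint64_t)(uintptr_t)log;

	prog_fd = (int)sys_bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
	printf("BPF_PROG_LOAD: %s\n--- verifier log ---\n%s",
	       prog_fd < 0 ? strerror(errno) : "accepted", log);
	if (prog_fd >= 0)
		close(prog_fd);
	close(map_fd);
	return prog_fd < 0 ? 1 : 0;
}
```

Build with `gcc -O2 -o repro repro.c` and run as root; the verifier log arrives in `log` whether the load succeeds or fails, which is the piece the C reproducer from syzkaller does not give you. The same skeleton, with the insn array and map parameters swapped, is the quickest way to turn any syz repro into a test_progs-style case once the program has been decoded.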

Kaiming Huang

unread,
Mar 26, 2024, 5:09:11 PMMar 26
to Andrei Matei, alexei.st...@gmail.com, and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, ead...@qq.com, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, net...@vger.kernel.org, s...@google.com, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
Hi there,

I came across this bug using my static analysis tool as well and was glad to find this email thread.

My understanding is that the root cause of this bug has not been identified yet given the previous discussion in this thread.

This is the line of code that has the issue.

stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];

Based on my analysis result, it is the part "slot_type[slot % BPF_REG_SIZE]" that may result in a memory access with a negative index, which should not be allowed. spi (as well as min_off, max_off, and slot) is supposed to be negative based on my understanding of the workflow.

The slot_type is defined as below:

u8 slot_type[BPF_REG_SIZE];  //BPF_REG_SIZE is 8.

So the type of slot_type is u8[8].

However, given that slot can be negative, say -1, the result of slot % BPF_REG_SIZE is -1. This might sound counter-intuitive, as % always gives a positive result. But in C, the % operation keeps the sign of the dividend (and that's why I'm not sure whether the fix will catch this).

You can examine this by simply running this short piece of code. The result of the modulo operation is -1 on my end, and that is the reason that causes the OOB negative index, and this would be an off-by-one on the u8[8].

#include <stdio.h>
#define BPF_REG_SIZE 8
int main() {
    int i = -1;
    /* In C, % keeps the sign of the dividend: -1 % 8 is -1, not 7. */
    unsigned int j = i % BPF_REG_SIZE;
    /* Storing -1 in an unsigned int wraps it to 4294967295; printing that
     * with %d reinterprets the same bits and shows -1 again. */
    printf("%d\n", j);
    return 0;
}

A more severe scenario is when interpreting the j in the above example as unsigned int, aka integer overflow/wrap-around; in that case, the value of j will be 4,294,967,295. If it is the case, then it is a classic OOB access on the u8[8].

Hopefully my illustration makes sense, please let me know if you see any issues. Thanks.

Best regards,
Kaiming.


Kaiming Huang

unread,
Mar 26, 2024, 5:11:16 PMMar 26
to Andrei Matei, alexei.st...@gmail.com, and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, ead...@qq.com, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, net...@vger.kernel.org, s...@google.com, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
Hi there,

I came across this bug using my static analysis tool as well and was
glad to find this email thread.

My understanding is that the root cause of this bug has not been
identified yet given the previous discussion in this thread.

This is the line of code that has the issue.

stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];

Based on my analysis result, it is the part "slot_type[slot %
BPF_REG_SIZE]" that may result in a memory access with a negative index,
which should not be allowed. spi (as well as min_off, max_off, and
slot) is supposed to be negative based on my understanding of the
workflow. But the index of slot_type is not supposed to be negative.

The slot_type is defined as below:

u8 slot_type[BPF_REG_SIZE]; //BPF_REG_SIZE is 8

So the type of slot_type is u8[8].

However, given that "slot" can be negative, say -1, the result of slot %
BPF_REG_SIZE is -1. This might sound counter-intuitive, as % always
gives positive results. But in C, the % operation keeps the sign of
the dividend (and that's why I'm not sure whether the fix will catch
this).

You can examine this by simply running this short piece of code. The
result of the modulo operation is -1 on my end, and that is the reason
that causes the OOB negative index, and this would be an off-by-one on
the u8[8].

#include <stdio.h>
#define BPF_REG_SIZE 8
int main() {
    int i = -1;
    unsigned int j = i % BPF_REG_SIZE;
    printf("%d\n", j);
    return 0;
}

A more severe scenario is when interpreting the j in the above example
as unsigned int, aka integer overflow/wrap-around; in that case, the
value of j will be 4,294,967,295. If it is the case, then it is a
classic OOB access on the u8[8].

Hopefully my illustration makes sense, please let me know if you see

Kaiming Huang

unread,
Mar 26, 2024, 6:06:27 PMMar 26
to Andrei Matei, alexei.st...@gmail.com, and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, ead...@qq.com, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, net...@vger.kernel.org, s...@google.com, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev, Kaiming Huang
Hi there,

Please discard my previous email as I figured it may be beneficial to
rephrase some of the content in it for clarity.

I came across this bug using my static analysis tool as well and was
glad to find this email thread.

My understanding is that the root cause of this bug has not been
identified yet given the previous discussion in this thread.

This is the line of code that has the issue.

stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];

Based on my analysis result, it is the part "slot_type[slot %
BPF_REG_SIZE]" that may result in a memory access with a negative index,
which should not be allowed. min_off and max_off are supposed to be
negative based on my understanding of the workflow. But spi, slot, and
the index of slot_type are not supposed to be negative.

The slot_type is defined as below:

u8 slot_type[BPF_REG_SIZE]; //BPF_REG_SIZE is 8

So the type of slot_type is u8[8].

However, the bug may alter "slot" to be negative, say -1. Then this
would cause the result of slot % BPF_REG_SIZE to be -1. This might
sound counter-intuitive, as % always gives positive results. But in C,
the % operation keeps the sign of the dividend. The applied check
checks whether access_size is negative; I'm not sure whether the fix
will catch this sufficiently. Could the fix potentially be applied
directly to "slot" to ensure it is positive?

You can examine this by simply running this short piece of code. The
result of the modulo operation is -1 on my end, and that is the reason
that causes the OOB negative index -1, which was reported by syzkaller.

#include <stdio.h>
#define BPF_REG_SIZE 8
int main() {
    int i = -1;
    /* In C, % keeps the sign of the dividend: -1 % 8 is -1, not 7. */
    unsigned int j = i % BPF_REG_SIZE;
    /* Storing -1 in an unsigned int wraps it to 4294967295; printing that
     * with %d reinterprets the same bits and shows -1 again. */
    printf("%d\n", j);
    return 0;
}

A more severe scenario, if possible, is when interpreting the j in the
above example as unsigned int, aka integer overflow/wrap-around; in that
case, the value of j will be 4,294,967,295. If this is the case, then it
is a classic OOB access on the u8[8]. I don't know whether this part is
feasible.

Hopefully, my illustration makes sense, please let me know if you see
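The arithmetic behind the three messages above and behind Andrei's decoded program, worked through in a stand-alone model. This is an added example of mine, not code from the thread or from the kernel tree. Using the values the thread established (a constant stack access of [-8, -8] and a bloom filter value_size of 2147483649 that reaches the loop as an `int access_size`), it shows what the u32 becomes once narrowed to int, what the loop bound `max_off + access_size` wraps to, the negative slot/spi/slot_type index that C's sign-preserving % then produces at byte offset 0, and a guard built from an explicit `access_size < 0` rejection plus `__builtin_add_overflow` (the compiler primitive the kernel's check_add_overflow() wraps). The `stack_range_end_ok` function is an illustrative hardening, not the upstream fix Andrei links.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BPF_REG_SIZE 8

/* Values from the thread: the program writes 8 bytes at fp-8 and passes fp-8
 * as the map value pointer, so the constant stack access is [-8, -8]; the
 * bloom filter's value_size is the u32 2147483649, which reaches
 * check_stack_range_initialized through an `int access_size` parameter. */
#define REPRO_MIN_OFF    (-8)
#define REPRO_MAX_OFF    (-8)
#define REPRO_VALUE_SIZE 2147483649u

/* Reinterpret a u32 as a two's-complement int without relying on the
 * implementation-defined conversion: 2147483649 -> -2147483647. */
int narrowed_access_size(uint32_t value_size)
{
	if (value_size > (uint32_t)INT_MAX)
		return -(int)(UINT32_MAX - value_size) - 1;
	return (int)value_size;
}

/* The loop bound `max_off + access_size` as 32-bit wrapping arithmetic yields
 * it. The exact sum is formed in 64 bits (so this model has no undefined
 * behaviour of its own); *overflowed reports whether it left the int range. */
int wrapped_loop_end(int max_off, int access_size, bool *overflowed)
{
	int64_t exact = (int64_t)max_off + access_size;

	*overflowed = exact < INT_MIN || exact > INT_MAX;
	return narrowed_access_size((uint32_t)(uint64_t)exact);
}

/* Per-byte index math of the loop in check_stack_range_initialized: byte i
 * (negative = below the frame pointer) lives in slot = -i - 1, in stack entry
 * spi = slot / BPF_REG_SIZE, at byte slot % BPF_REG_SIZE of that entry's
 * slot_type[]. C's % keeps the sign of the dividend, so i = 0 gives index -1. */
int slot_of(int i)         { return -i - 1; }
int spi_of(int i)          { return slot_of(i) / BPF_REG_SIZE; }
int slot_type_index(int i) { return slot_of(i) % BPF_REG_SIZE; }

/* Walk the loop with the wrapped bound, as the affected kernel would, and
 * return the first byte offset whose indices go negative (INT_MAX if none).
 * `limit` caps the walk so the model terminates on a bound in the billions. */
int first_bad_offset(int min_off, int max_off, int access_size, int limit)
{
	bool overflowed;
	int end = wrapped_loop_end(max_off, access_size, &overflowed);

	for (int i = min_off; i < end && i < limit; i++)
		if (slot_type_index(i) < 0 || spi_of(i) < 0)
			return i;
	return INT_MAX;
}

/* Illustrative guard (not the upstream fix): a negative size is never a valid
 * stack access, the bound must be formed with overflow detection, and a valid
 * range ends at or below the frame pointer (end <= 0). */
bool stack_range_end_ok(int min_off, int max_off, int access_size, int *end)
{
	if (access_size < 0 || min_off > max_off)
		return false;
	if (__builtin_add_overflow(max_off, access_size, end))
		return false;
	return *end <= 0;
}

int main(void)
{
	int size = narrowed_access_size(REPRO_VALUE_SIZE);
	bool overflowed;
	int end = wrapped_loop_end(REPRO_MAX_OFF, size, &overflowed);
	int bad = first_bad_offset(REPRO_MIN_OFF, REPRO_MAX_OFF, size, 4096);
	int safe_end;

	printf("access_size as int: %d\n", size);
	printf("max_off + access_size wraps to %d (overflowed=%d)\n", end, overflowed);
	printf("first offset with a negative index: i=%d -> slot %d, spi %d, slot_type[%d]\n",
	       bad, slot_of(bad), spi_of(bad), slot_type_index(bad));
	printf("guarded bound check: %s\n",
	       stack_range_end_ok(REPRO_MIN_OFF, REPRO_MAX_OFF, size, &safe_end)
	       ? "accept" : "reject");
	return 0;
}
```

On the question of forcing `slot` itself to be non-negative: masking the index (`slot & (BPF_REG_SIZE - 1)`) or taking its absolute value would put the slot_type index back in 0..7, but the loop would still be walking bytes above the frame under a bound that wrapped, so it would read and mark the wrong slots without any report. The place to reject is the size and bound computation, before the loop runs, which is what the guard above does.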