[syzbot] [bpf?] UBSAN: array-index-out-of-bounds in bpf_mprog_detach
6 views
Skip to first unread message
syzbot
Jul 29, 2023, 8:48:52 PM7/29/23
to and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, net...@vger.kernel.org, s...@google.com, so...@kernel.org, syzkall...@googlegroups.com, y...@fb.com
Hello,
syzbot found the following issue on:
HEAD commit: ec87f05402f5 octeontx2-af: Install TC filter rules in hard..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12a76df1a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=8acaeb93ad7c6aaa
dashboard link: https://syzkaller.appspot.com/bug?extid=0c06ba0f831fe07a8f27
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0fc53904fc08/disk-ec87f054.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/aee64718ea5c/vmlinux-ec87f054.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d3b6d3f4cfbc/bzImage-ec87f054.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0c06ba...@syzkaller.appspotmail.com
================================================================================
UBSAN: array-index-out-of-bounds in ./include/linux/bpf_mprog.h:292:24
index 4294967295 is out of range for type 'bpf_mprog_fp [64]'
CPU: 1 PID: 13232 Comm: syz-executor.1 Not tainted 6.5.0-rc2-syzkaller-00573-gec87f05402f5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
bpf_mprog_read include/linux/bpf_mprog.h:292 [inline]
bpf_mprog_fetch kernel/bpf/mprog.c:307 [inline]
bpf_mprog_detach+0xcd7/0xd50 kernel/bpf/mprog.c:381
tcx_prog_detach+0x258/0x950 kernel/bpf/tcx.c:78
bpf_prog_detach kernel/bpf/syscall.c:3877 [inline]
__sys_bpf+0x36ee/0x4ec0 kernel/bpf/syscall.c:5357
__do_sys_bpf kernel/bpf/syscall.c:5449 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5447 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5447
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f443e27cb29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f443cdfe0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f443e39bf80 RCX: 00007f443e27cb29
RDX: 0000000000000020 RSI: 0000000020000340 RDI: 0000000000000009
RBP: 00007f443e2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f443e39bf80 R15: 00007ffdb0833788
</TASK>
================================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: ec87f05402f5 octeontx2-af: Install TC filter rules in hard..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12a76df1a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=8acaeb93ad7c6aaa
dashboard link: https://syzkaller.appspot.com/bug?extid=0c06ba0f831fe07a8f27
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0fc53904fc08/disk-ec87f054.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/aee64718ea5c/vmlinux-ec87f054.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d3b6d3f4cfbc/bzImage-ec87f054.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0c06ba...@syzkaller.appspotmail.com
================================================================================
UBSAN: array-index-out-of-bounds in ./include/linux/bpf_mprog.h:292:24
index 4294967295 is out of range for type 'bpf_mprog_fp [64]'
CPU: 1 PID: 13232 Comm: syz-executor.1 Not tainted 6.5.0-rc2-syzkaller-00573-gec87f05402f5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
bpf_mprog_read include/linux/bpf_mprog.h:292 [inline]
bpf_mprog_fetch kernel/bpf/mprog.c:307 [inline]
bpf_mprog_detach+0xcd7/0xd50 kernel/bpf/mprog.c:381
tcx_prog_detach+0x258/0x950 kernel/bpf/tcx.c:78
bpf_prog_detach kernel/bpf/syscall.c:3877 [inline]
__sys_bpf+0x36ee/0x4ec0 kernel/bpf/syscall.c:5357
__do_sys_bpf kernel/bpf/syscall.c:5449 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5447 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5447
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f443e27cb29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f443cdfe0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f443e39bf80 RCX: 00007f443e27cb29
RDX: 0000000000000020 RSI: 0000000020000340 RDI: 0000000000000009
RBP: 00007f443e2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f443e39bf80 R15: 00007ffdb0833788
</TASK>
================================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Martin KaFai Lau
Aug 3, 2023, 7:40:02 PM8/3/23
to syzbot, syzkall...@googlegroups.com, b...@vger.kernel.org, and...@kernel.org, a...@kernel.org, dan...@iogearbox.net, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, s...@google.com, so...@kernel.org, y...@fb.com
Daniel Borkmann
Aug 4, 2023, 9:15:21 AM8/4/23
to Martin KaFai Lau, syzbot, syzkall...@googlegroups.com, b...@vger.kernel.org, and...@kernel.org, a...@kernel.org, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, s...@google.com, so...@kernel.org, y...@fb.com
https://lore.kernel.org/bpf/20230804131112...@iogearbox.net/
Thanks,
Daniel
Reply all
Reply to author
Forward
0 new messages