[syzbot] [bpf?] KASAN: stack-out-of-bounds Read in hash
16 views
Skip to first unread message
syzbot
Apr 6, 2024, 9:44:35 AMApr 6
to and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, net...@vger.kernel.org, s...@google.com, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
Hello,
syzbot found the following issue on:
HEAD commit: 443574b03387 riscv, bpf: Fix kfunc parameters incompatibil..
git tree: bpf
console+strace: https://syzkaller.appspot.com/x/log.txt?x=148ad855180000
kernel config: https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=9459b5d7fab774cf182f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d86795180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143eff76180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3f355021a085/disk-443574b0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/44cf4de7472a/vmlinux-443574b0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a99a36c7ad65/bzImage-443574b0.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9459b5...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:128 [inline]
BUG: KASAN: stack-out-of-bounds in hash+0x1bf/0x410 kernel/bpf/bloom_filter.c:29
Read of size 4 at addr ffffc900039f7c00 by task syz-executor297/5079
CPU: 0 PID: 5079 Comm: syz-executor297 Not tainted 6.8.0-syzkaller-05236-g443574b03387 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
jhash2 include/linux/jhash.h:128 [inline]
hash+0x1bf/0x410 kernel/bpf/bloom_filter.c:29
bloom_map_peek_elem+0xb2/0x1b0 kernel/bpf/bloom_filter.c:43
bpf_prog_00798911c748094f+0x42/0x46
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
__bpf_prog_run include/linux/filter.h:657 [inline]
bpf_prog_run include/linux/filter.h:664 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
bpf_trace_run2+0x204/0x420 kernel/trace/bpf_trace.c:2420
__traceiter_ext4_drop_inode+0x76/0xd0 include/trace/events/ext4.h:265
trace_ext4_drop_inode include/trace/events/ext4.h:265 [inline]
ext4_drop_inode+0x20a/0x270 fs/ext4/super.c:1450
iput_final fs/inode.c:1711 [inline]
iput+0x45e/0x900 fs/inode.c:1767
d_delete_notify include/linux/fsnotify.h:301 [inline]
vfs_rmdir+0x38f/0x4c0 fs/namei.c:4220
do_rmdir+0x3b5/0x580 fs/namei.c:4266
__do_sys_rmdir fs/namei.c:4285 [inline]
__se_sys_rmdir fs/namei.c:4283 [inline]
__x64_sys_rmdir+0x49/0x60 fs/namei.c:4283
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fd25730cfb7
Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff78ca7198 EFLAGS: 00000207
ORIG_RAX: 0000000000000054
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd25730cfb7
RDX: fffffffffffff000 RSI: 0000000000000000 RDI: 00007fff78ca82c0
RBP: 0000000000000065 R08: 0000555571b9a73b R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000207 R12: 00007fff78ca82c0
R13: 0000555571b9a6c0 R14: 00007fff78ca82c0 R15: 0000000000000001
</TASK>
The buggy address belongs to stack of task syz-executor297/5079
and is located at offset 0 in frame:
bpf_trace_run2+0x0/0x420
This frame has 1 object:
[32, 48) 'args'
The buggy address belongs to the virtual mapping at
[ffffc900039f0000, ffffc900039f9000) created by:
copy_process+0x5d1/0x3df0 kernel/fork.c:2219
The buggy address belongs to the physical page:
page:ffffea00007f36c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1fcdb
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5077, tgid 5077 (syz-executor297), ts 73887639293, free_ts 73091924927
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533
prep_new_page mm/page_alloc.c:1540 [inline]
get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311
__alloc_pages+0x256/0x680 mm/page_alloc.c:4569
alloc_pages_mpol+0x3de/0x650 mm/mempolicy.c:2133
vm_area_alloc_pages mm/vmalloc.c:3135 [inline]
__vmalloc_area_node mm/vmalloc.c:3211 [inline]
__vmalloc_node_range+0x9a4/0x14a0 mm/vmalloc.c:3392
alloc_thread_stack_node kernel/fork.c:309 [inline]
dup_task_struct+0x3e9/0x7d0 kernel/fork.c:1114
copy_process+0x5d1/0x3df0 kernel/fork.c:2219
kernel_clone+0x21e/0x8d0 kernel/fork.c:2796
__do_sys_clone kernel/fork.c:2939 [inline]
__se_sys_clone kernel/fork.c:2923 [inline]
__x64_sys_clone+0x258/0x2a0 kernel/fork.c:2923
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
page last free pid 5072 tgid 5072 stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x968/0xa90 mm/page_alloc.c:2346
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2486
mm_free_pgd kernel/fork.c:803 [inline]
__mmdrop+0xb9/0x3d0 kernel/fork.c:919
exec_mmap+0x69d/0x730 fs/exec.c:1051
begin_new_exec+0x119b/0x1ce0 fs/exec.c:1309
load_elf_binary+0x961/0x2590 fs/binfmt_elf.c:996
search_binary_handler fs/exec.c:1777 [inline]
exec_binprm fs/exec.c:1819 [inline]
bprm_execve+0xaf8/0x1790 fs/exec.c:1871
do_execveat_common+0x553/0x700 fs/exec.c:1978
do_execve fs/exec.c:2052 [inline]
__do_sys_execve fs/exec.c:2128 [inline]
__se_sys_execve fs/exec.c:2123 [inline]
__x64_sys_execve+0x92/0xb0 fs/exec.c:2123
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Memory state around the buggy address:
ffffc900039f7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900039f7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900039f7c00: f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00 00 00 00
^
ffffc900039f7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900039f7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 443574b03387 riscv, bpf: Fix kfunc parameters incompatibil..
git tree: bpf
console+strace: https://syzkaller.appspot.com/x/log.txt?x=148ad855180000
kernel config: https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=9459b5d7fab774cf182f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d86795180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143eff76180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3f355021a085/disk-443574b0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/44cf4de7472a/vmlinux-443574b0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a99a36c7ad65/bzImage-443574b0.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9459b5...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:128 [inline]
BUG: KASAN: stack-out-of-bounds in hash+0x1bf/0x410 kernel/bpf/bloom_filter.c:29
Read of size 4 at addr ffffc900039f7c00 by task syz-executor297/5079
CPU: 0 PID: 5079 Comm: syz-executor297 Not tainted 6.8.0-syzkaller-05236-g443574b03387 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
jhash2 include/linux/jhash.h:128 [inline]
hash+0x1bf/0x410 kernel/bpf/bloom_filter.c:29
bloom_map_peek_elem+0xb2/0x1b0 kernel/bpf/bloom_filter.c:43
bpf_prog_00798911c748094f+0x42/0x46
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
__bpf_prog_run include/linux/filter.h:657 [inline]
bpf_prog_run include/linux/filter.h:664 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
bpf_trace_run2+0x204/0x420 kernel/trace/bpf_trace.c:2420
__traceiter_ext4_drop_inode+0x76/0xd0 include/trace/events/ext4.h:265
trace_ext4_drop_inode include/trace/events/ext4.h:265 [inline]
ext4_drop_inode+0x20a/0x270 fs/ext4/super.c:1450
iput_final fs/inode.c:1711 [inline]
iput+0x45e/0x900 fs/inode.c:1767
d_delete_notify include/linux/fsnotify.h:301 [inline]
vfs_rmdir+0x38f/0x4c0 fs/namei.c:4220
do_rmdir+0x3b5/0x580 fs/namei.c:4266
__do_sys_rmdir fs/namei.c:4285 [inline]
__se_sys_rmdir fs/namei.c:4283 [inline]
__x64_sys_rmdir+0x49/0x60 fs/namei.c:4283
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fd25730cfb7
Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff78ca7198 EFLAGS: 00000207
ORIG_RAX: 0000000000000054
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd25730cfb7
RDX: fffffffffffff000 RSI: 0000000000000000 RDI: 00007fff78ca82c0
RBP: 0000000000000065 R08: 0000555571b9a73b R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000207 R12: 00007fff78ca82c0
R13: 0000555571b9a6c0 R14: 00007fff78ca82c0 R15: 0000000000000001
</TASK>
The buggy address belongs to stack of task syz-executor297/5079
and is located at offset 0 in frame:
bpf_trace_run2+0x0/0x420
This frame has 1 object:
[32, 48) 'args'
The buggy address belongs to the virtual mapping at
[ffffc900039f0000, ffffc900039f9000) created by:
copy_process+0x5d1/0x3df0 kernel/fork.c:2219
The buggy address belongs to the physical page:
page:ffffea00007f36c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1fcdb
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5077, tgid 5077 (syz-executor297), ts 73887639293, free_ts 73091924927
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533
prep_new_page mm/page_alloc.c:1540 [inline]
get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311
__alloc_pages+0x256/0x680 mm/page_alloc.c:4569
alloc_pages_mpol+0x3de/0x650 mm/mempolicy.c:2133
vm_area_alloc_pages mm/vmalloc.c:3135 [inline]
__vmalloc_area_node mm/vmalloc.c:3211 [inline]
__vmalloc_node_range+0x9a4/0x14a0 mm/vmalloc.c:3392
alloc_thread_stack_node kernel/fork.c:309 [inline]
dup_task_struct+0x3e9/0x7d0 kernel/fork.c:1114
copy_process+0x5d1/0x3df0 kernel/fork.c:2219
kernel_clone+0x21e/0x8d0 kernel/fork.c:2796
__do_sys_clone kernel/fork.c:2939 [inline]
__se_sys_clone kernel/fork.c:2923 [inline]
__x64_sys_clone+0x258/0x2a0 kernel/fork.c:2923
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
page last free pid 5072 tgid 5072 stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x968/0xa90 mm/page_alloc.c:2346
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2486
mm_free_pgd kernel/fork.c:803 [inline]
__mmdrop+0xb9/0x3d0 kernel/fork.c:919
exec_mmap+0x69d/0x730 fs/exec.c:1051
begin_new_exec+0x119b/0x1ce0 fs/exec.c:1309
load_elf_binary+0x961/0x2590 fs/binfmt_elf.c:996
search_binary_handler fs/exec.c:1777 [inline]
exec_binprm fs/exec.c:1819 [inline]
bprm_execve+0xaf8/0x1790 fs/exec.c:1871
do_execveat_common+0x553/0x700 fs/exec.c:1978
do_execve fs/exec.c:2052 [inline]
__do_sys_execve fs/exec.c:2128 [inline]
__se_sys_execve fs/exec.c:2123 [inline]
__x64_sys_execve+0x92/0xb0 fs/exec.c:2123
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Memory state around the buggy address:
ffffc900039f7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900039f7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900039f7c00: f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00 00 00 00
^
ffffc900039f7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900039f7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Hou Tao
Apr 7, 2024, 5:09:37 AMApr 7
to syzbot, b...@vger.kernel.org, syzkall...@googlegroups.com, net...@vger.kernel.org, and...@kernel.org, a...@kernel.org, dan...@iogearbox.net, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, kps...@kernel.org, jo...@kernel.org, marti...@linux.dev, s...@google.com, so...@kernel.org, yongho...@linux.dev, linux-...@vger.kernel.org
Hi,
On 4/6/2024 9:44 PM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 443574b03387 riscv, bpf: Fix kfunc parameters incompatibil..
> git tree: bpf
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=148ad855180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
> dashboard link: https://syzkaller.appspot.com/bug?extid=9459b5d7fab774cf182f
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d86795180000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143eff76180000
According to the reproducer, it passes a big value_size (0xfffffe00)
when creating bloom filter map. The big value_size bypasses the check in
check_stack_access_within_bounds(). I think a proper fix needs to add
these following two checks:
(1) in check_stack_access_within_bounds() add check for negative
access_size
(2) in bloom_map_alloc() limit the max value of bloom_map_alloc().
Will post a patch to fix the syzbot report. Will also check whether or
not there are similar problems for other bpf maps.
On 4/6/2024 9:44 PM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 443574b03387 riscv, bpf: Fix kfunc parameters incompatibil..
> git tree: bpf
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=148ad855180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
> dashboard link: https://syzkaller.appspot.com/bug?extid=9459b5d7fab774cf182f
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d86795180000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143eff76180000
when creating bloom filter map. The big value_size bypasses the check in
check_stack_access_within_bounds(). I think a proper fix needs to add
these following two checks:
(1) in check_stack_access_within_bounds() add check for negative
access_size
(2) in bloom_map_alloc() limit the max value of bloom_map_alloc().
Will post a patch to fix the syzbot report. Will also check whether or
not there are similar problems for other bpf maps.
Alexei Starovoitov
Apr 7, 2024, 10:24:40 AMApr 7
to Hou Tao, syzbot, bpf, syzkaller-bugs, Network Development, Andrii Nakryiko, Alexei Starovoitov, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, KP Singh, Jiri Olsa, Martin KaFai Lau, Stanislav Fomichev, Song Liu, Yonghong Song, LKML
Hou Tao
Apr 7, 2024, 9:11:57 PMApr 7
to Alexei Starovoitov, syzbot, bpf, syzkaller-bugs, Network Development, Andrii Nakryiko, Alexei Starovoitov, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, KP Singh, Jiri Olsa, Martin KaFai Lau, Stanislav Fomichev, Song Liu, Yonghong Song, LKML
Hi,
Yes. Totally missed the patch set. The patch set will fix the syzbot
reported problem.
reported problem.
Reply all
Reply to author
Forward
0 new messages