lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 2 Jan 2018 22:22:16 -0800
From:   Alexei Starovoitov <alexei.starovoitov@...il.com>
To:     syzbot <syzbot+32ac5a3e473f2e01cfc7@...kaller.appspotmail.com>
Cc:     ast@...nel.org, daniel@...earbox.net, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: general protection fault in copy_verifier_state

On Tue, Jan 02, 2018 at 02:58:01PM -0800, syzbot wrote:
> Hello,
> 
> syzkaller hit the following crash on
> 6bb8824732f69de0f233ae6b1a8158e149627b38
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
> 
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+32ac5a3e473f2e01cfc7@...kaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
> 
> R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
> R13: 656c6c616b7a7973 R14: 000000000000000e R15: 0000000000000000
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Modules linked in:
> CPU: 1 PID: 3197 Comm: syzkaller425062 Not tainted 4.15.0-rc5+ #170
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:copy_func_state kernel/bpf/verifier.c:403 [inline]
> RIP: 0010:copy_verifier_state+0x364/0x590 kernel/bpf/verifier.c:431
> RSP: 0018:ffff8801c7fff130 EFLAGS: 00010203
> RAX: 0000000000000070 RBX: dffffc0000000000 RCX: 0000000000000384
> RDX: 0000000000000000 RSI: ffff8801c938d800 RDI: ffff8801c938d800
> RBP: ffff8801c7fff188 R08: ffff8801c938d700 R09: ffff8801c938d700
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801c8066940
> R13: ffff8801c938d700 R14: 0000000000000000 R15: ffff8801c938d800
> FS:  0000000001581880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020a97000 CR3: 00000001c839a001 CR4: 00000000001606e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  pop_stack+0x8c/0x270 kernel/bpf/verifier.c:449
>  push_stack kernel/bpf/verifier.c:491 [inline]
>  check_cond_jmp_op kernel/bpf/verifier.c:3598 [inline]
>  do_check+0x4b60/0xa050 kernel/bpf/verifier.c:4731
>  bpf_check+0x3296/0x58c0 kernel/bpf/verifier.c:5489
>  bpf_prog_load+0xa2a/0x1b00 kernel/bpf/syscall.c:1198
>  SYSC_bpf kernel/bpf/syscall.c:1807 [inline]
>  SyS_bpf+0x1044/0x4420 kernel/bpf/syscall.c:1769
>  entry_SYSCALL_64_fastpath+0x1f/0x96
> RIP: 0033:0x4404f9
> RSP: 002b:00007fff03dc4a48 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
> RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004404f9
> RDX: 0000000000000048 RSI: 0000000020903000 RDI: 0000000000000005
> RBP: 000000000000000f R08: 0000000000000002 R09: 0000000000003332
> R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
> R13: 656c6c616b7a7973 R14: 000000000000000e R15: 0000000000000000
> Code: 4b 8d 3c f7 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 05 02 00 00 4f 8b
> 34 f7 49 8d 8e 84 03 00 00 48 89 c8 48 89 4d c8 48 c1 e8 03 <0f> b6 14 18 48
> 89 c8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
> RIP: copy_func_state kernel/bpf/verifier.c:403 [inline] RSP:
> ffff8801c7fff130
> RIP: copy_verifier_state+0x364/0x590 kernel/bpf/verifier.c:431 RSP:
> ffff8801c7fff130
> ---[ end trace 18f3ab976ca58c6c ]---

thanks for the report.
Looks like it needs this fix:
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 98d8637cf70d..0876d4402dc3 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -375,6 +375,8 @@ static int realloc_func_state(struct bpf_func_state *state, int size,

 static void free_func_state(struct bpf_func_state *state)
 {
+       if (!state)
+               return;
        kfree(state->stack);
        kfree(state);
 }
@@ -487,6 +489,8 @@ static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
        }
        return &elem->st;
 err:
+       free_verifier_state(env->cur_state, true);
+       env->cur_state = NULL;
        /* pop all elements and return */
        while (!pop_stack(env, NULL, NULL));
        return NULL;

will submit it properly after few more tests.

Powered by blists - more mailing lists