lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ca78b1b1-e6e3-9a98-7919-a68389933829@i-love.sakura.ne.jp>
Date:   Sun, 27 Jun 2021 00:17:20 +0900
From:   Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
To:     Steven Rostedt <rostedt@...dmis.org>
Cc:     Peter Zijlstra <peterz@...radead.org>,
        Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
        Ingo Molnar <mingo@...nel.org>,
        Robert Richter <rric@...nel.org>,
        Gabriel Krisman Bertazi <krisman@...labora.com>,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        linux-kernel@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Andrii Nakryiko <andrii@...nel.org>,
        netdev <netdev@...r.kernel.org>, bpf@...r.kernel.org
Subject: Re: [PATCH] tracepoint: Do not warn on EEXIST or ENOENT

On 2021/06/27 0:13, Tetsuo Handa wrote:
> On 2021/06/26 23:18, Steven Rostedt wrote:
>> On Sat, 26 Jun 2021 22:58:45 +0900
>> Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp> wrote:
>>
>>> syzbot is hitting WARN_ON_ONCE() at tracepoint_add_func() [1], but
>>> func_add() returning -EEXIST and func_remove() returning -ENOENT are
>>> not kernel bugs that can justify crashing the system.
>>
>> There should be no path that registers a tracepoint twice. That's a bug
>> in the kernel. Looking at the link below, I see the backtrace:
>>
>> Call Trace:
>>  tracepoint_probe_register_prio kernel/tracepoint.c:369 [inline]
>>  tracepoint_probe_register+0x9c/0xe0 kernel/tracepoint.c:389
>>  __bpf_probe_register kernel/trace/bpf_trace.c:2154 [inline]
>>  bpf_probe_register+0x15a/0x1c0 kernel/trace/bpf_trace.c:2159
>>  bpf_raw_tracepoint_open+0x34a/0x720 kernel/bpf/syscall.c:2878
>>  __do_sys_bpf+0x2586/0x4f40 kernel/bpf/syscall.c:4435
>>  do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
>>
>> So BPF is allowing the user to register the same tracepoint more than
>> once? That looks to be a bug in the BPF code where it shouldn't be
>> allowing user space to register the same tracepoint multiple times.
> 
> I didn't catch your question.
> 
>   (1) func_add() can reject an attempt to add same tracepoint multiple times
>       by returning -EINVAL to the caller.

Sorry, s/EINVAL/EEXIST/g on (1) (2) (6).

>   (2) But tracepoint_add_func() (the caller of func_add()) is calling WARN_ON_ONCE()
>       if func_add() returned -EINVAL.
>   (3) And tracepoint_add_func() is triggerable via request from userspace.
>   (4) tracepoint_probe_register_prio() serializes tracepoint_add_func() call
>       triggered by concurrent request from userspace using tracepoints_mutex mutex.
>   (5) But tracepoint_add_func() does not check whether same tracepoint multiple
>       is already registered before calling func_add().
>   (6) As a result, tracepoint_add_func() receives -EINVAL from func_add(), and
>       calls WARN_ON_ONCE() and the system crashes due to panic_on_warn == 1.
> 
> Why this is a bug in the BPF code? The BPF code is not allowing userspace to
> register the same tracepoint multiple times. I think that tracepoint_add_func()
> is stupid enough to crash the kernel instead of rejecting when an attempt to
> register the same tracepoint multiple times is made.
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ