lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 9 Jun 2023 15:40:19 -0700
From:   Yonghong Song <yhs@...a.com>
To:     Krister Johansen <kjlx@...pleofstupid.com>, bpf@...r.kernel.org
Cc:     Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Andrii Nakryiko <andrii@...nel.org>,
        Martin KaFai Lau <martin.lau@...ux.dev>,
        Song Liu <song@...nel.org>, Yonghong Song <yhs@...com>,
        John Fastabend <john.fastabend@...il.com>,
        KP Singh <kpsingh@...nel.org>,
        Stanislav Fomichev <sdf@...gle.com>,
        Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>,
        Mykola Lysenko <mykolal@...com>, Shuah Khan <shuah@...nel.org>,
        linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH bpf v4 2/2] selftests/bpf: add a test for subprogram
 extables



On 6/9/23 2:40 PM, Krister Johansen wrote:
> In certain situations a program with subprograms may have a NULL
> extable entry.  This should not happen, and when it does, it turns a
> single trap into multiple.  Add a test case for further debugging and to
> prevent regressions.
> 
> The test-case contains three essentially identical versions of the same
> test because just one program may not be sufficient to trigger the oops.
> This is due to the fact that the items are stored in a binary tree and
> have identical values so it's possible to sometimes find the ksym with
> the extable.  With 3 copies, this has been reliable on this author's
> test systems.
> 
> When triggered out of this test case, the oops looks like this:
> 
>     BUG: kernel NULL pointer dereference, address: 000000000000000c
>     #PF: supervisor read access in kernel mode
>     #PF: error_code(0x0000) - not-present page
>     PGD 0 P4D 0
>     Oops: 0000 [#1] PREEMPT SMP NOPTI
>     CPU: 0 PID: 1132 Comm: test_progs Tainted: G           OE      6.4.0-rc3+ #2
>     RIP: 0010:cmp_ex_search+0xb/0x30
>     Code: cc cc cc cc e8 36 cb 03 00 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 48 8b 07 <48> 63 0e 48 01 f1 31 d2 48 39 c8 19 d2 48 39 c8 b8 01 00 00 00 0f
>     RSP: 0018:ffffb30c4291f998 EFLAGS: 00010006
>     RAX: ffffffffc00b49da RBX: 0000000000000002 RCX: 000000000000000c
>     RDX: 0000000000000002 RSI: 000000000000000c RDI: ffffb30c4291f9e8
>     RBP: ffffb30c4291f998 R08: ffffffffab1a42d0 R09: 0000000000000001
>     R10: 0000000000000000 R11: ffffffffab1a42d0 R12: ffffb30c4291f9e8
>     R13: 000000000000000c R14: 000000000000000c R15: 0000000000000000
>     FS:  00007fb5d9e044c0(0000) GS:ffff92e95ee00000(0000) knlGS:0000000000000000
>     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>     CR2: 000000000000000c CR3: 000000010c3a2005 CR4: 00000000007706f0
>     DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>     DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>     PKRU: 55555554
>     Call Trace:
>      <TASK>
>      bsearch+0x41/0x90
>      ? __pfx_cmp_ex_search+0x10/0x10
>      ? bpf_prog_45a7907e7114d0ff_handle_fexit_ret_subprogs3+0x2a/0x6c
>      search_extable+0x3b/0x60
>      ? bpf_prog_45a7907e7114d0ff_handle_fexit_ret_subprogs3+0x2a/0x6c
>      search_bpf_extables+0x10d/0x190
>      ? bpf_prog_45a7907e7114d0ff_handle_fexit_ret_subprogs3+0x2a/0x6c
>      search_exception_tables+0x5d/0x70
>      fixup_exception+0x3f/0x5b0
>      ? look_up_lock_class+0x61/0x110
>      ? __lock_acquire+0x6b8/0x3560
>      ? __lock_acquire+0x6b8/0x3560
>      ? __lock_acquire+0x6b8/0x3560
>      kernelmode_fixup_or_oops+0x46/0x110
>      __bad_area_nosemaphore+0x68/0x2b0
>      ? __lock_acquire+0x6b8/0x3560
>      bad_area_nosemaphore+0x16/0x20
>      do_kern_addr_fault+0x81/0xa0
>      exc_page_fault+0xd6/0x210
>      asm_exc_page_fault+0x2b/0x30
>     RIP: 0010:bpf_prog_45a7907e7114d0ff_handle_fexit_ret_subprogs3+0x2a/0x6c
>     Code: f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 7f 08 49 bb 00 00 00 00 00 80 00 00 4c 39 df 73 04 31 f6 eb 04 <48> 8b 77 00 49 bb 00 00 00 00 00 80 00 00 48 81 c7 7c 00 00 00 4c
>     RSP: 0018:ffffb30c4291fcb8 EFLAGS: 00010282
>     RAX: 0000000000000001 RBX: 0000000000000001 RCX: 0000000000000000
>     RDX: 00000000cddf1af1 RSI: 000000005315a00d RDI: ffffffffffffffea
>     RBP: ffffb30c4291fcb8 R08: ffff92e644bf38a8 R09: 0000000000000000
>     R10: 0000000000000000 R11: 0000800000000000 R12: ffff92e663652690
>     R13: 00000000000001c8 R14: 00000000000001c8 R15: 0000000000000003
>      bpf_trampoline_251255721842_2+0x63/0x1000
>      bpf_testmod_return_ptr+0x9/0xb0 [bpf_testmod]
>      ? bpf_testmod_test_read+0x43/0x2d0 [bpf_testmod]
>      sysfs_kf_bin_read+0x60/0x90
>      kernfs_fop_read_iter+0x143/0x250
>      vfs_read+0x240/0x2a0
>      ksys_read+0x70/0xe0
>      __x64_sys_read+0x1f/0x30
>      do_syscall_64+0x68/0xa0
>      ? syscall_exit_to_user_mode+0x77/0x1f0
>      ? do_syscall_64+0x77/0xa0
>      ? irqentry_exit+0x35/0xa0
>      ? sysvec_apic_timer_interrupt+0x4d/0x90
>      entry_SYSCALL_64_after_hwframe+0x72/0xdc
>     RIP: 0033:0x7fb5da00a392
>     Code: ac 00 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb be 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
>     RSP: 002b:00007ffc5b3cab68 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
>     RAX: ffffffffffffffda RBX: 000055bee7b8b100 RCX: 00007fb5da00a392
>     RDX: 00000000000001c8 RSI: 0000000000000000 RDI: 0000000000000009
>     RBP: 00007ffc5b3caba0 R08: 0000000000000000 R09: 0000000000000037
>     R10: 000055bee7b8c2a7 R11: 0000000000000246 R12: 000055bee78f1f60
>     R13: 00007ffc5b3cae90 R14: 0000000000000000 R15: 0000000000000000
>      </TASK>
>     Modules linked in: bpf_testmod(OE) nls_iso8859_1 dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua intel_rapl_msr intel_rapl_common intel_uncore_frequency_common ppdev nfit crct10dif_pclmul crc32_pclmul psmouse ghash_clmulni_intel sha512_ssse3 aesni_intel parport_pc crypto_simd cryptd input_leds parport rapl ena i2c_piix4 mac_hid serio_raw ramoops reed_solomon pstore_blk drm pstore_zone efi_pstore autofs4 [last unloaded: bpf_testmod(OE)]
>     CR2: 000000000000000c
> 
> Though there may be some variation, depending on which suprogram
> triggers the bug.
> 
> Signed-off-by: Krister Johansen <kjlx@...pleofstupid.com>

Acked-by: Yonghong Song <yhs@...com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ