lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 11 Dec 2023 14:01:43 +0100
From:   Jiri Olsa <olsajiri@...il.com>
To:     Hou Tao <houtao@...weicloud.com>, mhiramat@...nel.org
Cc:     xingwei lee <xrivendell7@...il.com>, ast@...nel.org,
        daniel@...earbox.net, andrii@...nel.org, martin.lau@...ux.dev,
        song@...nel.org, yonghong.song@...ux.dev, john.fastabend@...il.com,
        kpsingh@...nel.org, sdf@...gle.com, haoluo@...gle.com,
        rostedt@...dmis.org, mathieu.desnoyers@...icios.com,
        bpf@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-trace-kernel@...r.kernel.org
Subject: Re: WARNING: kmalloc bug in bpf_uprobe_multi_link_attach

On Mon, Dec 11, 2023 at 07:29:40PM +0800, Hou Tao wrote:

SNIP

> 
> It seems a big attr->link_create.uprobe_multi.cnt is passed to
> bpf_uprobe_multi_link_attach(). Could you please try the first patch in
> the following patch set ?
> 
> https://lore.kernel.org/bpf/20231211112843.4147157-1-houtao@huaweicloud.com/T/#t
> > [   68.389633][ T8223]  ? __might_fault+0x13f/0x1a0
> > [   68.390129][ T8223]  ? bpf_kprobe_multi_link_attach+0x10/0x10
> 
> SNIP
> >   res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000140ul, /*size=*/0x90ul);
> >   if (res != -1) r[0] = res;
> >   memcpy((void*)0x20000000, "./file0\000", 8);
> >   syscall(__NR_creat, /*file=*/0x20000000ul, /*mode=*/0ul);
> >   *(uint32_t*)0x20000340 = r[0];
> >   *(uint32_t*)0x20000344 = 0;
> >   *(uint32_t*)0x20000348 = 0x30;
> >   *(uint32_t*)0x2000034c = 0;
> >   *(uint64_t*)0x20000350 = 0x20000080;
> >   memcpy((void*)0x20000080, "./file0\000", 8);
> 
> 0x20000350 is the address of attr->link_create.uprobe_multi.path.
> >   *(uint64_t*)0x20000358 = 0x200000c0;
> >   *(uint64_t*)0x200000c0 = 0;
> >   *(uint64_t*)0x20000360 = 0;
> >   *(uint64_t*)0x20000368 = 0;
> >   *(uint32_t*)0x20000370 = 0xffffff1f;
> 
> The value of attr->link_create.uprobe_multi.cnt is 0xffffff1f, so 
> 0xffffff1f * sizeof(bpf_uprobe) will be greater than INT_MAX, and
> triggers the warning in mm/util.c:
> 
>         /* Don't even allow crazy sizes */
>         if (unlikely(size > INT_MAX)) {
>                 WARN_ON_ONCE(!(flags & __GFP_NOWARN));
>                 return NULL;
>         }
> 
> Adding __GFP_NOWARN when doing kvcalloc() can fix the warning.

hi,
looks like that's the case.. thanks for fixing that

btw while checking on that I found kprobe_multi bench attach test
takes forever on latest bpf-next/master

	test_kprobe_multi_bench_attach:PASS:bpf_program__attach_kprobe_multi_opts 0 nsec
	test_kprobe_multi_bench_attach: found 56140 functions
	test_kprobe_multi_bench_attach: attached in  89.174s
	test_kprobe_multi_bench_attach: detached in  13.245s
	#113/1   kprobe_multi_bench_attach/kernel:OK

Masami,
any idea of any change on fprobe/ftrace side recently? I'm going to check ;-)

thanks,
jirka

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ