Message-ID: <cfec3ec1b7092e1dde01eb1896ec7fba7ed714f4.camel@gmail.com>
Date: Mon, 07 Oct 2024 15:18:12 -0700
From: Eduard Zingerman <eddyz87@...il.com>
To: syzbot <syzbot+7e46cdef14bf496a3ab4@...kaller.appspotmail.com>, 
 andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org,
 daniel@...earbox.net,  haoluo@...gle.com, john.fastabend@...il.com,
 jolsa@...nel.org, kpsingh@...nel.org,  linux-kernel@...r.kernel.org,
 martin.lau@...ux.dev, sdf@...ichev.me,  song@...nel.org,
 syzkaller-bugs@...glegroups.com, yonghong.song@...ux.dev
Subject: Re: [syzbot] [bpf?] WARNING in push_jmp_history

On Mon, 2024-10-07 at 11:35 -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    c02d24a5af66 Add linux-next specific files for 20241003
> git tree:       linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=17382707980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=94f9caf16c0af42d
> dashboard link: https://syzkaller.appspot.com/bug?extid=7e46cdef14bf496a3ab4
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b82707980000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16f4c327980000

When I try this reproducer, the bpf syscall never exits (waited for 5 minutes).
Here is the reproducer as a selftest:

SEC("kprobe")
__success
__naked void syzbot_bug(void)
{
	asm volatile (
	"   r2 = *(u32 *)(r1 +140)\n"		// 0
	"   r3 = *(u32 *)(r1 +76)\n"		// 1
	"   r0 = r2\n"				// 2
	"   if w0 > 0xffffff07 goto 1f\n"	// 3
	"   if r3 <= r0 goto +16\n"		// 4
	"   exit\n"				// 5
	"1: r6 = *(u16 *)(r1 +0)\n"		// 6
	"   r7 = r6\n"				// 7
	"2: w7 += 447767737\n"			// 8
	"   if w7 & 0x702000 goto 2b\n"		// 9
	"   w7 &= 2024974\n"			// 10
	"   r5 = r1\n"				// 11
	"   r7 += r5\n"				// 12
	"   if r7 s> 0x37d2 goto +0\n"		// 13
	"   w3 *= w0\n"				// 14
	"   r5 -= r7\n"				// 15
	"   r4 = r5\n"				// 16
	"   r0 += -458748\n"			// 17
	"   if r3 < r4 goto 3f\n"		// 18
	"   w0 >>= w0\n"			// 19
	"3: goto +0\n"				// 20
	"   exit\n"				// 21
	::: __clobber_all);
}

(e.g. it can be put into tools/testing/selftests/bpf/progs/verifier_and.c
 or any other verifier_*.c).

Inserting a few printks shows that the following instructions are
verified in a loop:
           ... verification starts ...
[    2.094272] do_check: env->insn_idx 0
[    2.094345] do_check: env->insn_idx 1
[    2.094417] do_check: env->insn_idx 2
[    2.094486] do_check: env->insn_idx 3
[    2.094585] do_check: env->insn_idx 4
[    2.094675] do_check: env->insn_idx 5
[    2.094748] do_check: env->insn_idx 21
[    2.094879] do_check: env->insn_idx 6
[    2.095005] do_check: env->insn_idx 7
[    2.095074] do_check: env->insn_idx 8 <------ let's call this point LBL
[    2.095156] do_check: env->insn_idx 9
[    2.095264] do_check: env->insn_idx 8
[    2.095372] do_check: env->insn_idx 9
[    2.095497] do_check: env->insn_idx 8
[    2.095579] do_check: env->insn_idx 9
[    2.095716] do_check: env->insn_idx 8
[    2.095892] do_check: env->insn_idx 9
[    2.096070] do_check: env->insn_idx 8
[    2.096151] do_check: env->insn_idx 9
[    2.096314] do_check: env->insn_idx 8
[    2.096402] do_check: env->insn_idx 9
[    2.096570] do_check: env->insn_idx 8
[    2.096646] do_check: env->insn_idx 9
[    2.096840] do_check: env->insn_idx 8
[    2.096921] do_check: env->insn_idx 9
[    2.097040] do_check: env->insn_idx 10
[    2.097113] do_check: env->insn_idx 11
[    2.097195] do_check: env->insn_idx 12
[    2.097417] do_check: env->insn_idx 13
[    2.097521] do_check: env->insn_idx 14
[    2.097597] do_check: env->insn_idx 15
[    2.097688] do_check: env->insn_idx 16
[    2.097774] do_check: env->insn_idx 17
[    2.097866] do_check: env->insn_idx 18
[    2.097990] do_check: env->insn_idx 19
[    2.098050] do_check: env->insn_idx 20
[    2.098119] do_check: env->insn_idx 21
[    2.098195] do_check: env->insn_idx 20
[    2.098347] do_check: env->insn_idx 21
[    2.098414] do_check: env->insn_idx 14
[    2.098556] do_check: env->insn_idx 15
[    2.098629] do_check: env->insn_idx 16
[    2.098700] do_check: env->insn_idx 17
[    2.098767] do_check: env->insn_idx 18
[    2.098842] do_check: env->insn_idx 8
[    2.098984] do_check: env->insn_idx 9
[    2.099108] do_check: env->insn_idx 8
[    2.099171] do_check: env->insn_idx 9
[    2.099304] do_check: env->insn_idx 8
[    2.099368] do_check: env->insn_idx 9
[    2.099505] do_check: env->insn_idx 8
[    2.099568] do_check: env->insn_idx 9
[    2.099703] do_check: env->insn_idx 8
[    2.099774] do_check: env->insn_idx 9
[    2.099921] do_check: env->insn_idx 8
[    2.099984] do_check: env->insn_idx 9
[    2.100133] do_check: env->insn_idx 8
[    2.100200] do_check: env->insn_idx 9
[    2.100349] do_check: env->insn_idx 8
[    2.100413] do_check: env->insn_idx 9
[    2.100503] do_check: env->insn_idx 10
[    2.100566] do_check: env->insn_idx 11
[    2.100636] do_check: env->insn_idx 12
[    2.100813] do_check: env->insn_idx 13
[    2.100909] do_check: env->insn_idx 14
[    2.100972] do_check: env->insn_idx 15
[    2.101047] do_check: env->insn_idx 16
[    2.101117] do_check: env->insn_idx 17
[    2.101185] do_check: env->insn_idx 18
[    2.101250] do_check: env->insn_idx 14
[    2.101389] do_check: env->insn_idx 15
[    2.101462] do_check: env->insn_idx 16
[    2.101531] do_check: env->insn_idx 17
[    2.101598] do_check: env->insn_idx 18

    ... verification repeats from LBL ...

[...]
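As an added example that is not part of the message, the kernel tree or the syzbot report: a small Python helper that turns the `do_check: env->insn_idx N` printk lines quoted above into the verifier's instruction-index walk and compresses back-to-back repeats, so the loop the author spotted by eye (the first revisited instruction, called LBL above, and the 8/9 cycle) falls out mechanically. The embedded trace is the first 44 printk lines quoted in the message, copied verbatim; the regex, the function names and the pattern-length limit are assumptions of this example.

```python
import re

# Constructed sample: the first 44 `do_check` printk lines quoted in the
# message above, copied verbatim (kernel timestamps included).
TRACE = """\
[    2.094272] do_check: env->insn_idx 0
[    2.094345] do_check: env->insn_idx 1
[    2.094417] do_check: env->insn_idx 2
[    2.094486] do_check: env->insn_idx 3
[    2.094585] do_check: env->insn_idx 4
[    2.094675] do_check: env->insn_idx 5
[    2.094748] do_check: env->insn_idx 21
[    2.094879] do_check: env->insn_idx 6
[    2.095005] do_check: env->insn_idx 7
[    2.095074] do_check: env->insn_idx 8
[    2.095156] do_check: env->insn_idx 9
[    2.095264] do_check: env->insn_idx 8
[    2.095372] do_check: env->insn_idx 9
[    2.095497] do_check: env->insn_idx 8
[    2.095579] do_check: env->insn_idx 9
[    2.095716] do_check: env->insn_idx 8
[    2.095892] do_check: env->insn_idx 9
[    2.096070] do_check: env->insn_idx 8
[    2.096151] do_check: env->insn_idx 9
[    2.096314] do_check: env->insn_idx 8
[    2.096402] do_check: env->insn_idx 9
[    2.096570] do_check: env->insn_idx 8
[    2.096646] do_check: env->insn_idx 9
[    2.096840] do_check: env->insn_idx 8
[    2.096921] do_check: env->insn_idx 9
[    2.097040] do_check: env->insn_idx 10
[    2.097113] do_check: env->insn_idx 11
[    2.097195] do_check: env->insn_idx 12
[    2.097417] do_check: env->insn_idx 13
[    2.097521] do_check: env->insn_idx 14
[    2.097597] do_check: env->insn_idx 15
[    2.097688] do_check: env->insn_idx 16
[    2.097774] do_check: env->insn_idx 17
[    2.097866] do_check: env->insn_idx 18
[    2.097990] do_check: env->insn_idx 19
[    2.098050] do_check: env->insn_idx 20
[    2.098119] do_check: env->insn_idx 21
[    2.098195] do_check: env->insn_idx 20
[    2.098347] do_check: env->insn_idx 21
[    2.098414] do_check: env->insn_idx 14
[    2.098556] do_check: env->insn_idx 15
[    2.098629] do_check: env->insn_idx 16
[    2.098700] do_check: env->insn_idx 17
[    2.098767] do_check: env->insn_idx 18
"""

# Assumed printk format: matches the lines quoted in the message.
INSN_RE = re.compile(r"do_check: env->insn_idx (\d+)")


def parse_insn_indices(trace):
    """Extract the insn_idx value of every do_check line, in trace order."""
    return [int(m.group(1)) for m in INSN_RE.finditer(trace)]


def first_revisited_index(indices):
    """First insn_idx the verifier walks a second time (the message's LBL)."""
    seen = set()
    for idx in indices:
        if idx in seen:
            return idx
        seen.add(idx)
    return None


def compress_repeats(indices, max_len=8):
    """Run-length-compress back-to-back repeats of short instruction patterns.

    Returns (pattern, count) tuples; count > 1 means the verifier re-walked
    exactly those instructions that many times in a row. The shortest
    pattern that repeats at a position wins.
    """
    out, i = [], 0
    while i < len(indices):
        found = ((indices[i],), 1)
        for length in range(1, max_len + 1):
            pattern = tuple(indices[i:i + length])
            if len(pattern) < length:
                break
            count = 1
            while tuple(indices[i + count * length:i + (count + 1) * length]) == pattern:
                count += 1
            if count > 1:
                found = (pattern, count)
                break
        out.append(found)
        i += len(found[0]) * found[1]
    return out


def find_loops(trace):
    """Patterns the verifier walked more than once back to back."""
    return [(p, c) for p, c in compress_repeats(parse_insn_indices(trace)) if c > 1]
```

On the embedded trace `first_revisited_index` reports instruction 8 and `find_loops` reports the pair (8, 9) walked eight times in a row followed by (20, 21) walked twice, which is the first pass through the loop body the message describes; feeding the full printk output through the same helper shows the second (8, 9) block and the repeated 14..18 tail as well.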
