| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6757dc5255b71_404920841@john.notmuch> Date: Mon, 09 Dec 2024 22:14:42 -0800 From: John Fastabend <john.fastabend@...il.com> To: Levi Zim <rsworktech@...look.com>, John Fastabend <john.fastabend@...il.com>, Levi Zim via B4 Relay <devnull+rsworktech.outlook.com@...nel.org>, Jakub Sitnicki <jakub@...udflare.com>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, David Ahern <dsahern@...nel.org> Cc: netdev@...r.kernel.org, bpf@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH net 2/2] tcp_bpf: fix copied value in tcp_bpf_sendmsg Levi Zim wrote: > On 2024-12-09 15:02, John Fastabend wrote: > > Levi Zim via B4 Relay wrote: > >> From: Levi Zim <rsworktech@...look.com> > >> > >> bpf kselftest sockhash::test_txmsg_cork_hangs in test_sockmap.c triggers a > >> kernel NULL pointer dereference: > > Is it just the cork test that causes issue? > Yes. More specifically only "sockhash::test_txmsg_cork_hangs" but not > "sockmap::test_txmsg_cork_hangs" > > > >> BUG: kernel NULL pointer dereference, address: 0000000000000008 > >> ? __die_body+0x6e/0xb0 > >> ? __die+0x8b/0xa0 > >> ? page_fault_oops+0x358/0x3c0 > >> ? local_clock+0x19/0x30 > >> ? lock_release+0x11b/0x440 > >> ? kernelmode_fixup_or_oops+0x54/0x60 > >> ? __bad_area_nosemaphore+0x4f/0x210 > >> ? mmap_read_unlock+0x13/0x30 > >> ? bad_area_nosemaphore+0x16/0x20 > >> ? do_user_addr_fault+0x6fd/0x740 > >> ? prb_read_valid+0x1d/0x30 > >> ? exc_page_fault+0x55/0xd0 > >> ? asm_exc_page_fault+0x2b/0x30 > >> ? splice_to_socket+0x52e/0x630 > >> ? shmem_file_splice_read+0x2b1/0x310 > >> direct_splice_actor+0x47/0x70 > >> splice_direct_to_actor+0x133/0x300 > >> ? do_splice_direct+0x90/0x90 > >> do_splice_direct+0x64/0x90 > >> ? __ia32_sys_tee+0x30/0x30 > >> do_sendfile+0x214/0x300 > >> __se_sys_sendfile64+0x8e/0xb0 > >> __x64_sys_sendfile64+0x25/0x30 > >> x64_sys_call+0xb82/0x2840 > >> do_syscall_64+0x75/0x110 > >> entry_SYSCALL_64_after_hwframe+0x4b/0x53 > >> > >> This is caused by tcp_bpf_sendmsg() returning a larger value(12289) than > >> size (8192), which causes the while loop in splice_to_socket() to release > >> an uninitialized pipe buf. > >> > >> The underlying cause is that this code assumes sk_msg_memcopy_from_iter() > >> will copy all bytes upon success but it actually might only copy part of > >> it. > > The intent was to ensure we allocate a buffer large enough to fit the > > data. I guess the cork + send here is not allocating enough bytes? > I am not familiar enough with neither this part of code nor tcp with bpf > in general and just > hit this bug when trying to run the bpf kselftests. Then I decided to > debug it. > > In my perspective the buffer(8192) is large enough to hold the data(8192), > but tcp_bpf_sendmsg returns 12289 which is a little surprising for me. > > Could you further elaborate why 8192 bytes are not enough? Thanks! > There is some bug in the buffer allocation sizing that is happening because of cork'd data. The cork logic is used to hold extra bytes in buffer until N bytes have been received. I'm not really opposed to the fix here, but would be good to understand how it got here. I have some time tommorrow I can look a bit more.
Powered by blists - more mailing lists