Message-ID: <Z/Vlj7KPkwgEgsZu@gmail.com>
Date: Tue, 8 Apr 2025 11:06:07 -0700
From: Breno Leitao <leitao@...ian.org>
To: Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: davem@...emloft.net, dsahern@...nel.org, edumazet@...gle.com,
	horms@...nel.org, kernel-team@...a.com, kuba@...nel.org,
	linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org,
	mathieu.desnoyers@...icios.com, mhiramat@...nel.org,
	ncardwell@...gle.com, netdev@...r.kernel.org, pabeni@...hat.com,
	rostedt@...dmis.org, song@...nel.org, yonghong.song@...ux.dev
Subject: Re: [PATCH net-next v2 2/2] trace: tcp: Add tracepoint for
 tcp_sendmsg_locked()

On Tue, Apr 08, 2025 at 10:12:14AM -0700, Kuniyuki Iwashima wrote:
> From: Breno Leitao <leitao@...ian.org>
> Date: Tue, 8 Apr 2025 10:01:05 -0700
> > On Tue, Apr 08, 2025 at 09:16:51AM -0600, David Ahern wrote:
> > > On 4/8/25 8:27 AM, Breno Leitao wrote:
> > > > 
> > > > 	SEC("tracepoint/tcp/tcp_sendmsg_locked")
> > > 
> > > Try `raw_tracepoint/tcp/tcp_sendmsg_locked`.
> > > 
> > > This is the form I use for my tracepoint based packet capture (not tied
> > > to this tracepoint, but traces inside our driver) and it works fine.
> > 
> > Thanks. I was not able to get this crashing as well. In fact, the
> > following program fails to be loaded:
> > 
> > 	SEC("raw_tracepoint/tcp/tcp_sendmsg_locked")
> 
> Try SEC("tp_btf/tcp_sendmsg_locked") and access the raw argument
> (struct sk_buff *skb) instead of bpf_raw_tracepoint_args.

Nice, I was able to crash the host, with the following code:

	SEC("tp_btf/tcp_sendmsg_locked")
	int BPF_PROG(tcp_sendmsg_locked, struct sock *sk, struct msghdr *msg, struct sk_buff *skb, int size_goal)
	{
		bpf_printk("skb->len %d\n", skb->len);

		return 0;
	}

This is the unusually expected stacktrace. :-)

	 BUG: kernel NULL pointer dereference, address: 0000000000000070
	 #PF: supervisor read access in kernel mode
	 #PF: error_code(0x0000) - not-present page
	 PGD 10ca78067 P4D 0
	 Oops: Oops: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
	 CPU: 13 UID: 0 PID: 1020 Comm: nc Tainted: G            E    N 6.14.0-upstream-05880-g14fbb7a1a500 #73 PREEMPT(undef)
	 Tainted: [E]=UNSIGNED_MODULE, [N]=TEST
	 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
	 RIP: 0010:bpf_prog_5b31430a4390397c_tcp_sendmsg_locked+0x18/0x37
	 Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 0f 1f 00 55 48 89 e5 f3 0f 1e fa 48 8b 7f 10 <8b> 57 70 48 bf d8 d9 03 06 01 00 11 ff be 0d 00 00 00 e8 15 f4 4c
	 RSP: 0018:ffa0000003c03bd0 EFLAGS: 00010282
	 RAX: 5aab7562e1de3200 RBX: ffa0000003be4000 RCX: 0000000000000018
	 RDX: 0000000000000000 RSI: ffa0000003be4048 RDI: 0000000000000000
	 RBP: ffa0000003c03bd0 R08: 000000000006043d R09: ffffffffffffffff
	 R10: 0000000000000000 R11: ffffffffa000096c R12: ff11000104ae5b00
	 R13: ff1100010610a3c0 R14: ffffffff814d34ef R15: 0000000000000000
	 FS:  00007fd67d550740(0000) GS:ff110005a40a9000(0000) knlGS:0000000000000000
	 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	 CR2: 0000000000000070 CR3: 000000010d9ec002 CR4: 0000000000771ef0
	 PKRU: 55555554
	 Call Trace:
	  <TASK>
	  ? __die_body+0xaf/0xc0
	  ? page_fault_oops+0x35b/0x3c0
	  ? do_user_addr_fault+0x6d4/0x730
	  ? srso_alias_return_thunk+0x5/0xfbef5
	  ? exc_page_fault+0x5f/0xe0
	  ? asm_exc_page_fault+0x26/0x30
	  ? bpf_trace_run4+0xbf/0x240
	  ? 0xffffffffa000096c
	  ? bpf_prog_5b31430a4390397c_tcp_sendmsg_locked+0x18/0x37
	  bpf_trace_run4+0x14c/0x240
	  ? trace_event_raw_event_tcp_sendmsg_locked+0xc3/0xf0
	  __traceiter_tcp_sendmsg_locked+0x44/0x60
	  tcp_sendmsg_locked+0x10c8/0x15b0
	  ? __local_bh_enable_ip+0x166/0x1c0
	  ? srso_alias_return_thunk+0x5/0xfbef5
	  tcp_sendmsg+0x2c/0x50
	  ? __pfx_inet6_sendmsg+0x10/0x10
	  sock_sendmsg_nosec+0xa0/0x100
	  __sys_sendto+0x1b4/0x1f0
	  __x64_sys_sendto+0x26/0x30
	  do_syscall_64+0x83/0x170
	  entry_SYSCALL_64_after_hwframe+0x76/0x7e
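To read an oops like the one above mechanically, here is an added triage helper (my own code, not from this thread or the kernel tree): it decodes the `<8b>`-marked instruction on the Code: line, looks up its base register in the register dump and checks it against the faulting address. It assumes the plain `mov r32, [base+disp8]` form this oops shows (no REX or SIB), and reproduces that RDI was NULL and the fault sits at field offset 0x70 of a 4-byte load, consistent with the program's `skb->len` read.

```python
import re

# Constructed input: the relevant lines of the oops quoted in the mail above.
OOPS = """\
BUG: kernel NULL pointer dereference, address: 0000000000000070
RIP: 0010:bpf_prog_5b31430a4390397c_tcp_sendmsg_locked+0x18/0x37
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 0f 1f 00 55 48 89 e5 f3 0f 1e fa 48 8b 7f 10 <8b> 57 70 48 bf d8 d9 03 06 01 00 11 ff be 0d 00 00 00 e8 15 f4 4c
RAX: 5aab7562e1de3200 RBX: ffa0000003be4000 RCX: 0000000000000018
RDX: 0000000000000000 RSI: ffa0000003be4048 RDI: 0000000000000000
"""

# Register names in ModRM encoding order (index == 3-bit reg/rm field).
REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

def parse_regs(oops):
    """Collect the 64-bit general-purpose register dump into {name: value}."""
    return {m.group(1).lower(): int(m.group(2), 16)
            for m in re.finditer(r"\b(R[A-Z0-9]{2}):\s*([0-9a-f]{16})", oops)}

def parse_code(oops):
    """Return the Code: bytes and the index of the faulting (<xx>-marked) byte."""
    toks = re.search(r"Code: (.*)", oops).group(1).split()
    idx = next(i for i, t in enumerate(toks) if t.startswith("<"))
    return [int(t.strip("<>"), 16) for t in toks], idx

def decode_load(code, idx):
    """Decode 'mov r32, [base+disp8]' (opcode 8b, ModRM mod=01) at idx.
    No REX prefix precedes the marked byte, so this is a 4-byte load."""
    if code[idx] != 0x8B:
        raise ValueError("not a mov r32, r/m32 load")
    modrm = code[idx + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 1 or rm == 4:  # disp32 and SIB forms are out of scope here
        raise ValueError("unsupported addressing form")
    disp = code[idx + 2]
    disp = disp - 256 if disp > 127 else disp  # sign-extend the disp8
    return {"dst": REGS[reg], "base": REGS[rm], "disp": disp, "width": 4}

def triage(oops):
    """Tie the decoded load back to the register dump and the fault address."""
    addr = int(re.search(r"address: ([0-9a-f]+)", oops).group(1), 16)
    regs = parse_regs(oops)
    code, idx = parse_code(oops)
    ld = decode_load(code, idx)
    base_val = regs[ld["base"]]
    return {**ld, "fault_addr": addr, "base_val": base_val,
            "null_deref": base_val == 0 and base_val + ld["disp"] == addr}
```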
