lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3c89e1105e611812ae86fb6aafd346be4445e055.camel@gmail.com>
Date: Fri, 13 Jun 2025 00:56:39 -0700
From: Eduard Zingerman <eddyz87@...il.com>
To: syzbot <syzbot+a36aac327960ff474804@...kaller.appspotmail.com>, 
	andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org,
 daniel@...earbox.net, 	haoluo@...gle.com, john.fastabend@...il.com,
 jolsa@...nel.org, kpsingh@...nel.org, 	linux-kernel@...r.kernel.org,
 martin.lau@...ux.dev, netdev@...r.kernel.org, 	sdf@...ichev.me,
 song@...nel.org, syzkaller-bugs@...glegroups.com, 	yonghong.song@...ux.dev
Subject: Re: [syzbot] [bpf?] WARNING in do_check

On Fri, 2025-06-13 at 00:12 -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    1c66f4a3612c bpf: Fix state use-after-free on push_stack()..
> git tree:       bpf-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1346ed70580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=73696606574e3967
> dashboard link: https://syzkaller.appspot.com/bug?extid=a36aac327960ff474804
> compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1392610c580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11a9ee0c580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2ddb1df1c757/disk-1c66f4a3.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/6a318fc92af0/vmlinux-1c66f4a3.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/76c58dddcb6c/bzImage-1c66f4a3.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a36aac327960ff474804@...kaller.appspotmail.com
> 
> ------------[ cut here ]------------

Fwiw, here is a repro converted to selftest.
I'll take detailed look on Friday:

SEC("socket")
__naked void syzbot_repro(void)
{
        asm volatile (
        "r8 = 0xff80;"
        "r1 = 0xff110001085a0800 ll;"
        "r2 = 20;"
        "r3 = 0;"
        "call %[bpf_ktime_get_ns];"
"1:"
        "w9 = w10;"
        "if r9 >= 0xff4ad400 goto 2f;"
        "may_goto +13;"
        "r2 = 0;"
        "*(u8 *)(r10 -16) = r9;"
"2:"
        "if r9 s< 0x1004 goto 3f;"
        "lock *(u32 *)(r10 -16) += r10;"
        "r6 = r8;"
        "r8 += -8;"
        "r4 = r10;"
"3:"
        "r6 += -16;"
        "r2 = 8;"
        "r2 = 0xff110001085a05d8 ll;"
        "r5 = 8;"
        "if w8 & 0x76 goto 1b;"
        "r8 = r9;"
        "if w8 != 0x0 goto +0;"
        "call %[bpf_get_prandom_u32];"
        "r0 = 0;"
        "exit;"
        :
        : __imm(bpf_get_prandom_u32),
          __imm(bpf_ktime_get_ns)
        : __clobber_all);
}

[...]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ