[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a0e172e9-e4d3-427f-b237-ba8f6b3772f4@arnaud-lcm.com>
Date: Tue, 5 Aug 2025 21:49:48 +0100
From: Arnaud Lecomte <contact@...aud-lcm.com>
To: Yonghong Song <yonghong.song@...ux.dev>, song@...nel.org,
jolsa@...nel.org, ast@...nel.org, daniel@...earbox.net, andrii@...nel.org,
martin.lau@...ux.dev, eddyz87@...il.com, john.fastabend@...il.com,
kpsingh@...nel.org, sdf@...ichev.me, haoluo@...gle.com
Cc: bpf@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com,
syzbot+c9b724fbb41cf2538b7b@...kaller.appspotmail.com
Subject: Re: [PATCH v2] bpf: fix stackmap overflow check in
__bpf_get_stackid()
Hi,
I gave it several tries and I can't find a nice to do see properly.
The main challenge is to find a way to detect memory corruption. I
wanted to place a canary value
by tweaking the map size but we don't have a way from a BPF program
perspective to access to the size
of a stack_map_bucket. If we decide to do this computation manually, we
would end-up with maintainability
issues:
#include "vmlinux.h"
#include "bpf/bpf_helpers.h"
#define MAX_STACK_DEPTH 32
#define CANARY_VALUE 0xBADCAFE
/* Calculate size based on known layout:
* - fnode: sizeof(void*)
* - hash: 4 bytes
* - nr: 4 bytes
* - data: MAX_STACK_DEPTH * 8 bytes
* - canary: 8 bytes
*/
#define VALUE_SIZE (sizeof(void*) + 4 + 4 + (MAX_STACK_DEPTH * 8) + 8)
struct {
__uint(type, BPF_MAP_TYPE_STACK_TRACE);
__uint(max_entries, 1);
__uint(value_size, VALUE_SIZE);
__uint(key_size, sizeof(u32));
} stackmap SEC(".maps");
static __attribute__((noinline)) void recursive_helper(int depth) {
if (depth <= 0) return;
asm volatile("" ::: "memory");
recursive_helper(depth - 1);
}
SEC("kprobe/do_sys_open")
int test_stack_overflow(void *ctx) {
u32 key = 0;
u64 *stack = bpf_map_lookup_elem(&stackmap, &key);
if (!stack) return 0;
stack[MAX_STACK_DEPTH] = CANARY_VALUE;
/* Force minimum stack depth */
recursive_helper(MAX_STACK_DEPTH + 10);
(void)bpf_get_stackid(ctx, &stackmap, 0);
return 0;
}
char _license[] SEC("license") = "GPL";
On 01/08/2025 19:16, Lecomte, Arnaud wrote:
> Well, it turns out it is less straightforward than it looked like to
> detect the memory corruption
> without KASAN. I am currently in holidays for the next 3 days so I've
> limited access to a
> computer. I should be able to sort this out on monday.
>
> Thanks,
> Arnaud
>
> On 30/07/2025 08:10, Arnaud Lecomte wrote:
>> On 29/07/2025 23:45, Yonghong Song wrote:
>>>
>>>
>>> On 7/29/25 9:56 AM, Arnaud Lecomte wrote:
>>>> Syzkaller reported a KASAN slab-out-of-bounds write in
>>>> __bpf_get_stackid()
>>>> when copying stack trace data. The issue occurs when the perf trace
>>>> contains more stack entries than the stack map bucket can hold,
>>>> leading to an out-of-bounds write in the bucket's data array.
>>>> For build_id mode, we use sizeof(struct bpf_stack_build_id)
>>>> to determine capacity, and for normal mode we use sizeof(u64).
>>>>
>>>> Reported-by: syzbot+c9b724fbb41cf2538b7b@...kaller.appspotmail.com
>>>> Closes: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
>>>> Tested-by: syzbot+c9b724fbb41cf2538b7b@...kaller.appspotmail.com
>>>> Signed-off-by: Arnaud Lecomte <contact@...aud-lcm.com>
>>>
>>> Could you add a selftest? This way folks can easily find out what is
>>> the problem and why this fix solves the issue correctly.
>>>
>> Sure, will be done after work
>> Thanks,
>> Arnaud
>>>> ---
>>>> Changes in v2:
>>>> - Use utilty stack_map_data_size to compute map stack map size
>>>> ---
>>>> kernel/bpf/stackmap.c | 8 +++++++-
>>>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
>>>> index 3615c06b7dfa..6f225d477f07 100644
>>>> --- a/kernel/bpf/stackmap.c
>>>> +++ b/kernel/bpf/stackmap.c
>>>> @@ -230,7 +230,7 @@ static long __bpf_get_stackid(struct bpf_map *map,
>>>> struct bpf_stack_map *smap = container_of(map, struct
>>>> bpf_stack_map, map);
>>>> struct stack_map_bucket *bucket, *new_bucket, *old_bucket;
>>>> u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
>>>> - u32 hash, id, trace_nr, trace_len, i;
>>>> + u32 hash, id, trace_nr, trace_len, i, max_depth;
>>>> bool user = flags & BPF_F_USER_STACK;
>>>> u64 *ips;
>>>> bool hash_matches;
>>>> @@ -241,6 +241,12 @@ static long __bpf_get_stackid(struct bpf_map
>>>> *map,
>>>> trace_nr = trace->nr - skip;
>>>> trace_len = trace_nr * sizeof(u64);
>>>> +
>>>> + /* Clamp the trace to max allowed depth */
>>>> + max_depth = smap->map.value_size / stack_map_data_size(map);
>>>> + if (trace_nr > max_depth)
>>>> + trace_nr = max_depth;
>>>> +
>>>> ips = trace->ip + skip;
>>>> hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0);
>>>> id = hash & (smap->n_buckets - 1);
>>>
>>>
Powered by blists - more mailing lists