Message-ID: <b1717a5b75475b8e14afaee4825a40a3808bd0cb.camel@gmail.com>
Date: Mon, 15 Sep 2025 16:40:17 -0700
From: Eduard Zingerman <eddyz87@...il.com>
To: syzbot <syzbot+3afc814e8df1af64b653@...kaller.appspotmail.com>,
 andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org,
 daniel@...earbox.net, haoluo@...gle.com, john.fastabend@...il.com,
 jolsa@...nel.org, kpsingh@...nel.org, linux-kernel@...r.kernel.org,
 martin.lau@...ux.dev, sdf@...ichev.me, song@...nel.org,
 syzkaller-bugs@...glegroups.com, yonghong.song@...ux.dev
Subject: Re: [syzbot] [bpf?] WARNING in maybe_exit_scc

On Mon, 2025-09-15 at 15:34 -0700, Eduard Zingerman wrote:

[...]

> > verifier bug: scc exit: no visit info for call chain (1)(1)
> > WARNING: CPU: 1 PID: 6013 at kernel/bpf/verifier.c:1949 maybe_exit_scc+0x768/0x8d0 kernel/bpf/verifier.c:1949
>
> Both this and [1] are reported for very similar programs:
>
> <this>                                      <[1]>
> --------------------------------------------------------------------------------------------
> (b7) r0 = -1023213567                       (b7) r0 = -1023213567
> (bf) r3 = r10                               (bf) r3 = r10
> (07) r3 += -512                             (07) r3 += -504
> (72) *(u8 *)(r10 -16) = -8                  (72) *(u8 *)(r10 -16) = -8
> (71) r4 = *(u8 *)(r10 -16)                  (71) r4 = *(u8 *)(r10 -16)
> (65) if r4 s> 0xff000000 goto pc+2          (65) if r4 s> 0xff000000 goto pc+2
> (2d) if r0 > r4 goto pc+5                   (2d) if r0 > r4 goto pc+5
> (20) r0 = *(u32 *)skb[60673]                (20) r0 = *(u32 *)skb[60673]
> (7b) *(u64 *)(r3 +0) = r0                   (7b) *(u64 *)(r3 +0) = r0
> (1d) if r4 == r4 goto pc+0                  (1d) if r4 == r4 goto pc+0
> (7a) *(u64 *)(r10 -512) = -256              (7a) *(u64 *)(r10 -512) = -256
> (db) lock *(u64 *)(r3 +0) |= r0             (db) r0 = atomic64_fetch_and((u64 *)(r3 +0), r0)
> (b5) if r0 <= 0x0 goto pc-2                 (b5) if r0 <= 0x0 goto pc-2
> (95) exit                                   (95) exit
>
> So, I assume it's the same issue. Looking into it.
>
> [1] https://lore.kernel.org/bpf/68c85b0d.050a0220.2ff435.03a5.GAE@google.com/T/#u

Minimal reproducer:

  SEC("socket")
  __caps_unpriv(CAP_BPF)
  __naked void syzbot_bug(void)
  {
        asm volatile (
        "r0 = 100;"
  "1:"
        "*(u64 *)(r10 - 512) = r0;"
        "if r0 <= 0x0 goto 1b;"
        "exit;"
        ::: __clobber_all);
  }

And corresponding verifier log:

  Live regs before insn:
        0: .......... (b7) r0 = 100
    1   1: 0......... (7b) *(u64 *)(r10 -512) = r0
    1   2: 0......... (b5) if r0 <= 0x0 goto pc-2
        3: 0......... (95) exit
  Global function syzbot_bug() doesn't return scalar. Only those are supported.
  0: R1=ctx() R10=fp0
  ; asm volatile ( @ verifier_and.c:118
  0: (b7) r0 = 100                      ; R0_w=100
  1: (7b) *(u64 *)(r10 -512) = r0       ; R0_w=100 R10=fp0 fp-512_w=100
  2: (b5) if r0 <= 0x0 goto pc-2
  mark_precise: frame0: last_idx 2 first_idx 0 subseq_idx -1
  mark_precise: frame0: regs=r0 stack= before 1: (7b) *(u64 *)(r10 -512) = r0
  mark_precise: frame0: regs=r0 stack= before 0: (b7) r0 = 100
  2: R0_w=100
  3: (95) exit

  from 2 to 1 (speculative execution): R0_w=scalar() R1=ctx() R10=fp0 fp-512_w=100
  1: R0_w=scalar() R1=ctx() R10=fp0 fp-512_w=100
  1: (7b) *(u64 *)(r10 -512) = r0
  verifier bug: scc exit: no visit info for call chain (1)
  processed 5 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0

[...]
