lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <4ym76vsa2ey6ktrwmidmiawsymtlunoy4dtnjj4lwzgal6nue3@u3wpynwgmxya>
Date: Thu, 13 Nov 2025 19:19:22 +0530
From: Brahmajit Das <listout@...tout.xyz>
To: "Lecomte, Arnaud" <contact@...aud-lcm.com>
Cc: syzbot+d1b7fa1092def3628bd7@...kaller.appspotmail.com, 
	andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org, daniel@...earbox.net, 
	eddyz87@...il.com, haoluo@...gle.com, john.fastabend@...il.com, jolsa@...nel.org, 
	kpsingh@...nel.org, linux-kernel@...r.kernel.org, martin.lau@...ux.dev, 
	netdev@...r.kernel.org, sdf@...ichev.me, song@...nel.org, 
	syzkaller-bugs@...glegroups.com, yonghong.song@...ux.dev
Subject: Re: [PATCH bpf-next v3] bpf: Clamp trace length in __bpf_get_stack
 to fix OOB write

On 13.11.2025 13:26, Lecomte, Arnaud wrote:
> 
> On 13/11/2025 12:49, Brahmajit Das wrote:
> > On 12.11.2025 08:40, 'Lecomte, Arnaud' via syzkaller-bugs wrote:
> > > I am a not sure this is the right solution and I am scared that by
> > > forcing this clamping, we are hiding something else.
> > > If we have a look at the code below:
...snip...
> > > might hide something else. I would like to have a look at the return for
> > > each if case through gdb. |
> > Hi Arnaud,
> > So I've been debugging this the reproducer always takes the else branch
> > so trace holds whatever get_perf_callchain returns; in this situation.
> > 
> > I mostly found it to be a value around 4.
> > 
> > In some case the value would exceed to something 27 or 44, just after
> > the code block
> > 
> > 	if (unlikely(!trace) || trace->nr < skip) {
> > 		if (may_fault)
> > 			rcu_read_unlock();
> > 		goto err_fault;
> > 	}
> > 
> > So I'm assuming there's some race condition that might be going on
> > somewhere.
> Which value ? trace->nr ?

Yep, trace->nr

> > I'm still debugging bug I'm open to ideas and definitely I could be
> > wrong here, please feel free to correct/point out.
> 
> I should be able to have a look tomorrow evening as I am currently a bit
> overloaded
> with my work.

Awesome, thank you. I'll try to dig around a bit more meanwhile.

-- 
Regards,
listout

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ