lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <d3eddad2-4243-6505-75d1-83ac41ac1b9c@gmail.com>
Date:   Wed, 30 Oct 2019 12:51:28 -0600
From:   David Ahern <dsahern@...il.com>
To:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        bpf <bpf@...r.kernel.org>
Subject: bpf: bug in bpf_xdp_adjust_head, 5.0.20 kernel

I hit this BUG with the 5.0.20 kernel built from stable tree:

[13294.815096] BUG: unable to handle kernel NULL pointer dereference at
0000000000000046
[13294.823913] #PF error: [normal kernel read fault]
[13294.829206] PGD 0 P4D 0
[13294.832056] Oops: 0000 [#1] SMP PTI
[13294.835976] CPU: 6 PID: 0 Comm: swapper/6 Kdump: loaded Tainted: G
       OE     5.0.20 #1
[13294.845557] Hardware name: Dell Inc. PowerEdge R620/0KCKR5, BIOS
2.7.0 05/23/2018
[13294.853979] RIP: 0010:__memmove+0x3d/0x1a0
[13294.858580] Code: 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 66 66 90
66 66 90 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20 48 83 ea
20 <4c> 8b 1e 4c 8b 56 08 4c 8b 4e 10 4c 8b 46 18 48 8d 76 20 4c 89 1f
[13294.879698] RSP: 0018:ffff88b3bf6c3d90 EFLAGS: 00010286
[13294.885589] RAX: 000000000000004a RBX: ffff88b3bf6c3e78 RCX:
0000000000000046
[13294.893621] RDX: ffff88b3056d203a RSI: 0000000000000046 RDI:
000000000000004a
[13294.901642] RBP: ffff88b3056d20c4 R08: ffff88b3056d20c0 R09:
ffff88b3056d209a
[13294.909670] R10: 00000000000000c6 R11: 0000000000000008 R12:
0000000000000004
[13294.917695] R13: ffffb758865d30f8 R14: 0000000000000002 R15:
0000000000000002
[13294.925724] FS:  0000000000000000(0000) GS:ffff88b3bf6c0000(0000)
knlGS:0000000000000000
[13294.934816] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[13294.941281] CR2: 0000000000000046 CR3: 000000042580e002 CR4:
00000000000626e0
[13294.949299] Call Trace:
[13294.952041]  <IRQ>
[13294.954315]  bpf_xdp_adjust_head+0x68/0x80
[13294.958963]  ? i40e_napi_poll+0xb49/0x1630 [i40e]
[13294.964262]  ? enqueue_task_fair+0x90/0x790
[13294.968968]  ? net_rx_action+0x13d/0x3b0


The driver is i40e and the packets have a vlan header (rx-vlan-offload
is disabled). The xdp program is removing the vlan header with:

        if (bpf_xdp_adjust_head(ctx, sizeof(*vhdr)))
                return XDP_PASS;

no other changes are made to the packet.

The bug does not happen with the 5.4 net-next kernel, so it has been
fixed somewhere along the way which suggests the 5.0 kernel is in need
of a backport. Does this ring a bell with anyone?

David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ