Message-ID: <20200723065329.yuw4dey27n2w5a4i@ast-mbp.dhcp.thefacebook.com>
Date:   Wed, 22 Jul 2020 23:53:29 -0700
From:   Alexei Starovoitov <alexei.starovoitov@...il.com>
To:     Yonghong Song <yhs@...com>
Cc:     bpf@...r.kernel.org, netdev@...r.kernel.org,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>, kernel-team@...com,
        Martin KaFai Lau <kafai@...com>
Subject: Re: [PATCH bpf-next v3 00/13] bpf: implement bpf iterator for map
 elements

On Wed, Jul 22, 2020 at 11:15:33PM -0700, Yonghong Song wrote:
> A bpf iterator has been implemented for task, task_file,
> bpf_map, ipv6_route, netlink, tcp and udp so far.
> 
> For map elements, there are two ways to traverse all elements from
> user space:
>   1. using BPF_MAP_GET_NEXT_KEY bpf subcommand to get elements
>      one by one.
>   2. using BPF_MAP_LOOKUP_BATCH bpf subcommand to get a batch of
>      elements.
> Both these approaches need to copy data from kernel to user space
> in order to do inspection.
> 
> This patch set implements a bpf iterator for map elements.
> Users can have a bpf program in the kernel run with each map element
> to do checking, filtering, aggregation, modification of values, etc.
> without copying data to user space.
> 
> Patches #1 and #2 are refactoring. Patch #3 implements readonly/readwrite
> buffer support in the verifier. Patches #4 - #7 implement map element
> support for hash, percpu hash, lru hash, lru percpu hash, array,
> percpu array and sock local storage maps. Patches #8 - #9 are libbpf
> and bpftool support. Patches #10 - #13 are selftests for the implemented
> map element iterators.

kasan is not happy:

[   16.896170] ==================================================================
[   16.896994] BUG: KASAN: use-after-free in __do_sys_bpf+0x34f3/0x3860
[   16.897657] Read of size 4 at addr ffff8881f105b208 by task test_progs/1958
[   16.898416]
[   16.898577] CPU: 0 PID: 1958 Comm: test_progs Not tainted 5.8.0-rc4-01920-g6276000cd38e #2828
[   16.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
[   16.900405] Call Trace:
[   16.900679]  dump_stack+0x7d/0xb0
[   16.901068]  print_address_description.constprop.0+0x3a/0x60
[   16.901689]  ? __do_sys_bpf+0x34f3/0x3860
[   16.902125]  kasan_report.cold+0x1f/0x37
[   16.902595]  ? __do_sys_bpf+0x34f3/0x3860
[   16.903029]  __do_sys_bpf+0x34f3/0x3860
[   16.903494]  ? bpf_trace_run2+0xd1/0x210
[   16.903971]  ? bpf_link_get_from_fd+0xe0/0xe0
[   16.907802]  do_syscall_64+0x38/0x60
[   16.908187]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   16.908730] RIP: 0033:0x7f014cdfe7f9
[   16.909148] Code: Bad RIP value.
[   16.909524] RSP: 002b:00007ffe1d1e8b28 EFLAGS: 00000206 ORIG_RAX: 0000000000000141
[   16.910345] RAX: ffffffffffffffda RBX: 00007f014dd27690 RCX: 00007f014cdfe7f9
[   16.911058] RDX: 0000000000000078 RSI: 00007ffe1d1e8b60 RDI: 000000000000001e
[   16.911820] RBP: 00007ffe1d1e8b40 R08: 00007ffe1d1e8b40 R09: 00007ffe1d1e8b60
[   16.912575] R10: 0000000000000044 R11: 0000000000000206 R12: 0000000000000002
[   16.913304] R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000002
[   16.914026]
[   16.914189] Allocated by task 1958:
[   16.914562]  save_stack+0x1b/0x40
[   16.914944]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   16.915476]  bpf_iter_link_attach+0x235/0x4e0
[   16.915975]  __do_sys_bpf+0x1832/0x3860
[   16.916371]  do_syscall_64+0x38/0x60
[   16.916750]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   16.917338]
[   16.917524] Freed by task 1958:
[   16.917874]  save_stack+0x1b/0x40
[   16.918241]  __kasan_slab_free+0x12f/0x180
[   16.918681]  kfree+0xc6/0x280
[   16.919024]  bpf_iter_link_attach+0x3e3/0x4e0
[   16.919488]  __do_sys_bpf+0x1832/0x3860
[   16.919915]  do_syscall_64+0x38/0x60
[   16.920301]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

To reproduce:
./test_progs -n 5
#5 bpf_obj_id:OK
Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED

./test_progs -n 4/18
#4/18 bpf_hash_map:OK
#4 bpf_iter:OK
Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED

./test_progs -n 5
[   37.569154] ==================================================================
[   37.570020] BUG: KASAN: use-after-free in __do_sys_bpf+0x34f3/0x3860
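
Added example, not part of the thread or the patch series: a user-space walk of a hash map using BPF_MAP_GET_NEXT_KEY, i.e. approach 1 from the cover letter, the per-element copy-out that the in-kernel iterator is meant to replace. It uses the raw bpf(2) syscall with no libbpf, so it builds with a plain cc on Linux with <linux/bpf.h>; creating a map needs CAP_BPF or root, and the demo reports that case instead of failing. All helper names are my own.

```c
// Walk every element of a BPF hash map from user space with
// BPF_MAP_GET_NEXT_KEY (one key per syscall, one value per lookup).
// Added example; raw bpf(2) only, no libbpf. Helper names are assumptions.
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

/* The kernel takes the attr union plus its size and rejects non-zero
 * bytes beyond what the command understands, hence memset() everywhere. */
static long sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
{
    return syscall(__NR_bpf, cmd, attr, size);
}

/* BPF_MAP_TYPE_HASH with u32 keys and u64 values. Returns the map fd, or
 * -1 with errno set (EPERM without CAP_BPF/CAP_SYS_ADMIN). */
static int hash_map_create(unsigned int max_entries)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_type = BPF_MAP_TYPE_HASH;
    attr.key_size = sizeof(uint32_t);
    attr.value_size = sizeof(uint64_t);
    attr.max_entries = max_entries;
    return (int)sys_bpf(BPF_MAP_CREATE, &attr, sizeof(attr));
}

static int map_update(int fd, uint32_t key, uint64_t value)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = fd;
    attr.key = (uint64_t)(uintptr_t)&key;
    attr.value = (uint64_t)(uintptr_t)&value;
    attr.flags = BPF_ANY;
    return (int)sys_bpf(BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
}

static int map_lookup(int fd, uint32_t key, uint64_t *value)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = fd;
    attr.key = (uint64_t)(uintptr_t)&key;
    attr.value = (uint64_t)(uintptr_t)value;
    return (int)sys_bpf(BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
}

/* key == NULL asks for the first key; ENOENT means we walked past the last. */
static int map_get_next_key(int fd, const uint32_t *key, uint32_t *next)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = fd;
    attr.key = (uint64_t)(uintptr_t)key;
    attr.next_key = (uint64_t)(uintptr_t)next;
    return (int)sys_bpf(BPF_MAP_GET_NEXT_KEY, &attr, sizeof(attr));
}

/* Sum all values. Returns the element count, or -1 on error. The walk is
 * bounded by max_steps: if the "current" key is deleted underneath us, a
 * hash map restarts from its first element, so an unbounded loop on a map
 * that is being modified concurrently may never terminate. */
static long walk_sum(int fd, unsigned int max_steps, uint64_t *sum)
{
    uint32_t cur, next;
    const uint32_t *kp = NULL;   /* NULL on the first step */
    long n = 0;
    *sum = 0;
    for (unsigned int step = 0; step < max_steps; step++) {
        if (map_get_next_key(fd, kp, &next) < 0)
            return errno == ENOENT ? n : -1;
        uint64_t v;
        if (map_lookup(fd, next, &v) == 0) {
            *sum += v;
            n++;
        } else if (errno != ENOENT) {   /* ENOENT here: raced with a delete */
            return -1;
        }
        cur = next;
        kp = &cur;
    }
    return -1;   /* did not terminate within max_steps */
}

/* Constructed input: keys 1..5 with value key*10, so the sum is 150.
 * Returns 0 on success, 1 when bpf() is unavailable here, -1 on failure. */
int demo(uint64_t *sum, long *count)
{
    int fd = hash_map_create(16);
    if (fd < 0)
        return (errno == EPERM || errno == ENOSYS) ? 1 : -1;
    for (uint32_t k = 1; k <= 5; k++)
        if (map_update(fd, k, (uint64_t)k * 10) < 0) { close(fd); return -1; }
    *count = walk_sum(fd, 64, sum);
    close(fd);
    return (*count == 5 && *sum == 150) ? 0 : -1;
}

int main(void)
{
    uint64_t sum; long count;
    int rc = demo(&sum, &count);
    if (rc == 1) { puts("bpf() unavailable (need CAP_BPF or root)"); return 0; }
    if (rc) { perror("demo"); return 1; }
    printf("%ld elements, sum %llu\n", count, (unsigned long long)sum);
    return 0;
}
```

Every element costs two round trips through the syscall boundary (next key, then value), each copying data to user space; the iterator programs in this series run the same kind of per-element logic inside the kernel and only emit what the program chooses to write to the seq file.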
