lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 23 Jul 2020 11:32:28 -0700
From:   Yonghong Song <yhs@...com>
To:     Alexei Starovoitov <alexei.starovoitov@...il.com>
CC:     <bpf@...r.kernel.org>, <netdev@...r.kernel.org>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>, <kernel-team@...com>,
        Martin KaFai Lau <kafai@...com>
Subject: Re: [PATCH bpf-next v3 00/13] bpf: implement bpf iterator for map
 elements



On 7/22/20 11:53 PM, Alexei Starovoitov wrote:
> On Wed, Jul 22, 2020 at 11:15:33PM -0700, Yonghong Song wrote:
>> Bpf iterator has been implemented for task, task_file,
>> bpf_map, ipv6_route, netlink, tcp and udp so far.
>>
>> For map elements, there are two ways to traverse all elements from
>> user space:
>>    1. using BPF_MAP_GET_NEXT_KEY bpf subcommand to get elements
>>       one by one.
>>    2. using BPF_MAP_LOOKUP_BATCH bpf subcommand to get a batch of
>>       elements.
>> Both these approaches need to copy data from kernel to user space
>> in order to do inspection.
>>
>> This patch implements bpf iterator for map elements.
>> User can have a bpf program in kernel to run with each map element,
>> do checking, filtering, aggregation, modifying values etc.
>> without copying data to user space.
>>
>> Patch #1 and #2 are refactoring. Patch #3 implements readonly/readwrite
>> buffer support in verifier. Patches #4 - #7 implements map element
>> support for hash, percpu hash, lru hash lru percpu hash, array,
>> percpu array and sock local storage maps. Patches #8 - #9 are libbpf
>> and bpftool support. Patches #10 - #13 are selftests for implemented
>> map element iterators.
> 
> kasan is not happy:
> 
> [   16.896170] ==================================================================
> [   16.896994] BUG: KASAN: use-after-free in __do_sys_bpf+0x34f3/0x3860
> [   16.897657] Read of size 4 at addr ffff8881f105b208 by task test_progs/1958
> [   16.898416]
> [   16.898577] CPU: 0 PID: 1958 Comm: test_progs Not tainted 5.8.0-rc4-01920-g6276000cd38e #2828
> [   16.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
> [   16.900405] Call Trace:
> [   16.900679]  dump_stack+0x7d/0xb0
> [   16.901068]  print_address_description.constprop.0+0x3a/0x60
> [   16.901689]  ? __do_sys_bpf+0x34f3/0x3860
> [   16.902125]  kasan_report.cold+0x1f/0x37
> [   16.902595]  ? __do_sys_bpf+0x34f3/0x3860
> [   16.903029]  __do_sys_bpf+0x34f3/0x3860
> [   16.903494]  ? bpf_trace_run2+0xd1/0x210
> [   16.903971]  ? bpf_link_get_from_fd+0xe0/0xe0
> [   16.907802]  do_syscall_64+0x38/0x60
> [   16.908187]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [   16.908730] RIP: 0033:0x7f014cdfe7f9
> [   16.909148] Code: Bad RIP value.
> [   16.909524] RSP: 002b:00007ffe1d1e8b28 EFLAGS: 00000206 ORIG_RAX: 0000000000000141
> [   16.910345] RAX: ffffffffffffffda RBX: 00007f014dd27690 RCX: 00007f014cdfe7f9
> [   16.911058] RDX: 0000000000000078 RSI: 00007ffe1d1e8b60 RDI: 000000000000001e
> [   16.911820] RBP: 00007ffe1d1e8b40 R08: 00007ffe1d1e8b40 R09: 00007ffe1d1e8b60
> [   16.912575] R10: 0000000000000044 R11: 0000000000000206 R12: 0000000000000002
> [   16.913304] R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000002
> [   16.914026]
> [   16.914189] Allocated by task 1958:
> [   16.914562]  save_stack+0x1b/0x40
> [   16.914944]  __kasan_kmalloc.constprop.0+0xc2/0xd0
> [   16.915476]  bpf_iter_link_attach+0x235/0x4e0
> [   16.915975]  __do_sys_bpf+0x1832/0x3860
> [   16.916371]  do_syscall_64+0x38/0x60
> [   16.916750]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [   16.917338]
> [   16.917524] Freed by task 1958:
> [   16.917874]  save_stack+0x1b/0x40
> [   16.918241]  __kasan_slab_free+0x12f/0x180
> [   16.918681]  kfree+0xc6/0x280
> [   16.919024]  bpf_iter_link_attach+0x3e3/0x4e0
> [   16.919488]  __do_sys_bpf+0x1832/0x3860
> [   16.919915]  do_syscall_64+0x38/0x60
> [   16.920301]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Thanks for reporting the bug. The gcc on my system is 8.2 and the
requirement for kasan support is gcc 8.3. Using clang, I am able
to see the issue. Will fix and re-submit. Thanks!

> 
> To reproduce:
> ./test_progs -n 5
> #5 bpf_obj_id:OK
> Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
> 
> ./test_progs -n 4/18
> #4/18 bpf_hash_map:OK
> #4 bpf_iter:OK
> Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED
> 
> ./test_progs -n 5
> [   37.569154] ==================================================================
> [   37.570020] BUG: KASAN: use-after-free in __do_sys_bpf+0x34f3/0x3860
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ