| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 27 Jun 2021 00:17:20 +0900
From: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
To: Steven Rostedt <rostedt@...dmis.org>
Cc: Peter Zijlstra <peterz@...radead.org>,
Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Ingo Molnar <mingo@...nel.org>,
Robert Richter <rric@...nel.org>,
Gabriel Krisman Bertazi <krisman@...labora.com>,
"Gustavo A. R. Silva" <gustavoars@...nel.org>,
linux-kernel@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
netdev <netdev@...r.kernel.org>, bpf@...r.kernel.org
Subject: Re: [PATCH] tracepoint: Do not warn on EEXIST or ENOENT
On 2021/06/27 0:13, Tetsuo Handa wrote:
> On 2021/06/26 23:18, Steven Rostedt wrote:
>> On Sat, 26 Jun 2021 22:58:45 +0900
>> Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp> wrote:
>>
>>> syzbot is hitting WARN_ON_ONCE() at tracepoint_add_func() [1], but
>>> func_add() returning -EEXIST and func_remove() returning -ENOENT are
>>> not kernel bugs that can justify crashing the system.
>>
>> There should be no path that registers a tracepoint twice. That's a bug
>> in the kernel. Looking at the link below, I see the backtrace:
>>
>> Call Trace:
>> tracepoint_probe_register_prio kernel/tracepoint.c:369 [inline]
>> tracepoint_probe_register+0x9c/0xe0 kernel/tracepoint.c:389
>> __bpf_probe_register kernel/trace/bpf_trace.c:2154 [inline]
>> bpf_probe_register+0x15a/0x1c0 kernel/trace/bpf_trace.c:2159
>> bpf_raw_tracepoint_open+0x34a/0x720 kernel/bpf/syscall.c:2878
>> __do_sys_bpf+0x2586/0x4f40 kernel/bpf/syscall.c:4435
>> do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
>>
>> So BPF is allowing the user to register the same tracepoint more than
>> once? That looks to be a bug in the BPF code where it shouldn't be
>> allowing user space to register the same tracepoint multiple times.
>
> I didn't catch your question.
>
> (1) func_add() can reject an attempt to add same tracepoint multiple times
> by returning -EINVAL to the caller.
Sorry, s/EINVAL/EEXIST/g on (1) (2) (6).
> (2) But tracepoint_add_func() (the caller of func_add()) is calling WARN_ON_ONCE()
> if func_add() returned -EINVAL.
> (3) And tracepoint_add_func() is triggerable via request from userspace.
> (4) tracepoint_probe_register_prio() serializes tracepoint_add_func() call
> triggered by concurrent request from userspace using tracepoints_mutex mutex.
> (5) But tracepoint_add_func() does not check whether same tracepoint multiple
> is already registered before calling func_add().
> (6) As a result, tracepoint_add_func() receives -EINVAL from func_add(), and
> calls WARN_ON_ONCE() and the system crashes due to panic_on_warn == 1.
>
> Why this is a bug in the BPF code? The BPF code is not allowing userspace to
> register the same tracepoint multiple times. I think that tracepoint_add_func()
> is stupid enough to crash the kernel instead of rejecting when an attempt to
> register the same tracepoint multiple times is made.
>
Powered by blists - more mailing lists