lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20220203051427.23315-1-houtao1@huawei.com>
Date:   Thu,  3 Feb 2022 13:14:27 +0800
From:   Hou Tao <hotforest@...il.com>
To:     daniel@...earbox.net
Cc:     andreyknvl@...gle.com, andrii@...nel.org, ast@...nel.org,
        bpf@...r.kernel.org, davem@...emloft.net, hotforest@...il.com,
        houtao1@...wei.com, john.fastabend@...il.com, kafai@...com,
        kuba@...nel.org, netdev@...r.kernel.org,
        syzbot+5ad567a418794b9b5983@...kaller.appspotmail.com, yhs@...com
Subject: Re: [PATCH bpf-next v2] bpf: use VM_MAP instead of VM_ALLOC for ringbuf

Hi,

> On 2/2/22 7:01 AM, Hou Tao wrote:
> > After commit 2fd3fb0be1d1 ("kasan, vmalloc: unpoison VM_ALLOC pages
> > after mapping"), non-VM_ALLOC mappings will be marked as accessible
> > in __get_vm_area_node() when KASAN is enabled. But now the flag for
> > ringbuf area is VM_ALLOC, so KASAN will complain out-of-bound access
> > after vmap() returns. Because the ringbuf area is created by mapping
> > allocated pages, so use VM_MAP instead.
> > 
> > After the change, info in /proc/vmallocinfo also changes from
> >    [start]-[end]   24576 ringbuf_map_alloc+0x171/0x290 vmalloc user
> > to
> >    [start]-[end]   24576 ringbuf_map_alloc+0x171/0x290 vmap user
> > 
> > Reported-by: syzbot+5ad567a418794b9b5983@...kaller.appspotmail.com
> > Signed-off-by: Hou Tao <houtao1@...wei.com>
> > ---
> > v2:
> >    * explain why VM_ALLOC will lead to vmalloc-oob access
> 
> Do you know which tree commit 2fd3fb0be1d1 is, looks like it's neither
> in bpf nor in bpf-next tree at the moment.
> 
It is on linux-next tree:
 
 $ git name-rev 2fd3fb0be1d1
 2fd3fb0be1d1 tags/next-20220201~2^2~96
 
> Either way, I presume this fix should be routed via bpf tree rather
> than bpf-next? (I can add Fixes tag while applying.)
>
Make sense and thanks for that.

Regards,
Tao

> >    * add Reported-by tag
> > v1: https://lore.kernel.org/bpf/CANUnq3a+sT_qtO1wNQ3GnLGN7FLvSSgvit2UVgqQKRpUvs85VQ@mail.gmail.com/T/#t
> > ---
> >   kernel/bpf/ringbuf.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
> > index 638d7fd7b375..710ba9de12ce 100644
> > --- a/kernel/bpf/ringbuf.c
> > +++ b/kernel/bpf/ringbuf.c
> > @@ -104,7 +104,7 @@ static struct bpf_ringbuf *bpf_ringbuf_area_alloc(size_t data_sz, int numa_node)
> >   	}
> >   
> >   	rb = vmap(pages, nr_meta_pages + 2 * nr_data_pages,
> > -		  VM_ALLOC | VM_USERMAP, PAGE_KERNEL);
> > +		  VM_MAP | VM_USERMAP, PAGE_KERNEL);
> >   	if (rb) {
> >   		kmemleak_not_leak(pages);
> >   		rb->pages = pages;
> > 
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ