| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEf4BzbA8ZH5HJHh=mzg2pvTsMcNMJLeWMZ6tUEahxJnppfPcQ@mail.gmail.com>
Date: Wed, 2 Feb 2022 23:24:51 -0800
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Hou Tao <hotforest@...il.com>
Cc: Daniel Borkmann <daniel@...earbox.net>, andreyknvl@...gle.com,
Andrii Nakryiko <andrii@...nel.org>,
Alexei Starovoitov <ast@...nel.org>, bpf <bpf@...r.kernel.org>,
"David S. Miller" <davem@...emloft.net>,
Hou Tao <houtao1@...wei.com>,
john fastabend <john.fastabend@...il.com>,
Martin Lau <kafai@...com>, Jakub Kicinski <kuba@...nel.org>,
Networking <netdev@...r.kernel.org>,
syzbot+5ad567a418794b9b5983@...kaller.appspotmail.com,
Yonghong Song <yhs@...com>
Subject: Re: [PATCH bpf-next v2] bpf: use VM_MAP instead of VM_ALLOC for ringbuf
On Wed, Feb 2, 2022 at 9:14 PM Hou Tao <hotforest@...il.com> wrote:
>
> Hi,
>
> > On 2/2/22 7:01 AM, Hou Tao wrote:
> > > After commit 2fd3fb0be1d1 ("kasan, vmalloc: unpoison VM_ALLOC pages
> > > after mapping"), non-VM_ALLOC mappings will be marked as accessible
> > > in __get_vm_area_node() when KASAN is enabled. But now the flag for
> > > ringbuf area is VM_ALLOC, so KASAN will complain out-of-bound access
> > > after vmap() returns. Because the ringbuf area is created by mapping
> > > allocated pages, so use VM_MAP instead.
> > >
> > > After the change, info in /proc/vmallocinfo also changes from
> > > [start]-[end] 24576 ringbuf_map_alloc+0x171/0x290 vmalloc user
> > > to
> > > [start]-[end] 24576 ringbuf_map_alloc+0x171/0x290 vmap user
> > >
> > > Reported-by: syzbot+5ad567a418794b9b5983@...kaller.appspotmail.com
> > > Signed-off-by: Hou Tao <houtao1@...wei.com>
> > > ---
> > > v2:
> > > * explain why VM_ALLOC will lead to vmalloc-oob access
> >
> > Do you know which tree commit 2fd3fb0be1d1 is, looks like it's neither
> > in bpf nor in bpf-next tree at the moment.
> >
> It is on linux-next tree:
>
> $ git name-rev 2fd3fb0be1d1
> 2fd3fb0be1d1 tags/next-20220201~2^2~96
>
> > Either way, I presume this fix should be routed via bpf tree rather
> > than bpf-next? (I can add Fixes tag while applying.)
> >
> Make sense and thanks for that.
Added
Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier
support for it")
and pushed to bpf tree, thanks.
>
> Regards,
> Tao
>
> > > * add Reported-by tag
> > > v1: https://lore.kernel.org/bpf/CANUnq3a+sT_qtO1wNQ3GnLGN7FLvSSgvit2UVgqQKRpUvs85VQ@mail.gmail.com/T/#t
> > > ---
> > > kernel/bpf/ringbuf.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
> > > index 638d7fd7b375..710ba9de12ce 100644
> > > --- a/kernel/bpf/ringbuf.c
> > > +++ b/kernel/bpf/ringbuf.c
> > > @@ -104,7 +104,7 @@ static struct bpf_ringbuf *bpf_ringbuf_area_alloc(size_t data_sz, int numa_node)
> > > }
> > >
> > > rb = vmap(pages, nr_meta_pages + 2 * nr_data_pages,
> > > - VM_ALLOC | VM_USERMAP, PAGE_KERNEL);
> > > + VM_MAP | VM_USERMAP, PAGE_KERNEL);
> > > if (rb) {
> > > kmemleak_not_leak(pages);
> > > rb->pages = pages;
> > >
> >
> >
Powered by blists - more mailing lists