| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 May 2022 17:01:35 +0200
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Vegard Nossum <vegard.nossum@...il.com>
Cc: syzbot <syzbot+5027de09e0964fd78ce1@...kaller.appspotmail.com>,
andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org,
daniel@...earbox.net, "David S. Miller" <davem@...emloft.net>,
fgheet255t@...il.com, hawk@...nel.org, jakub@...udflare.com,
john.fastabend@...il.com, kafai@...com, kpsingh@...nel.org,
kuba@...nel.org, LKML <linux-kernel@...r.kernel.org>,
lmb@...udflare.com, Linux Netdev List <netdev@...r.kernel.org>,
songliubraving@...com, syzkaller-bugs@...glegroups.com, yhs@...com
Subject: Re: [syzbot] KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put
On Mon, 24 Jan 2022 at 12:42, Vegard Nossum <vegard.nossum@...il.com> wrote:
>
> On Thu, 20 Jan 2022 at 15:17, syzbot
> <syzbot+5027de09e0964fd78ce1@...kaller.appspotmail.com> wrote:
> >
> > syzbot suspects this issue was fixed by commit:
> >
> > commit 218d747a4142f281a256687bb513a135c905867b
> > Author: John Fastabend <john.fastabend@...il.com>
> > Date: Tue Jan 4 21:46:45 2022 +0000
> >
> > bpf, sockmap: Fix double bpf_prog_put on error case in map_link
>
> I can confirm the above commit fixes the issue, but it references a
> slightly different report. Looks like the only difference is
> __bpf_prog_put instead of bpf_prog_put:
>
> KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put
> KASAN: vmalloc-out-of-bounds Read in bpf_prog_put
>
> However, looking at the stack traces for the two bugs shows that
> __bpf_prog_put() is really the location for both reports, see:
>
> https://syzkaller.appspot.com/bug?id=797cd651dd0d9bd921e4fa51b792f5afdc3f390f
> kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 mm/kasan/report.c:450
> __bpf_prog_put.constprop.0+0x1dd/0x220 kernel/bpf/syscall.c:1812
> kernel/bpf/syscall.c:1812
> bpf_prog_put kernel/bpf/syscall.c:1829 [inline]
> bpf_prog_put kernel/bpf/syscall.c:1829 [inline] kernel/bpf/syscall.c:1837
>
> vs.
>
> https://syzkaller.appspot.com/bug?extid=bb73e71cf4b8fd376a4f
> kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450
> __bpf_prog_put kernel/bpf/syscall.c:1812 [inline]
> __bpf_prog_put kernel/bpf/syscall.c:1812 [inline] kernel/bpf/syscall.c:1829
> bpf_prog_put+0x8c/0x4f0 kernel/bpf/syscall.c:1829 kernel/bpf/syscall.c:1829
>
> Looks to me like the compiler's inlining decision caused syzbot to see
> __bpf_prog_put() instead of bpf_prog_put(), but I can't tell if it's
> because it got inlined or because of the .constprop.0 suffix... I
> guess syzbot skips the [inline] entries when deciding which function
> to report the bug in?
Not sure if you are still interested in this or not...
But, yes, it's inline frames that are a problem, ".constprop.0" should
be stripped.
syzkaller parses non-symbolized kernel output w/o inlined frames to
extract the title. This was a very early decision, not sure if it's
the right one or not. On the other hand using inline frames can cause
attribution to all the common one-liners.
Now it's somewhat hard to change b/c if we change it, new crashes will
be parsed differently and it will cause a storm of duplicates for
already reported bugs.
> In any case:
>
> #syz dup: KASAN: vmalloc-out-of-bounds Read in bpf_prog_put
>
> Vegard
Powered by blists - more mailing lists