Open Source and information security mailing list archives
Message-ID: <1444123482.1827743.1750996347470.JavaMail.zimbra@sjtu.edu.cn>
Date: Fri, 27 Jun 2025 11:52:27 +0800 (CST)
From: 陈乐 <tom2cat@...u.edu.cn>
To: bpf@...r.kernel.org
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [BUG][BPF] Kernel Bug Triggered when eBPF Verifier Check Fails

Hi BPF maintainers,

I'm reporting a bug I encountered in the BPF subsystem on Linux kernel versions <<5.19.5>>, <<6.15.0-rc2-00577-g8066e388be48-dirty>> and <<6.15.3>>.

I wrote a BPF program that triggered a verifier rejection, but at the same time the kernel emitted a BUG() warning at <<kernel/bpf/hashtab.c:222>>, suggesting a potential kernel-side issue rather than just a verifier rejection. Later on, I discovered that constructing any eBPF verifier rejection within the code snippet below triggers this kernel bug.

- Minimal PoC code:

#include "vmlinux.h"
#include <bpf/bpf_helpers.h>

/* Key type of the map below. It is not defined in the snippet as posted;
 * a 6-byte MAC address is assumed here so that the program compiles. */
struct mac_address
{
    __u8 addr[6];
};

struct mac_table_entry
{
    struct bpf_timer expiration_timer;   /* the map value embeds a bpf_timer */
    __u32 ifindex;
    __u64 last_seen_timestamp_ns;
    struct in_addr border_ip;
};

struct
{
    __uint(type, BPF_MAP_TYPE_HASH);
    __type(key, struct mac_address);
    __type(value, struct mac_table_entry);
    __uint(max_entries, 4 * 1024 * 1024);
    __uint(pinning, LIBBPF_PIN_BY_NAME);
} mac_table SEC(".maps");

SEC("xdp.frags")
long mac_xdp_func(struct xdp_md *ctx)
{
    // Any code that the BPF verifier rejects is enough to trigger the kernel BUG:
    // "sleeping function called from invalid context at kernel/bpf/hashtab.c:222".
    // Here the rejection is provoked by an unbounded loop with an empty body.
    while (1) {
        __u32 j;
    }
    return XDP_PASS;
}

char LICENSE[] SEC("license") = "Dual BSD/GPL";

- Kernel version: <<6.15.3...>>
- Architecture: <<x86_64>>
- dmesg excerpt: <<BUG: sleeping function called from invalid context at kernel/bpf/hashtab.c:222>>

Detailed info, including a reproducible BPF program and kernel logs, has been filed on Bugzilla:

  https://bugzilla.kernel.org/show_bug.cgi?id=220278


Please let me know if you need more information or if I can help test a patch.

Thanks,  
Le Chen;  
tom2cat@...u.edu.cn; 
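As an added reproduction script, not from the original report or the kernel tree: it assumes the PoC above is saved as poc.bpf.c with vmlinux.h beside it, that clang and bpftool are installed, and that it is run as root. It compiles the object for the BPF target, lets bpftool trigger the verifier rejection, and then scans only the dmesg lines that appeared afterwards for the hashtab.c BUG, since that message comes from the kernel's sleeping-in-atomic check and never shows up in the verifier log.

```shell
#!/bin/sh
# Reproduction helper for the report above. Added example, not part of the
# original e-mail or the kernel tree. Assumptions: the PoC is saved as
# poc.bpf.c with vmlinux.h next to it; clang, bpftool and root are available.
set -u

BUG_RE='BUG: sleeping function called from invalid context at kernel/bpf/hashtab\.c:[0-9]+'

# Read log text on stdin and print the unique "file:line" locations of the
# hashtab.c sleeping-in-atomic BUG, one per line (nothing if it is absent).
find_hashtab_bug() {
    grep -oE "$BUG_RE" | sed -E 's/.* at //' | sort -u
}

# Compile the PoC for the BPF target and ask bpftool to load it. Because the
# program contains an unbounded loop, the verifier is expected to reject it,
# so a failing load is the intended outcome; an accepted load is reported.
build_and_load() {
    clang -O2 -g -target bpf -D__TARGET_ARCH_x86 -I. -c poc.bpf.c -o poc.bpf.o || return 2
    if bpftool prog load poc.bpf.o /sys/fs/bpf/poc_xdp 2> verifier.log; then
        echo "unexpected: verifier accepted the program" >&2
        return 3
    fi
    grep -q 'infinite loop' verifier.log \
        || echo "note: rejection reason is not 'infinite loop', see verifier.log" >&2
    return 0
}

# Snapshot the dmesg line count, trigger the verifier rejection, then inspect
# only the lines that appeared afterwards. Exit 0 if the BUG was observed.
reproduce() {
    before=$(dmesg | wc -l)
    build_and_load || return $?
    hit=$(dmesg | tail -n "+$((before + 1))" | find_hashtab_bug)
    if [ -n "$hit" ]; then
        echo "BUG reproduced at: $hit"
        return 0
    fi
    echo "no hashtab.c BUG in dmesg (fixed kernel, or CONFIG_DEBUG_ATOMIC_SLEEP disabled)"
    return 1
}

if [ "${1:-}" = "run" ]; then
    reproduce
fi
```

Run it as `sh repro.sh run` as root; exit status 0 means the BUG line appeared after the rejected load. Two caveats: the "sleeping function called from invalid context" message is only printed on kernels built with CONFIG_DEBUG_ATOMIC_SLEEP, so its absence on a kernel without that option proves nothing, and the dmesg line-count snapshot is unreliable if the ring buffer wraps during the run.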
