From: Aleksandr Nogikh <nogikh@google.com>
To: Song Liu <song@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
	syzbot <syzbot+2f649ec6d2eea1495a8f@syzkaller.appspotmail.com>,
	Andrii Nakryiko <andrii@kernel.org>,
	Alexei Starovoitov <ast@kernel.org>, bpf <bpf@vger.kernel.org>,
	"David S . Miller" <davem@davemloft.net>,
	Jesper Dangaard Brouer <hawk@kernel.org>,
	John Fastabend <john.fastabend@gmail.com>,
	Martin KaFai Lau <kafai@fb.com>, KP Singh <kpsingh@kernel.org>,
	Jakub Kicinski <kuba@kernel.org>,
	open list <linux-kernel@vger.kernel.org>,
	Networking <netdev@vger.kernel.org>,
	Song Liu <songliubraving@fb.com>,
	syzkaller-bugs@googlegroups.com, Yonghong Song <yhs@fb.com>
Subject: Re: [syzbot] KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
Date: Thu, 17 Feb 2022 19:32:43 +0100
Message-ID: <CANp29Y4YC_rSKAgkYTaPV1gcN4q4WeGMvs61P2wnMQEv=kiu8A@mail.gmail.com>
In-Reply-To: <CAPhsuW6YOv_xjvknt_FPGwDhuCuG5s=7Xt1t-xL2+F6UKsJf-w@mail.gmail.com>

Hi Song,

On Wed, Feb 16, 2022 at 5:27 PM Song Liu <song@kernel.org> wrote:
>
> Hi Aleksandr,
>
> Thanks for your kind reply!
>
> On Wed, Feb 16, 2022 at 1:38 AM Aleksandr Nogikh <nogikh@google.com> wrote:
> >
> > Hi Song,
> >
> > Is syzkaller not doing something you expect it to do with this config?
>
> I fixed sshkey in the config, and added a suppression for hsr_node_get_first.
> However, I haven't got a repro overnight.

Oh, that's unfortunately not a very reliable thing. The bug has so far
happened only once on syzbot, so it must be pretty rare. Maybe you'll
have more luck with your local setup :)

You can try to run syz-repro on the log file that is available on the
syzbot dashboard:
https://github.com/google/syzkaller/blob/master/tools/syz-repro/repro.go
Syzbot has already done it and apparently failed to succeed, but this
is also somewhat probabilistic, especially when the bug is due to some
rare race condition. So trying it several times might help.

Also you might want to hack your local syzkaller copy a bit:
https://github.com/google/syzkaller/blob/master/syz-manager/manager.go#L804
Here you can drop the limit on the maximum number of repro attempts
and make needLocalRepro only return true if crash.Title matches the
title of this particular bug. With this change your local syzkaller
instance won't waste time reproducing other bugs.

There's also a way to focus syzkaller on some specific kernel
functions/source files:
https://github.com/google/syzkaller/blob/master/pkg/mgrconfig/config.go#L125

--
Best Regards,
Aleksandr

>
> >
> > On Wed, Feb 16, 2022 at 2:38 AM Song Liu <song@kernel.org> wrote:
> > >
> > > On Mon, Feb 14, 2022 at 10:41 PM Song Liu <song@kernel.org> wrote:
> > > >
> > > > On Mon, Feb 14, 2022 at 3:52 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
> > > > >
> > > > > Song, ptal.
> > > > >
> > > > > On 2/14/22 7:45 PM, syzbot wrote:
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following issue on:
> > > > > >
> > > > > > HEAD commit:    e5313968c41b Merge branch 'Split bpf_sk_lookup remote_port..
> > > > > > git tree:       bpf-next
> > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10baced8700000
> > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=c40b67275bfe2a58
> > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=2f649ec6d2eea1495a8f
> > >
> > > How do I run the exact same syzkaller? I am doing something like
> > >
> > > ./bin/syz-manager -config qemu.cfg
> > >
> > > with the cfg file like:
> > >
> > > {
> > >         "target": "linux/amd64",
> > >         "http": ":56741",
> > >         "workdir": "workdir",
> > >         "kernel_obj": "linux",
> > >         "image": "./pkg/mgrconfig/testdata/stretch.img",
> >
> > This image location looks suspicious - we store some dummy data for
> > tests in that folder.
> > Instances now run on buildroot-based images, generated with
> > https://github.com/google/syzkaller/blob/master/tools/create-buildroot-image.sh
>
> Thanks for the information. I will give it a try.
>
> >
> > >         "syzkaller": ".",
> > >         "disable_syscalls": ["keyctl", "add_key", "request_key"],
> >
> > For our bpf instances, instead of disable_syscalls we use enable_syscalls:
> >
> > "enable_syscalls": [
> > "bpf", "mkdir", "mount$bpf", "unlink", "close",
> > "perf_event_open*", "ioctl$PERF*", "getpid", "gettid",
> > "socketpair", "sendmsg", "recvmsg", "setsockopt$sock_attach_bpf",
> > "socket$kcm", "ioctl$sock_kcm*", "syz_clone",
> > "mkdirat$cgroup*", "openat$cgroup*", "write$cgroup*",
> > "openat$tun", "write$tun", "ioctl$TUN*", "ioctl$SIOCSIFHWADDR",
> > "openat$ppp", "syz_open_procfs$namespace"
> > ]
>
> I will try with the same list. Thanks!
>
> Song
>
> >
> > >         "suppressions": ["some known bug"],
> > >         "procs": 8,
> >
> > We usually run with "procs": 6, but it's not that important.
> >
> > >         "type": "qemu",
> > >         "vm": {
> > >                 "count": 16,
> > >                 "cpu": 2,
> > >                 "mem": 2048,
> > >                 "kernel": "linux/arch/x86/boot/bzImage"
> > >         }
> > > }
> >
> > Otherwise I don't see any really significant differences.
> >
> > --
> > Best Regards
> > Aleksandr
> >
> > >
> > > Is this correct? I am using stretch.img from syzkaller site, and the
> > > .config from the link above.
> > >
> > > Thanks,
> > > Song
> > >
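The needLocalRepro hack Aleksandr describes above (drop the attempt cap, only reproduce the one crash title you are chasing), as an added stand-alone Go illustration that is not syzkaller's own code; the Crash and ReproPolicy types, the default cap of 3 attempts and the unrelated crash title are assumptions constructed for this example:

```go
package main

import (
	"fmt"
	"strings"
)

// Crash is the minimal view of a crash record that a repro policy needs.
// Field names are assumptions for this example, not syzkaller's.
type Crash struct {
	Title    string // e.g. "KASAN: vmalloc-out-of-bounds Read in bpf_jit_free"
	Attempts int    // local repro attempts already spent on this title
}

// ReproPolicy decides whether the manager should spend VM time on a local repro.
type ReproPolicy struct {
	MaxAttempts int    // per-title cap; <= 0 means unlimited (the "dropped limit")
	OnlyTitle   string // when non-empty, only this exact title is reproduced
}

// NeedLocalRepro returns true only for the focused title and never gives up
// on it because of the attempt count when MaxAttempts is unlimited.
func (p ReproPolicy) NeedLocalRepro(c Crash) bool {
	if p.OnlyTitle != "" && strings.TrimSpace(c.Title) != p.OnlyTitle {
		return false // unrelated bug: do not waste VMs on it
	}
	if p.MaxAttempts > 0 && c.Attempts >= p.MaxAttempts {
		return false // capped policy: stop after MaxAttempts tries
	}
	return true
}

func main() {
	const target = "KASAN: vmalloc-out-of-bounds Read in bpf_jit_free"
	// Constructed crash events, as a manager might see them during a run.
	crashes := []Crash{
		{target, 0},
		{"WARNING: constructed unrelated crash", 0},
		{target, 5}, // a rare race: the capped policy would already have given up
	}
	capped := ReproPolicy{MaxAttempts: 3} // assumed default-style behaviour
	focused := ReproPolicy{OnlyTitle: target}
	for _, c := range crashes {
		fmt.Printf("%-50s attempts=%d capped=%-5v focused=%v\n",
			c.Title, c.Attempts, capped.NeedLocalRepro(c), focused.NeedLocalRepro(c))
	}
}
```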
