From: syzbot <syzbot+bed360704c521841c85d@syzkaller.appspotmail.com>
To: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
	daniel@iogearbox.net, davem@davemloft.net, hawk@kernel.org,
	john.fastabend@gmail.com, kafai@fb.com, kpsingh@kernel.org,
	kuba@kernel.org, linux-kernel@vger.kernel.org,
	netdev@vger.kernel.org, songliubraving@fb.com,
	syzkaller-bugs@googlegroups.com, yhs@fb.com
Subject: [syzbot] UBSAN: shift-out-of-bounds in ___bpf_prog_run
Date: Wed, 10 Mar 2021 08:05:22 -0800	[thread overview]
Message-ID: <0000000000008f912605bd30d5d7@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    144c79ef Merge tag 'perf-tools-fixes-for-v5.12-2020-03-07'..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1572d952d00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ccdd84f79f45b23d
dashboard link: https://syzkaller.appspot.com/bug?extid=bed360704c521841c85d

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com

================================================================================
UBSAN: shift-out-of-bounds in kernel/bpf/core.c:1420:2
shift exponent 255 is too large for 64-bit type 'long long unsigned int'
CPU: 1 PID: 11097 Comm: syz-executor.4 Not tainted 5.12.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
 ___bpf_prog_run.cold+0x19/0x56c kernel/bpf/core.c:1420
 __bpf_prog_run32+0x8f/0xd0 kernel/bpf/core.c:1735
 bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline]
 bpf_prog_run_pin_on_cpu include/linux/filter.h:624 [inline]
 bpf_prog_run_clear_cb include/linux/filter.h:755 [inline]
 run_filter+0x1a1/0x470 net/packet/af_packet.c:2031
 packet_rcv+0x313/0x13e0 net/packet/af_packet.c:2104
 dev_queue_xmit_nit+0x7c2/0xa90 net/core/dev.c:2387
 xmit_one net/core/dev.c:3588 [inline]
 dev_hard_start_xmit+0xad/0x920 net/core/dev.c:3609
 __dev_queue_xmit+0x2121/0x2e00 net/core/dev.c:4182
 __bpf_tx_skb net/core/filter.c:2116 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2141 [inline]
 __bpf_redirect+0x548/0xc80 net/core/filter.c:2164
 ____bpf_clone_redirect net/core/filter.c:2448 [inline]
 bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2420
 ___bpf_prog_run+0x34e1/0x77d0 kernel/bpf/core.c:1523
 __bpf_prog_run512+0x99/0xe0 kernel/bpf/core.c:1737
 bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline]
 bpf_test_run+0x3ed/0xc50 net/bpf/test_run.c:50
 bpf_prog_test_run_skb+0xabc/0x1c50 net/bpf/test_run.c:582
 bpf_prog_test_run kernel/bpf/syscall.c:3127 [inline]
 __do_sys_bpf+0x1ea9/0x4f00 kernel/bpf/syscall.c:4406
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x465f69
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2797f63188 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465f69
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00000000004bfa3f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffcd53d929f R14: 00007f2797f63300 R15: 0000000000022000
================================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
