* [PATCH bpf-next] bpf: test_run: fix OOB access in bpf_prog_test_run_xdp
@ 2022-02-02 20:53 Lorenzo Bianconi
2022-02-03 17:50 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: Lorenzo Bianconi @ 2022-02-02 20:53 UTC (permalink / raw)
To: bpf; +Cc: ast, daniel, brouer, toke, lorenzo.bianconi, andrii, syzkaller-bugs
Fix the following kasan issue reported by syzbot:
BUG: KASAN: slab-out-of-bounds in __skb_frag_set_page include/linux/skbuff.h:3242 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_prog_test_run_xdp+0x10ac/0x1150 net/bpf/test_run.c:972
Write of size 8 at addr ffff888048c75000 by task syz-executor.5/23405
CPU: 1 PID: 23405 Comm: syz-executor.5 Not tainted 5.16.0-syzkaller #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
__skb_frag_set_page include/linux/skbuff.h:3242 [inline]
bpf_prog_test_run_xdp+0x10ac/0x1150 net/bpf/test_run.c:972
bpf_prog_test_run kernel/bpf/syscall.c:3356 [inline]
__sys_bpf+0x1858/0x59a0 kernel/bpf/syscall.c:4658
__do_sys_bpf kernel/bpf/syscall.c:4744 [inline]
__se_sys_bpf kernel/bpf/syscall.c:4742 [inline]
__x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4742
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f4ea30dd059
RSP: 002b:00007f4ea1a52168 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f4ea31eff60 RCX: 00007f4ea30dd059
RDX: 0000000000000048 RSI: 0000000020000000 RDI: 000000000000000a
RBP: 00007f4ea313708d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc8367c5af R14: 00007f4ea1a52300 R15: 0000000000022000
</TASK>
Allocated by task 23405:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
____kasan_kmalloc mm/kasan/common.c:516 [inline]
____kasan_kmalloc mm/kasan/common.c:475 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525
kmalloc include/linux/slab.h:586 [inline]
kzalloc include/linux/slab.h:715 [inline]
bpf_test_init.isra.0+0x9f/0x150 net/bpf/test_run.c:411
bpf_prog_test_run_xdp+0x2f8/0x1150 net/bpf/test_run.c:941
bpf_prog_test_run kernel/bpf/syscall.c:3356 [inline]
__sys_bpf+0x1858/0x59a0 kernel/bpf/syscall.c:4658
__do_sys_bpf kernel/bpf/syscall.c:4744 [inline]
__se_sys_bpf kernel/bpf/syscall.c:4742 [inline]
__x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4742
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff888048c74000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 0 bytes to the right of
4096-byte region [ffff888048c74000, ffff888048c75000)
The buggy address belongs to the page:
page:ffffea0001231c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x48c70
head:ffffea0001231c00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010c42140
raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
prep_new_page mm/page_alloc.c:2434 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271
alloc_slab_page mm/slub.c:1799 [inline]
allocate_slab mm/slub.c:1944 [inline]
new_slab+0x28a/0x3b0 mm/slub.c:2004
___slab_alloc+0x87c/0xe90 mm/slub.c:3018
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105
slab_alloc_node mm/slub.c:3196 [inline]
__kmalloc_node_track_caller+0x2cb/0x360 mm/slub.c:4957
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0xde/0x340 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1159 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:745 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:802 [inline]
nsim_dev_trap_report_work+0x29a/0xbc0 drivers/net/netdevsim/dev.c:843
process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
worker_thread+0x657/0x1110 kernel/workqueue.c:2454
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1352 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
free_unref_page_prepare mm/page_alloc.c:3325 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3404
qlink_free mm/kasan/quarantine.c:157 [inline]
qlist_free_all+0x6d/0x160 mm/kasan/quarantine.c:176
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283
__kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:447
kasan_slab_alloc include/linux/kasan.h:260 [inline]
slab_post_alloc_hook mm/slab.h:732 [inline]
slab_alloc_node mm/slub.c:3230 [inline]
slab_alloc mm/slub.c:3238 [inline]
kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3243
getname_flags.part.0+0x50/0x4f0 fs/namei.c:138
getname_flags include/linux/audit.h:323 [inline]
getname+0x8e/0xd0 fs/namei.c:217
do_sys_openat2+0xf5/0x4d0 fs/open.c:1208
do_sys_open fs/open.c:1230 [inline]
__do_sys_openat fs/open.c:1246 [inline]
__se_sys_openat fs/open.c:1241 [inline]
__x64_sys_openat+0x13f/0x1f0 fs/open.c:1241
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Memory state around the buggy address:
ffff888048c74f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888048c74f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888048c75000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888048c75080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888048c75100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Fixes: 1c19499825246 ("bpf: introduce frags support to bpf_prog_test_run_xdp()")
Reported-by: syzbot+6d70ca7438345077c549@syzkaller.appspotmail.com
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
---
net/bpf/test_run.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 65b52b4bd6e1..0220b0822d77 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -962,6 +962,11 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
skb_frag_t *frag;
int data_len;
+ if (sinfo->nr_frags == MAX_SKB_FRAGS) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
page = alloc_page(GFP_KERNEL);
if (!page) {
ret = -ENOMEM;
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH bpf-next] bpf: test_run: fix OOB access in bpf_prog_test_run_xdp
2022-02-02 20:53 [PATCH bpf-next] bpf: test_run: fix OOB access in bpf_prog_test_run_xdp Lorenzo Bianconi
@ 2022-02-03 17:50 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-02-03 17:50 UTC (permalink / raw)
To: Lorenzo Bianconi
Cc: bpf, ast, daniel, brouer, toke, lorenzo.bianconi, andrii, syzkaller-bugs
Hello:
This patch was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:
On Wed, 2 Feb 2022 21:53:20 +0100 you wrote:
> Fix the following kasan issue reported by syzbot:
>
> BUG: KASAN: slab-out-of-bounds in __skb_frag_set_page include/linux/skbuff.h:3242 [inline]
> BUG: KASAN: slab-out-of-bounds in bpf_prog_test_run_xdp+0x10ac/0x1150 net/bpf/test_run.c:972
> Write of size 8 at addr ffff888048c75000 by task syz-executor.5/23405
>
> CPU: 1 PID: 23405 Comm: syz-executor.5 Not tainted 5.16.0-syzkaller #0
> Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
> __kasan_report mm/kasan/report.c:442 [inline]
> kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
> __skb_frag_set_page include/linux/skbuff.h:3242 [inline]
> bpf_prog_test_run_xdp+0x10ac/0x1150 net/bpf/test_run.c:972
> bpf_prog_test_run kernel/bpf/syscall.c:3356 [inline]
> __sys_bpf+0x1858/0x59a0 kernel/bpf/syscall.c:4658
> __do_sys_bpf kernel/bpf/syscall.c:4744 [inline]
> __se_sys_bpf kernel/bpf/syscall.c:4742 [inline]
> __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4742
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x7f4ea30dd059
> RSP: 002b:00007f4ea1a52168 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
> RAX: ffffffffffffffda RBX: 00007f4ea31eff60 RCX: 00007f4ea30dd059
> RDX: 0000000000000048 RSI: 0000000020000000 RDI: 000000000000000a
> RBP: 00007f4ea313708d R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007ffc8367c5af R14: 00007f4ea1a52300 R15: 0000000000022000
> </TASK>
>
> [...]
Here is the summary with links:
- [bpf-next] bpf: test_run: fix OOB access in bpf_prog_test_run_xdp
https://git.kernel.org/bpf/bpf-next/c/a6763080856f
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-02-03 17:50 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-02 20:53 [PATCH bpf-next] bpf: test_run: fix OOB access in bpf_prog_test_run_xdp Lorenzo Bianconi
2022-02-03 17:50 ` patchwork-bot+netdevbpf
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.