From: Yonghong Song <yhs@fb.com>
To: butt3rflyh4ck <butterflyhuangxx@gmail.com>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Networking <netdev@vger.kernel.org>, bpf <bpf@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: A slab-out-of-bounds Read bug in __htab_map_lookup_and_delete_batch
Date: Thu, 6 Jan 2022 17:19:36 -0800 [thread overview]
Message-ID: <bc4e05a5-5d97-2da0-0f18-b7fa55799158@fb.com> (raw)
In-Reply-To: <CAFcO6XMxZqQo4_C7s0T2dv3JRn4Vq4RDFqJO6ZQFr6kZzsnx9g@mail.gmail.com>
On 12/29/21 7:23 PM, butt3rflyh4ck wrote:
> Hi, the attachment is a reproducer. Enjoy it.
>
> Regards,
> butt3rflyh4ck.
>
>
> On Thu, Dec 30, 2021 at 10:23 AM Alexei Starovoitov
> <alexei.starovoitov@gmail.com> wrote:
>>
>> On Wed, Dec 29, 2021 at 2:10 AM butt3rflyh4ck
>> <butterflyhuangxx@gmail.com> wrote:
>>>
>>> Hi, there is a slab-out-bounds Read bug in
>>> __htab_map_lookup_and_delete_batch in kernel/bpf/hashtab.c
>>> and I reproduce it in linux-5.16.rc7(upstream) and latest linux-5.15.11.
>>>
>>> #carsh log
>>> [ 166.945208][ T6897]
>>> ==================================================================
>>> [ 166.947075][ T6897] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x87/0xb0
>>> [ 166.948612][ T6897] Read of size 49 at addr ffff88801913f800 by
>>> task __htab_map_look/6897
>>> [ 166.950406][ T6897]
>>> [ 166.950890][ T6897] CPU: 1 PID: 6897 Comm: __htab_map_look Not
>>> tainted 5.16.0-rc7+ #30
>>> [ 166.952521][ T6897] Hardware name: QEMU Standard PC (i440FX + PIIX,
>>> 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
>>> [ 166.954562][ T6897] Call Trace:
>>> [ 166.955268][ T6897] <TASK>
>>> [ 166.955918][ T6897] dump_stack_lvl+0x57/0x7d
>>> [ 166.956875][ T6897] print_address_description.constprop.0.cold+0x93/0x347
>>> [ 166.958411][ T6897] ? _copy_to_user+0x87/0xb0
>>> [ 166.959356][ T6897] ? _copy_to_user+0x87/0xb0
>>> [ 166.960272][ T6897] kasan_report.cold+0x83/0xdf
>>> [ 166.961196][ T6897] ? _copy_to_user+0x87/0xb0
>>> [ 166.962053][ T6897] kasan_check_range+0x13b/0x190
>>> [ 166.962978][ T6897] _copy_to_user+0x87/0xb0
>>> [ 166.964340][ T6897] __htab_map_lookup_and_delete_batch+0xdc2/0x1590
>>> [ 166.965619][ T6897] ? htab_lru_map_update_elem+0xe70/0xe70
>>> [ 166.966732][ T6897] bpf_map_do_batch+0x1fa/0x460
>>> [ 166.967619][ T6897] __sys_bpf+0x99a/0x3860
>>> [ 166.968443][ T6897] ? bpf_link_get_from_fd+0xd0/0xd0
>>> [ 166.969393][ T6897] ? rcu_read_lock_sched_held+0x9c/0xd0
>>> [ 166.970425][ T6897] ? lock_acquire+0x1ab/0x520
>>> [ 166.971284][ T6897] ? find_held_lock+0x2d/0x110
>>> [ 166.972208][ T6897] ? rcu_read_lock_sched_held+0x9c/0xd0
>>> [ 166.973139][ T6897] ? rcu_read_lock_bh_held+0xb0/0xb0
>>> [ 166.974096][ T6897] __x64_sys_bpf+0x70/0xb0
>>> [ 166.974903][ T6897] ? syscall_enter_from_user_mode+0x21/0x70
>>> [ 166.976077][ T6897] do_syscall_64+0x35/0xb0
>>> [ 166.976889][ T6897] entry_SYSCALL_64_after_hwframe+0x44/0xae
>>> [ 166.978027][ T6897] RIP: 0033:0x450f0d
>>>
>>>
>>> In hashtable, if the elements' keys have the same jhash() value, the
>>> elements will be put into the same bucket.
>>> By putting a lot of elements into a single bucket, the value of
>>> bucket_size can be increased to overflow.
>>> but also we can increase bucket_cnt to out of bound Read.
I tried the attachment (reproducer) and cannot reproduce the issue
with latest bpf-next tree.
My config has kasan enabled. Could you send the matching .config file
as well so I could reproduce?
>>
>> Can you be more specific?
>> If you can send a patch with a fix it would be even better.
>>
>>> the out of bound Read in __htab_map_lookup_and_delete_batch code:
>>> ```
>>> ...
>>> if (bucket_cnt && (copy_to_user(ukeys + total * key_size, keys,
>>> key_size * bucket_cnt) ||
>>> copy_to_user(uvalues + total * value_size, values,
>>> value_size * bucket_cnt))) {
>>> ret = -EFAULT;
>>> goto after_loop;
>>> }
>>> ...
>>> ```
>>>
>>> Regards,
>>> butt3rflyh4ck.
>>>
>>>
>>> --
>>> Active Defense Lab of Venustech
>
>
>
next prev parent reply other threads:[~2022-01-07 1:19 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-29 10:10 A slab-out-of-bounds Read bug in __htab_map_lookup_and_delete_batch butt3rflyh4ck
2021-12-30 2:23 ` Alexei Starovoitov
2021-12-30 3:23 ` butt3rflyh4ck
2021-12-30 4:00 ` Alexei Starovoitov
2022-01-06 6:02 ` butt3rflyh4ck
2022-01-07 1:19 ` Yonghong Song [this message]
2022-01-07 3:25 ` butt3rflyh4ck
2022-01-07 4:02 ` Yonghong Song
2022-01-07 5:42 ` butt3rflyh4ck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bc4e05a5-5d97-2da0-0f18-b7fa55799158@fb.com \
--to=yhs@fb.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=butterflyhuangxx@gmail.com \
--cc=daniel@iogearbox.net \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=songliubraving@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).