Received: by 10.223.148.5 with SMTP id 5csp7549148wrq; Thu, 18 Jan 2018 06:47:09 -0800 (PST) X-Google-Smtp-Source: ACJfBosw6lR6Z/rLeSLE5STliueeJ5M9o7epuY6bq63iw+KWOm03ciGblcg5lPdKsvSGkx8++waD X-Received: by 10.99.55.66 with SMTP id g2mr11419171pgn.61.1516286828925; Thu, 18 Jan 2018 06:47:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516286828; cv=none; d=google.com; s=arc-20160816; b=ZjfXdvY6nfVEVGdA8eYBv4r1VRU1n+Hw+8I5O761hVglY/AyqPa6m/QEKYodB1IlBq XieHZZrDetamYZKI/lXtS8acmv5gzfUnmAzE1ZueSPFvXYlUIMq709TXTNTwvxZM8SJe v2EEaqTs1kKRLCj/3CAHNb7eaSUblk/eXXlxoGPh/nuNqF3QN6Ch7z0hf0Du9QU94V1c ksFegOBTFOHoU5lU9S1/IQTm2jKEZrXoBPQZvLJ+gWxqvzO5lG1i5kMgxIfPLLfhTI93 vlEI4ASOBzHRk19WJ45zcRRrwQPWrBqOiFo7iI3xHN1Anbrsfl6+n6qvzdLrf5LweyBg qmLQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=5dMX1+lzEUf65qQFo5hpkTUYFpHlwnUcYO9sIT7kXkE=; b=fyZghUrY4EfW2XZvki8+f5phqPeqaMqKA09tRUMGvTDRgUDm6HQXZX1xLhAbEzguBx Tx2cvNThG6wTMK7jP7uPih0L8qrEY404wL1uKTxH0gCqGzMGC7Q8TGTs+I0MHsdWQ5Iw PeB5RhDcMXSFVNuVGmj1uduw2mR1tWY14voDQsQKcIr3va6oFu+6wD6SaOd+0SBccBF6 ULp1qgkU4ev1D9J8pq1mACus4FkSp6RdRwRBGo69ema203Wg43EoqAacm8QfDXJbQ1o0 ro4Aw/VPIUDCYaruxDSOlK1zWOoXh3Edjrzvfr91M1XIOun9CVt4NtlYHmh2bq9XQBSJ HLAA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u14si5998630pgn.261.2018.01.18.06.46.54; Thu, 18 Jan 2018 06:47:08 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932538AbeAROqb (ORCPT + 99 others); Thu, 18 Jan 2018 09:46:31 -0500 Received: from www62.your-server.de ([213.133.104.62]:49435 "EHLO www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932257AbeAROq3 (ORCPT ); Thu, 18 Jan 2018 09:46:29 -0500 Received: from [62.202.221.5] (helo=linux.home) by www62.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-SHA:256) (Exim 4.85_2) (envelope-from ) id 1ecBSU-0001mv-QP; Thu, 18 Jan 2018 15:46:26 +0100 Subject: Re: dangers of bots on the mailing lists was Re: divide error in ___bpf_prog_run To: Dmitry Vyukov , Alexei Starovoitov Cc: syzbot , Alexei Starovoitov , LKML , netdev References: <001a11405130ff1e9705629eb53c@google.com> <20180117093225.GB20303@amd> From: Daniel Borkmann Message-ID: Date: Thu, 18 Jan 2018 15:46:24 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.99.2/24233/Thu Jan 18 14:20:51 2018) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 01/18/2018 02:10 PM, Dmitry Vyukov wrote: > On Wed, Jan 17, 2018 at 12:09 PM, Dmitry Vyukov wrote: >> On Wed, Jan 17, 2018 at 10:49 AM, Daniel Borkmann wrote: >>> Don't know if there's such a possibility, but it would be nice if we could >>> target fuzzing for specific subsystems in related subtrees directly (e.g. >>> for bpf in bpf and bpf-next trees as one example). Dmitry? >> >> Hi Daniel, >> >> It's doable. >> Let's start with one bpf tree. Will it be bpf or bpf-next? Which one >> contains more ongoing work? What's the exact git repo address/branch, >> so that I don't second guess? I'm actually thinking that bpf tree [1] would be my preferred choice. While most of the development happens in bpf-next, after the merge window it will all end up in bpf eventually anyway and we'd still have ~8 weeks for targeted fuzzing on that before a release goes out. The other advantage I see on bpf tree itself would be that we'd uncover issues from fixes that go into bpf tree earlier like the recent max_entries overflow reports where syzkaller fired multiple times after the commit causing it went already into Linus' tree. Meaning, we'd miss out on that if we would choose bpf-next only, therefore my preferred choice would be on bpf. [1] git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git >> Also what syscalls it makes sense to enable there to target it at bpf >> specifically? As far as I understand effects of bpf are far beyond the >> bpf call and proper testing requires some sockets and other stuff. For Yes, correct. For example, the ones in ... * syzbot+93c4904c5c70348a6890@syzkaller.appspotmail.com * syzbot+48340bb518e88849e2e3@syzkaller.appspotmail.com ... are a great find (!), and they all require runtime testing, so interactions with sockets are definitely needed as well (e.g. the SO_ATTACH_BPF and writes to trigger traffic going through). Another option is to have a basic code template to attach to a loopback device e.g. in a netns and have a tc clsact qdisc with cls_bpf filter attached, so the fd would be passed to cls_bpf setup and then traffic goes over loopback to trigger prog run. Same could be for generic XDP as another example. Unlike socket filters this is root only though, but it would have more functionality available to fuzz into and I see robustness here as critically important. There's also a good bunch of use cases available in BPF kernel selftests which is under tools/testing/selftests/bpf/ to get a rough picture for fuzzing, but it doesn't cover all prog types, maps etc though. But overall, I think it's fine to first start out small and see how it goes. >> sockets, will it be enough to enable ip/ipv6? Because if we enable all >> of sctp/dccp/tipc/pptp/etc, it will sure will be finding lots of bugs >> there as well. Does bpf affect incoming network packets? Yes, see also comment above. For socket filters this definitely makes sense as well and there were some interactions in the past in the proto handlers that were buggy e.g. for odd historic reasons socket filters allow to truncate skbs (back from classic BPF times), and that required a reload of some of the prior referenced headers since underlying data could have changed in the meantime (aka use after free) and some handlers got that wrong, so probably makes sense to include some of the protos, too, to cover changes there. >> Also are there any sysctl's, command line arguments, etc that need to >> be tuned. I know there are net.core.bpf_jit_enable/harden, but I don't >> know what's the most relevant combination. Ideally, we test all of >> them, but let start with one of them because it requires separate >> instances (since the setting is global and test programs can't just >> flip it randomly). Right, I think the current one you set in syzkaller is fine for now. >> Also do you want testing from root or not from root? We generally >> don't test under root, because syzkaller comes up with legal ways to >> shut everything down even if we try to contain it (e.g. kill init >> somehow or shut down network using netlink). But if we limit syscall >> surface, then root may work and allow testing staging bpf features. If you have a chance to testing under both, root and non-root, that would be best. non-root has a restricted set of features available, so coverage would be increased under root, but I see both equally important (to mention one, coming back to the max_elem overflow example from earlier, this got only triggered for non-root). Btw, I recently checked out the bpf API model in syzkaller and it was all in line with latest upstream, very nice to see that! One more thought on future work could also be to experiment with syzkaller to have it additionally generate BPF progs in C that it would then try to load and pass traffic through. That may be worth trying in addition to the insns level fuzzing. > So, Daniel, Alexei, > > I understand that I asked lots of questions, but they are relatively > simple. I need that info to setup proper testing. Thanks a lot, Daniel