Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7B048C433FE for ; Fri, 7 Jan 2022 01:19:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345158AbiAGBT6 (ORCPT ); Thu, 6 Jan 2022 20:19:58 -0500 Received: from mx0b-00082601.pphosted.com ([67.231.153.30]:6060 "EHLO mx0a-00082601.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1344075AbiAGBT4 (ORCPT ); Thu, 6 Jan 2022 20:19:56 -0500 Received: from pps.filterd (m0001303.ppops.net [127.0.0.1]) by m0001303.ppops.net (8.16.1.2/8.16.1.2) with ESMTP id 2070vEbM028426; Thu, 6 Jan 2022 17:19:43 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=message-id : date : subject : to : cc : references : from : in-reply-to : content-type : content-transfer-encoding : mime-version; s=facebook; bh=9H7JVkSu8tSU1jz0II2Z/yrGROgDz41EzogsJubWt2k=; b=TQ2jn3al/1qpRIXS8KaUjNGOwKO9D4g6rEvOx7GxkBVkvxFXzC2k+IfW4f5vf8pQQU0n vmPAHQUHOgkRS1XdQM7PjoJbf8oDKSgr7j2k4qpXmWNakr4u5TriRdZAs+1a/YOlzJwe dCouXPn6Iib7A/BtgZxs4OhI5qOsyvGqq0c= Received: from maileast.thefacebook.com ([163.114.130.16]) by m0001303.ppops.net (PPS) with ESMTPS id 3de4xftp0q-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Thu, 06 Jan 2022 17:19:42 -0800 Received: from NAM11-CO1-obe.outbound.protection.outlook.com (100.104.31.183) by o365-in.thefacebook.com (100.104.35.175) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Thu, 6 Jan 2022 17:19:42 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WjmceGYIPidBFhBJJnGMw9i8s9seWE913M61ColuzQqhm6QNj6FvoyEsJj0VX0goFeTk8Iyxufes/FIAtjVAyMz7Gze4RREEZYrbN54UnO+SypHB0wocV9CcMr5+4dITuOQKlXCDpkovFKnLOSH2MVANlD2HXgtDxtdTufE04om9CXuEDhsrSry5LtT+TMEE5S+M5Rl8dhFrBNDlqbZbBKHLy9OYy3DTQbf1XY1mfadLO9nvOa5tyC1nA9WgiYNJ5Tksp4C39OQ7SVggaGb8QSENly6O7lbQETe8vBKgi5SsE/rp19ELL+Rw+JrdgN9ie8nHSFhEHrZ4xgr6DZ+gQw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=9H7JVkSu8tSU1jz0II2Z/yrGROgDz41EzogsJubWt2k=; b=b5POYgURdNYMlsE6YeTj3YBPpd+bOB3sPoq+GqJEvxJ25yftI0N6OE8TgRY4islawnvybbNCY953MybbZJCDdXe45mHQUpvcT4KcmgnapmyOE3bUu8uEsmnWxXOaetgd9xrEM/2qfZk0ZtjU8kym9Ap2P6umBfE6eab7i2/nK4v3TmgJ7NMShRGvg8tQsOJe3bMXRYH0OfvQnePVhyZXx4vlYJFMuclyMhLSXThqTleCyXkHFHynbwp8wU63thKl8t6C2MrswYYWDVgGOtpL2VtT8fO3qEgxrDwQMbCAN/pYRdBFFhWfnk47AU8WkdAemq3R+nhfbYQtzhfVBhTprw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=fb.com; dmarc=pass action=none header.from=fb.com; dkim=pass header.d=fb.com; arc=none Received: from SN6PR1501MB2064.namprd15.prod.outlook.com (2603:10b6:805:d::27) by SA1PR15MB4436.namprd15.prod.outlook.com (2603:10b6:806:197::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4867.7; Fri, 7 Jan 2022 01:19:40 +0000 Received: from SN6PR1501MB2064.namprd15.prod.outlook.com ([fe80::ede3:677f:b85c:ac29]) by SN6PR1501MB2064.namprd15.prod.outlook.com ([fe80::ede3:677f:b85c:ac29%4]) with mapi id 15.20.4867.011; Fri, 7 Jan 2022 01:19:40 +0000 Message-ID: Date: Thu, 6 Jan 2022 17:19:36 -0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.4.1 Subject: Re: A slab-out-of-bounds Read bug in __htab_map_lookup_and_delete_batch Content-Language: en-US To: butt3rflyh4ck , Alexei Starovoitov CC: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , John Fastabend , KP Singh , Networking , bpf , LKML References: From: Yonghong Song In-Reply-To: Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 7bit X-ClientProxiedBy: CO2PR04CA0154.namprd04.prod.outlook.com (2603:10b6:104::32) To SN6PR1501MB2064.namprd15.prod.outlook.com (2603:10b6:805:d::27) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: a7838404-4d4b-4bc2-2024-08d9d17bc73b X-MS-TrafficTypeDiagnostic: SA1PR15MB4436:EE_ X-Microsoft-Antispam-PRVS: X-FB-Source: Internal X-MS-Oob-TLC-OOBClassifiers: OLM:8882; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: bEPIP2YKXWbX6y5NL93NZGDleEB/X1n1xebmx4BzgXF5L1aq1iX8fgBettFwTs4XcW1v2shb/UKl3JTfJelq1/txMZy5ivbrjLfDoVuE/xp95D/8JRMrl/pOmB6WDy4PObi/MSw9NYHViQCc+6GQNvehcdgSc6Eal43AnZb4aJVOoO/tBqG7yOhPb0BDkP18aEvtlGi6pRR0Gk+bhG0lEbb3QA63eIieeEWzNYsH3wlUqqm/bSPkbvh2OFQWSXlNKu6FKyqm4zZ2zMdYcWap2cBKDT5VnDyox+d81nH2u7GSQKN63idVZLv0Tv9OMrEriyddgaj910B69hDilZBhyHKPGWsQehxDNGljXySIV9J2Ikdvafo2Sy3lucONp1JZgvgq4PGJw5cGSDsbqQOP5Gu4cZ3yl+zw6KC7eZ6JIDMADBwI0oBJLXINQW+ibLCo78pimIVAQnTs6ZzlmR0MJGINBdjTEnejifv/uIqKyZOAV6oX2guVFQezkMPTlTMQswG1DQac0N9Oyv8WN74s0ocEHLT6OSGh+jQZ9oV8xaco7B8pPen+fRya5CjfrWOcG7g8lMh9kqDoGLGzCrLWWK4U+dTq8CT4pDe8L/cOQnf1wZOcoiOWt4BiOfyfAgZIY6tsbSIvNK9hhirE90e5ClaAQxlIenAeNv+bcvuiFmZ677fb8zmA6ZAmJR1IxgHnHnwpugaL69Qgt1jN8LVV0d61yTksnnWKx5YCs3KPSb31Io022y+LW8rSls/LNd1z X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SN6PR1501MB2064.namprd15.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(366004)(5660300002)(83380400001)(31696002)(508600001)(66556008)(86362001)(6512007)(66476007)(6486002)(2906002)(38100700002)(186003)(8936002)(54906003)(2616005)(6506007)(316002)(4326008)(52116002)(6666004)(8676002)(31686004)(110136005)(7416002)(53546011)(36756003)(66946007)(43740500002)(45980500001);DIR:OUT;SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?ZXpCY0xMMFhHMmZKVHNUNFFLa3MzMFNGWHJTUGwxTnNERkE4WHE4N3BvRDJ3?= =?utf-8?B?R1gyY256blBFMjlpSzlIdVc0a2JPTHVzbWRQdDBPSGgwbGxEdnUxRnNqUnd3?= =?utf-8?B?WFFORjdGaTlOcXhLMHdIZWc1eHRKYU1uaEtsT0hRQkJ6cWg1Q25Fa2piRVVp?= =?utf-8?B?em54aDFsZU10QXZhRzBSZW1NS1BhQkZzUkNnNG1UY3dzMERuS0Z1RWtNenIv?= =?utf-8?B?Q2Z4d1I0Y0twbkNJOVF3STc4WWVkSXplZDg5eGNXTmpxcVJmQ2c4Y0FKTUc0?= =?utf-8?B?T1prUTdVRks2MWxFa2M3bENaMVhRT1ZYcjE4T2xhdmhDMldram5uS3NKdFVT?= =?utf-8?B?K1h3VEdPemFiYjRvNTVNNER4RnFVdXRiK0VEV1h2UCtuZzhRN3Q5WHNMUkwy?= =?utf-8?B?dFBOM3lxQmYydzN3Snh5eDh2YlNBRHlYTGZUcS9oTWk3dXpKbUpOU2d1QTlR?= =?utf-8?B?aFJGYm4rUDB2TitYYnNoRC80UUNwZ1JOejRrRmJWUkphbm10VjUwSHRpRkJY?= =?utf-8?B?MUhoeE5ldFQzVzlQQ2JEOXhseFlmSWFLcEt4dzV2Mi9LN3REc3FsOTY2aDF5?= =?utf-8?B?T2RpaHdJSUJNU3V1cEwwYmdjTjVVaFB0Rk1rVXB5Qy9Rcmo5cURXaE9QbWR4?= =?utf-8?B?bzQvcHhTN2RZVGs1MlZaamp0QWR4aUlldzMzaFFmTUQwVE1xWE8xYWd0N3oy?= =?utf-8?B?WnlLRDJaR1Q0dDlWa0FSbm9iSzVEcUQvQW8vZkJETHJlOVJlWmJLWVVaTjBB?= =?utf-8?B?TTd5ZkNXSXNYd2U1aEFBcFJjWjNabm4raUVQSjBkdUowL0FvRFlvZW05aDhW?= =?utf-8?B?QUNMR2VWbDRXQlliSGhxek16Zm40UUU3SUo4WmFJa3Z0VUdkeS90Sm1xZXg1?= =?utf-8?B?SGVjMzVVQ0ZSTFRHbVpBa2hWaXdsaGUzOVIrd0lHN3ZrcnBqa0t0Qk1MSnFY?= =?utf-8?B?bE0zWGw0THJlbmUvYk02TnE4cDlVMXQ5c080NmxwOVRJUlRpdFFDV0ppWmc0?= =?utf-8?B?eXVwdnUreWVzYkpxbjlpMjNzY0d2RlpzZCtxdkU5WDhLWjE3eXc2Y1ppSHBX?= =?utf-8?B?ODMvUzZNb2RaRUpvMFp4RkhNdkU0MWt0Y292RkZHbjN5SmsxU0M1UWVRM0J3?= =?utf-8?B?QU5MN0NvUk9MdjdWaXZ0YUh3TkMxb3UvN2s1bmhGMkpETDFmMjIrTlY4cmF1?= =?utf-8?B?NFNUUDdFanVwc2NhNUh1QzJHbFVsYXJpS1ltSnd5U3JzN1pmWjBkbCtmMEU1?= =?utf-8?B?bVFKYnNKbW1RbHNUL2JEY2FOMkpoTzhjbjRDKzNjOEU4Qm1rM0dNN2k1WVlh?= =?utf-8?B?cFdpNm0vZUo5ZXlmKzRSTVVSTWtSTmdsWkhVOU92L29wWFlBR3V1L1IvazBU?= =?utf-8?B?Y0R6cEFuK1FqbWI0SVRaOHJhTEgvZlpvZ2ZrTkJaTE9UUkdtY3ZEb3BKcW1y?= =?utf-8?B?QkxjNk8xa0N6NERlMVROMGFkVUdqeVRQYzRrbEZsdExkeU5RRVhyNGVVRXdO?= =?utf-8?B?ZFhhbDg3L3c5SENXUE5UVXpTYy9tdGJDbDVwWnAyS3BDcGFWMTdRMXBxK1lz?= =?utf-8?B?SWVjUlpKVGZBNkE2OUwxMkcwaVVtZE1EQ3A2Y1YzZXEvbG5UM2Q2d3U5Q1kw?= =?utf-8?B?dytEb0xXSnNiNDBMdWJTTUZ6ZC9MckRzdjZ1MXdpMWcwQUZmbms0VmFjdFBo?= =?utf-8?B?L01VSGpUa3V3dGVuTUs0NEVXT2NlRkViUjgwNW9sUGZ4RWd1VEpMc1dXMndZ?= =?utf-8?B?UExNajhZd3IvK0pQYW05clRpeXo1NzdnbkEvMjBDUCtnWmNFRnNVbTdqc1Yr?= =?utf-8?B?cXlia29DekM3WkVsdnpubDVONWR3ZlhVeVgydkZHZTU4SzFKR2VFN3FSK0tH?= =?utf-8?B?ZFZJcVRkaFNqWUtmZmo0TFVOMlozbklwcm5yd3RGZ25IUmZmbjdMYTFvV0Fu?= =?utf-8?B?YnFEdm5YS0FWbE5tcmVIcmF6NWtOZDZGdE1FeEhlRzJnazhvMVZaZkkyNldK?= =?utf-8?B?U0tQSEdkVFFnUWZ0bWFDN29KM3NHelM5SmdGUDNwR1JNOEJncG9MMG9NWHBW?= =?utf-8?B?KytIZXVVaFcvWXhjVTBsZ2RIa3A0SG4xNFpMSEZidFN1cmhjVGtPUG12cDBW?= =?utf-8?B?bmN2bXp6VDN2OFArbXplaVlrSy9UUkJnbzY2dm0xYTdxSkxLSU4rUHJUT1k0?= =?utf-8?B?Y1E9PQ==?= X-MS-Exchange-CrossTenant-Network-Message-Id: a7838404-4d4b-4bc2-2024-08d9d17bc73b X-MS-Exchange-CrossTenant-AuthSource: SN6PR1501MB2064.namprd15.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Jan 2022 01:19:40.5702 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: R3Nc8Huj9lubcqWJA26Fe/9PrgcESW3kjCBm1oaX6XiRqWd9z3RBO4ns/grqf2bp X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR15MB4436 X-OriginatorOrg: fb.com X-Proofpoint-GUID: j2eJG3jEBN8rJ1_b5oYOyBs0tpGtj9ec X-Proofpoint-ORIG-GUID: j2eJG3jEBN8rJ1_b5oYOyBs0tpGtj9ec X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.11.62.513 definitions=2022-01-06_10,2022-01-06_01,2021-12-02_01 X-Proofpoint-Spam-Details: rule=fb_outbound_notspam policy=fb_outbound score=0 impostorscore=0 priorityscore=1501 clxscore=1031 lowpriorityscore=0 mlxscore=0 spamscore=0 phishscore=0 suspectscore=0 mlxlogscore=864 adultscore=0 bulkscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2201070007 X-FB-Internal: deliver Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12/29/21 7:23 PM, butt3rflyh4ck wrote: > Hi, the attachment is a reproducer. Enjoy it. > > Regards, > butt3rflyh4ck. > > > On Thu, Dec 30, 2021 at 10:23 AM Alexei Starovoitov > wrote: >> >> On Wed, Dec 29, 2021 at 2:10 AM butt3rflyh4ck >> wrote: >>> >>> Hi, there is a slab-out-bounds Read bug in >>> __htab_map_lookup_and_delete_batch in kernel/bpf/hashtab.c >>> and I reproduce it in linux-5.16.rc7(upstream) and latest linux-5.15.11. >>> >>> #carsh log >>> [ 166.945208][ T6897] >>> ================================================================== >>> [ 166.947075][ T6897] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x87/0xb0 >>> [ 166.948612][ T6897] Read of size 49 at addr ffff88801913f800 by >>> task __htab_map_look/6897 >>> [ 166.950406][ T6897] >>> [ 166.950890][ T6897] CPU: 1 PID: 6897 Comm: __htab_map_look Not >>> tainted 5.16.0-rc7+ #30 >>> [ 166.952521][ T6897] Hardware name: QEMU Standard PC (i440FX + PIIX, >>> 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 >>> [ 166.954562][ T6897] Call Trace: >>> [ 166.955268][ T6897] >>> [ 166.955918][ T6897] dump_stack_lvl+0x57/0x7d >>> [ 166.956875][ T6897] print_address_description.constprop.0.cold+0x93/0x347 >>> [ 166.958411][ T6897] ? _copy_to_user+0x87/0xb0 >>> [ 166.959356][ T6897] ? _copy_to_user+0x87/0xb0 >>> [ 166.960272][ T6897] kasan_report.cold+0x83/0xdf >>> [ 166.961196][ T6897] ? _copy_to_user+0x87/0xb0 >>> [ 166.962053][ T6897] kasan_check_range+0x13b/0x190 >>> [ 166.962978][ T6897] _copy_to_user+0x87/0xb0 >>> [ 166.964340][ T6897] __htab_map_lookup_and_delete_batch+0xdc2/0x1590 >>> [ 166.965619][ T6897] ? htab_lru_map_update_elem+0xe70/0xe70 >>> [ 166.966732][ T6897] bpf_map_do_batch+0x1fa/0x460 >>> [ 166.967619][ T6897] __sys_bpf+0x99a/0x3860 >>> [ 166.968443][ T6897] ? bpf_link_get_from_fd+0xd0/0xd0 >>> [ 166.969393][ T6897] ? rcu_read_lock_sched_held+0x9c/0xd0 >>> [ 166.970425][ T6897] ? lock_acquire+0x1ab/0x520 >>> [ 166.971284][ T6897] ? find_held_lock+0x2d/0x110 >>> [ 166.972208][ T6897] ? rcu_read_lock_sched_held+0x9c/0xd0 >>> [ 166.973139][ T6897] ? rcu_read_lock_bh_held+0xb0/0xb0 >>> [ 166.974096][ T6897] __x64_sys_bpf+0x70/0xb0 >>> [ 166.974903][ T6897] ? syscall_enter_from_user_mode+0x21/0x70 >>> [ 166.976077][ T6897] do_syscall_64+0x35/0xb0 >>> [ 166.976889][ T6897] entry_SYSCALL_64_after_hwframe+0x44/0xae >>> [ 166.978027][ T6897] RIP: 0033:0x450f0d >>> >>> >>> In hashtable, if the elements' keys have the same jhash() value, the >>> elements will be put into the same bucket. >>> By putting a lot of elements into a single bucket, the value of >>> bucket_size can be increased to overflow. >>> but also we can increase bucket_cnt to out of bound Read. I tried the attachment (reproducer) and cannot reproduce the issue with latest bpf-next tree. My config has kasan enabled. Could you send the matching .config file as well so I could reproduce? >> >> Can you be more specific? >> If you can send a patch with a fix it would be even better. >> >>> the out of bound Read in __htab_map_lookup_and_delete_batch code: >>> ``` >>> ... >>> if (bucket_cnt && (copy_to_user(ukeys + total * key_size, keys, >>> key_size * bucket_cnt) || >>> copy_to_user(uvalues + total * value_size, values, >>> value_size * bucket_cnt))) { >>> ret = -EFAULT; >>> goto after_loop; >>> } >>> ... >>> ``` >>> >>> Regards, >>> butt3rflyh4ck. >>> >>> >>> -- >>> Active Defense Lab of Venustech > > >