From: Edward Adam Davis
To: syzbot+33f4297b5f927648741a@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bpf?] UBSAN: array-index-out-of-bounds in check_stack_range_initialized
Date: Thu, 21 Mar 2024 07:52:02 +0800
X-OQ-MSGID: <20240320235201.1681744-2-eadavis@qq.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <0000000000003dc8e00614076ab6@google.com>
References: <0000000000003dc8e00614076ab6@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

please test oob in check_stack_range_initialized

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git master

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 1dd3b99d1bb9..7ba5b4131929 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7177,6 +7177,11 @@ static int check_stack_range_initialized( return 0; } + if (INT_MIN - access_size > max_off) { + verbose(env, "invalid access size\n"); + return -EACCES; + } + for (i = min_off; i < max_off + access_size; i++) { u8 *stype; @@ -8589,6 +8594,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, return 0; } + printk("1meta:%p, maptr:%p, ks:%d, kv:%d,%s\n", + meta, meta->map_ptr, meta->map_ptr->key_size, meta->map_ptr->value_size, __func__); if (type_is_pkt_pointer(type) && !may_access_direct_pkt_data(env, meta, BPF_READ)) { verbose(env, "helper access to the packet is not allowed\n"); @@ -8704,6 +8711,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, verbose(env, "invalid map_ptr to access map->key\n"); return -EACCES; } + printk("meta:%p, maptr:%p, ks:%d, reg->map_ptr:%p, %s\n", + meta, meta->map_ptr, meta->map_ptr->key_size, reg->map_ptr, __func__); err = check_helper_mem_access(env, regno, meta->map_ptr->key_size, false, NULL); @@ -8721,6 +8730,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, return -EACCES; } meta->raw_mode = arg_type & MEM_UNINIT; + printk("meta:%p, maptr:%p, vs:%d, reg->map_ptr:%p, %s\n", + meta, meta->map_ptr, meta->map_ptr->value_size, reg->map_ptr, __func__); err = check_helper_mem_access(env, regno, meta->map_ptr->value_size, false, meta); @@ -10248,6 +10259,8 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn meta.func_id = func_id; /* check args */ + printk("meta:%p, maptr:%p, ks:%d, kv:%d,%s\n", + &meta, meta.map_ptr, meta.map_ptr->key_size, meta.map_ptr->value_size, __func__); for (i = 0; i < MAX_BPF_FUNC_REG_ARGS; i++) { err = check_func_arg(env, i, &meta, fn, insn_idx); if (err)
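Review bot: In the check_stack_range_initialized hunk, the new guard `if (INT_MIN - access_size > max_off)` overflows itself: for any positive access_size (the usual case) `INT_MIN - access_size` is signed integer underflow, which is undefined behaviour in C and, with the wrap-around the compiler may or may not give you, becomes a large positive value so the condition rejects ordinary accesses. The quantity that needs protecting is the loop bound `max_off + access_size` in the following `for (i = min_off; i < max_off + access_size; i++)`, so compute it with the kernel's overflow-safe helper instead, e.g. `int end; if (check_add_overflow(max_off, access_size, &end)) { verbose(env, "invalid access size %d at off %d\n", access_size, max_off); return -EACCES; }` and loop to `end`. That covers both a negative access_size pulling the bound below INT_MIN and a large positive one pushing it above INT_MAX, whereas the posted check handles only one sign and breaks the other; including the offending size and offset in the verbose message also makes the rejection diagnosable from the verifier log.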
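Review bot: The first printk added to check_func_arg dereferences `meta->map_ptr->key_size` and `meta->map_ptr->value_size` unconditionally at the top of the function, before the packet-pointer check and well before the point where map_ptr is known to be valid (the later hunk sits just after the `"invalid map_ptr to access map->key"` rejection, which exists precisely because map_ptr can still be unset there). check_func_arg runs for every argument of every helper, including helpers that take no map at all and the arguments that precede the map pointer, so on those calls meta->map_ptr is NULL and this debug line will oops the verifier before the #syz test run can say anything about the original report. Guard it with `if (meta->map_ptr)` or move it next to the two later printks that already sit behind the map_ptr check.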
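Review bot: In the check_func_arg hunk that prints `vs:%d` before `check_helper_mem_access(env, regno, meta->map_ptr->value_size, false, meta)`, the placement is fine, but note what the format does to the value: value_size is an unsigned map field, and `%d` will print it as a negative number once it exceeds INT_MAX. Since the same value is then handed to check_helper_mem_access, whose access_size parameter is a signed int in verifier.c, that sign flip is exactly the condition worth spotting for an out-of-bounds report in check_stack_range_initialized, so print it with `%u` as well (or print both) so the log shows the raw size and the value the callee actually receives. The same applies to `ks:%d` for key_size in the neighbouring hunk.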
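Review bot: The check_helper_call hunk dereferences `meta.map_ptr->key_size` and `meta.map_ptr->value_size` immediately after `meta.func_id = func_id;` and before the `/* check args */` loop that calls check_func_arg, which is the code path that fills in meta.map_ptr for this call. At that point meta.map_ptr has not been set for the helper being verified, so this printk will hit a NULL pointer on the first helper call the verifier processes and the test will never reach the code under investigation. Print only `&meta` and `meta.map_ptr` with `%p` here, or move the line to after the argument loop (and guard it with `if (meta.map_ptr)`, since not every helper takes a map).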