From: Andrei Matei
Date: Sat, 23 Mar 2024 20:50:35 -0400
List: linux-kernel@vger.kernel.org
Subject: Re: stack access issue. Re: [syzbot] [bpf?]
UBSAN: array-index-out-of-bounds in check_stack_range_initialized
To: Alexei Starovoitov, eadavis@qq.com
Cc: Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Network Development, Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song

+ Edward

On Thu, Mar 21, 2024 at 3:33 AM Alexei Starovoitov wrote:
>
> Hi Andrei,
>
> looks like the refactoring of stack access introduced a bug.
> See the reproducer below.
> positive offsets are not caught by check_stack_access_within_bounds().

check_stack_access_within_bounds() tries to catch positive offsets; it does: [1]

    err = check_stack_slot_within_bounds(env, min_off, state, type);
    if (!err && max_off > 0)
        err = -EINVAL; /* out of stack access into non-negative offsets */

Notice the max_off > 0 in there. And we have various tests that seem to check that positive offsets are rejected. Do you know what the bug is? I'm thinking maybe there's some overflow going on, except that UBSAN reported an index of -1 as being the problem. Edward, I see that you've been tickling the robot trying to narrow the issue; perhaps you've figured it out?

If the bug is not immediately apparent to anyone, I would really appreciate a bit of tutoring around how to reproduce and get verifier logs. I have tried a bunch of cases of constant- and variable-offset accesses, and couldn't repro. I can run syzkaller's repro on its own vm image, and indeed it crashes. But I'm not sure how to get verifier logs out of the C reproducer. Alternatively, I'm not sure how to figure out the actual BPF program corresponding to the "syz repro" in [2] and turn it into a test_progs test. How do you guys do it?

Thanks a lot!
[1] https://github.com/torvalds/linux/blob/70293240c5ce675a67bfc48f419b093023b862b3/kernel/bpf/verifier.c#L6695
[2] https://syzkaller.appspot.com/x/repro.syz?x=1763a479180000

> So both slot and spi become negative and access
> stack[spi].slot_type[slot % BPF_REG_SIZE]
> returns garbage.
>
> On Tue, Mar 19, 2024 at 11:12 AM syzbot wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    0740b6427e90 Merge branch 'bpf-arena-followups'
> > git tree:       bpf
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=12fed769180000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
> > dashboard link: https://syzkaller.appspot.com/bug?extid=33f4297b5f927648741a
> > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1763a479180000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15c38711180000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/c9e6e9f97566/disk-0740b642.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/78476a588b62/vmlinux-0740b642.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/50cd6fab9ead/bzImage-0740b642.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+33f4297b5f927648741a@syzkaller.appspotmail.com
> >
> > ------------[ cut here ]------------
> > UBSAN: array-index-out-of-bounds in kernel/bpf/verifier.c:7190:12
> > index -1 is out of range for type 'u8[8]' (aka 'unsigned char[8]')
> > CPU: 0 PID: 5071 Comm: syz-executor474 Not tainted 6.8.0-syzkaller-05226-g0740b6427e90 #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:88 [inline]
> >  dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
> >  ubsan_epilogue lib/ubsan.c:217 [inline]
> >  __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:415
> >  check_stack_range_initialized+0x1668/0x19a0 kernel/bpf/verifier.c:7190
> >  check_helper_mem_access+0x2eb/0xfa0 kernel/bpf/verifier.c:7294
> >  check_helper_call+0x263c/0x7220 kernel/bpf/verifier.c:10252
> >  do_check+0x9e29/0x10530 kernel/bpf/verifier.c:17801
> >  do_check_common+0x14bd/0x1dd0 kernel/bpf/verifier.c:20500
> >  do_check_main kernel/bpf/verifier.c:20591 [inline]
> >  bpf_check+0x136ab/0x19010 kernel/bpf/verifier.c:21261
> >  bpf_prog_load+0x1667/0x20f0 kernel/bpf/syscall.c:2895
> >  __sys_bpf+0x4ee/0x810 kernel/bpf/syscall.c:5631
> >  __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
> >  __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
> >  __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736
> >  do_syscall_64+0xfb/0x240
> >  entry_SYSCALL_64_after_hwframe+0x6d/0x75
> > RIP: 0033:0x7f8416194629
> > Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> > RSP: 002b:00007ffdc6f0fdb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
> > RAX: ffffffffffffffda RBX: 00007ffdc6f0ff88 RCX: 00007f8416194629
> > RDX: 0000000000000090 RSI: 00000000200000c0 RDI: 0000000000000005
> > RBP: 00007f8416207610 R08: 0000000000000000 R09: 00007ffdc6f0ff88
> > R10: 00000000fffffff8 R11: 0000000000000246 R12: 0000000000000001
> > R13: 00007ffdc6f0ff78 R14: 0000000000000001 R15: 0000000000000001
> > ---[ end trace ]---
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >
> > If the report is already addressed, let syzbot know by replying with:
> > #syz fix: exact-commit-title
> >
> > If you want syzbot to run the reproducer, reply with:
> > #syz test: git://repo/address.git branch-or-commit-hash
> > If you attach or paste a git patch, syzbot will apply it before testing.
> >
> > If you want to overwrite report's subsystems, reply with:
> > #syz set subsystems: new-subsystem
> > (See the list of subsystem names on the web dashboard)
> >
> > If the report is a duplicate of another one, reply with:
> > #syz dup: exact-subject-of-another-report
> >
> > If you want to undo deduplication, reply with:
> > #syz undup
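The offset arithmetic behind the "index -1" in the report, as an added stand-alone C model that is neither kernel code nor code from anyone in the thread: it shows how a non-negative stack offset turns into a negative slot_type index through C's truncating %, and a bounds check in the shape of the snippet Andrei quotes. The slot = -off - 1 mapping, the stack depth of 512 and the checked computation of max_off are assumptions of this example.

```c
/* Added example, not kernel code: a stand-alone model of the stack-offset
 * arithmetic discussed in this thread. The slot = -off - 1 mapping (slot 0
 * is the byte at fp-1) is assumed from the verifier's convention, not quoted
 * from the mail; the bounds rule mirrors the snippet Andrei quotes. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>

#define BPF_REG_SIZE 8
#define MAX_BPF_STACK 512 /* assumed stack depth for the demo */

/* Byte offset relative to the frame pointer -> byte slot number. */
static int off_to_slot(int off) { return -off - 1; }

/* Index into slot_type[BPF_REG_SIZE] the way the crash site computes it.
 * C's % truncates toward zero, so a negative slot yields a negative index:
 * off = 0 gives slot = -1 and slot % 8 == -1, the index UBSAN reported. */
static int slot_type_index(int off) { return off_to_slot(off) % BPF_REG_SIZE; }
/* Index of the 8-byte stack slot; zero or negative once off >= 0. */
static int spi_of(int off) { return off_to_slot(off) / BPF_REG_SIZE; }

/* min_off is the lowest byte touched; max_off = min_off + access_size is one
 * past the highest, computed in a wider type so a size that would wrap int
 * (the overflow the mail wonders about) is rejected rather than showing up
 * as a small or negative end. Returns 0 if the access fits in [-stack_depth, 0). */
static int stack_access_within_bounds(int min_off, int access_size, int stack_depth)
{
	long long max_off = (long long)min_off + access_size;
	if (access_size < 0 || max_off > INT_MAX)
		return -EINVAL;
	if (min_off < -stack_depth)
		return -EINVAL; /* below the allocated stack */
	if (max_off > 0)
		return -EINVAL; /* out of stack access into non-negative offsets */
	return 0;
}

int main(void)
{
	printf("off 0: spi %d, slot_type index %d\n", spi_of(0), slot_type_index(0));
	printf("off 8: spi %d, slot_type index %d\n", spi_of(8), slot_type_index(8));
	printf("[-8,0): %d  [-8,8): %d  [-520,-512): %d\n",
	       stack_access_within_bounds(-8, 8, MAX_BPF_STACK),
	       stack_access_within_bounds(-8, 16, MAX_BPF_STACK),
	       stack_access_within_bounds(-520, 8, MAX_BPF_STACK));
	return 0;
}
```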