X-Mailing-List: linux-kernel@vger.kernel.org
References: <0000000000003dc8e00614076ab6@google.com>
From: Andrei Matei
Date: Sat, 23 Mar 2024 22:12:23 -0400
Subject: Re: stack access issue. Re: [syzbot] [bpf?] UBSAN: array-index-out-of-bounds in check_stack_range_initialized
To: Alexei Starovoitov
Cc: Edward Adam Davis, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Network Development, Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song

On Sat, Mar 23, 2024 at 8:52 PM Alexei Starovoitov wrote:
>
> On Sat, Mar 23, 2024 at 5:50 PM Andrei Matei wrote:
> >
> > + Edward
> >
> > On Thu, Mar 21, 2024 at 3:33 AM Alexei Starovoitov wrote:
> > >
> > > Hi Andrei,
> > >
> > > looks like the refactoring of stack access introduced a bug.
> > > See the reproducer below.
> > > positive offsets are not caught by check_stack_access_within_bounds().
> >
> > check_stack_access_within_bounds() tries to catch positive offsets;
> > It does: [1]
> >
> >         err = check_stack_slot_within_bounds(env, min_off, state, type);
> >         if (!err && max_off > 0)
> >                 err = -EINVAL; /* out of stack access into non-negative offsets */
> >
> > Notice the max_off > 0 in there.
> > And we have various tests that seem to check that positive offsets are
> > rejected. Do you know what the bug is?
> > I'm thinking maybe there's some overflow going on, except that UBSAN
> > reported an index of -1 as being the problem.
> >
> > Edward, I see that you've been tickling the robot trying to narrow the issue;
> > perhaps you've figured it out?
> >
> > If the bug is not immediately apparent to anyone, I would really appreciate a
> > bit of tutoring around how to reproduce and get verifier logs.
>
> The repro is right there in the email I forwarded:
>
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15c38711180000

I understand, but how does one go from this to either BPF assembly, or to
running it in such a way that you also get verifier logs?
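Added example (not code from this mail or from the kernel): a stand-alone C model of the two-step stack bounds check quoted above, so the roles of min_off, max_off and the "max_off > 0" guard can be exercised on concrete accesses. MAX_BPF_STACK (512) is the real kernel constant; the function names, the argument convention (a base register with variable offset in [smin, smax] relative to the frame pointer, plus a constant instruction offset and an access size) and the explicit overflow guard are this example's own assumptions, not a statement about how the verifier actually computes or protects these values.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_BPF_STACK 512   /* real kernel constant: bytes of stack per BPF program */

/* Step 1 of the quoted check, modelled: a single byte offset relative to the
 * frame pointer is inside the frame only if it lies in [-MAX_BPF_STACK, 0).
 * The frame pointer itself (offset 0) is already one past the top. */
static int model_stack_slot_within_bounds(int64_t off)
{
	if (off < -MAX_BPF_STACK || off >= 0)
		return -EACCES;
	return 0;
}

/* Steps 1 and 2 of the quoted check, modelled.  The base register's offset
 * relative to the frame pointer is somewhere in [smin, smax] (a constant
 * register has smin == smax); the instruction adds `off` and touches `size`
 * bytes, so the access covers [smin + off, smax + off + size).  min_off is
 * the lowest byte touched, max_off the exclusive upper bound.
 * Returns 0 if the access is fully inside the frame, -EACCES if its lowest
 * byte is outside the frame, -EINVAL if it reaches up into offset 0 or
 * beyond (or if the input is malformed / would wrap). */
static int model_stack_access_within_bounds(int64_t smin, int64_t smax,
					    int32_t off, int32_t size)
{
	int64_t min_off, max_off;
	int err;

	if (size <= 0 || smin > smax)
		return -EINVAL;           /* malformed input: this model's own rule */

	/* This model refuses wrapped arithmetic outright.  Whether the real
	 * verifier can be driven into an overflow here is the open question in
	 * the mail; nothing is asserted about that, the guard is only this
	 * example's precaution. */
	if (__builtin_add_overflow(smin, off, &min_off) ||
	    __builtin_add_overflow(smax, off, &max_off) ||
	    __builtin_add_overflow(max_off, size, &max_off))
		return -EINVAL;

	/* The two lines quoted in the mail, applied to the modelled range. */
	err = model_stack_slot_within_bounds(min_off);
	if (!err && max_off > 0)
		err = -EINVAL;            /* out of stack access into non-negative offsets */
	return err;
}

int main(void)
{
	/* Constructed sample accesses, not taken from the syzbot reproducer. */
	struct { int64_t smin, smax; int32_t off, size; const char *what; } cases[] = {
		{   0, 0,   -8, 8, "fp-8, 8 bytes: an ordinary stack slot" },
		{   0, 0,   -4, 8, "fp-4, 8 bytes: straddles the frame top" },
		{   0, 0,    8, 8, "fp+8, 8 bytes: starts above the frame" },
		{   0, 0, -520, 8, "fp-520, 8 bytes: starts below the frame" },
		{ -16, 0,   -8, 8, "base in [fp-16, fp], slot at -8" },
		{ -16, 8,   -8, 8, "base in [fp-16, fp+8], slot at -8" },
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int rc = model_stack_access_within_bounds(cases[i].smin, cases[i].smax,
							  cases[i].off, cases[i].size);
		printf("%-44s -> %d\n", cases[i].what, rc);
	}
	return 0;
}
```

The second and sixth cases are the ones the "max_off > 0" line exists for: the lowest byte passes the slot check on its own, and only the exclusive upper bound reveals that the access runs past the top of the frame.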