From: Yonghong Song <yhs@fb.com>
To: syzbot <syzbot+fad5d91c7158ce568634@syzkaller.appspotmail.com>,
<andrii@kernel.org>, <andriin@fb.com>, <ast@kernel.org>,
<bpf@vger.kernel.org>, <daniel@iogearbox.net>,
<davem@davemloft.net>, <hawk@kernel.org>,
<jakub.kicinski@netronome.com>, <john.fastabend@gmail.com>,
<kafai@fb.com>, <kpsingh@kernel.org>, <kuba@kernel.org>,
<linux-kernel@vger.kernel.org>, <mingo@redhat.com>,
<netdev@vger.kernel.org>, <rostedt@goodmis.org>,
<songliubraving@fb.com>, <syzkaller-bugs@googlegroups.com>,
<xdp-newbies@vger.kernel.org>
Subject: Re: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run7
Date: Sat, 23 Jan 2021 11:35:53 -0800
Message-ID: <d967ff2d-e272-b966-407c-82dca9a08e04@fb.com>
In-Reply-To: <000000000000891f4605b963d113@google.com>
I can reproduce the issue with the C reproducer. This is an old known issue
though and the failure is due to memory allocation failure in
tracepoint_probe_unregister().
[ 40.807849][ T8287] Call Trace:
[ 40.808201][ T8287] dump_stack+0x77/0x97
[ 40.808695][ T8287] should_fail.cold.6+0x32/0x4c
[ 40.809238][ T8287] should_failslab+0x5/0x10
[ 40.809709][ T8287] slab_pre_alloc_hook.constprop.97+0xa0/0xd0
[ 40.810365][ T8287] ? tracepoint_probe_unregister+0xc7/0x2b0
[ 40.810998][ T8287] __kmalloc+0x64/0x210
[ 40.811442][ T8287] ? trace_raw_output_percpu_destroy_chunk+0x40/0x40
[ 40.812158][ T8287] tracepoint_probe_unregister+0xc7/0x2b0
[ 40.812766][ T8287] bpf_raw_tp_link_release+0x11/0x20
[ 40.813328][ T8287] bpf_link_free+0x20/0x40
[ 40.813802][ T8287] bpf_link_release+0xc/0x10
[ 40.814242][ T8287] __fput+0xa1/0x250
[ 40.814606][ T8287] task_work_run+0x68/0xb0
[ 40.815030][ T8287] exit_to_user_mode_prepare+0x22c/0x250
Steven Rostedt has the following pending patch
https://lore.kernel.org/bpf/20201118093405.7a6d2290@gandalf.local.home/
trying to solve this exact problem.
On 1/20/21 11:14 PM, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit 8b401f9ed2441ad9e219953927a842d24ed051fc
> Author: Yonghong Song <yhs@fb.com>
> Date: Thu May 23 21:47:45 2019 +0000
>
> bpf: implement bpf_send_signal() helper
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=123408e7500000
> start commit: 7d68e382 bpf: Permit size-0 datasec
> git tree: bpf-next
> final oops: https://syzkaller.appspot.com/x/report.txt?x=113408e7500000
> console output: https://syzkaller.appspot.com/x/log.txt?x=163408e7500000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7843b8af99dff
> dashboard link: https://syzkaller.appspot.com/bug?extid=fad5d91c7158ce568634
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1224daa4d00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13dfabd0d00000
>
> Reported-by: syzbot+fad5d91c7158ce568634@syzkaller.appspotmail.com
> Fixes: 8b401f9ed244 ("bpf: implement bpf_send_signal() helper")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
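The trace above shows the probe being unregistered from the BPF link's release path (bpf_raw_tp_link_release -> tracepoint_probe_unregister) with the __kmalloc inside it failing under fault injection. The following stand-alone C model is an added example, not kernel code and not code from this thread: it assumes that removing a probe needs a freshly allocated, smaller callback array (which is what the __kmalloc frame in the trace suggests), injects one allocation failure in the spirit of should_failslab, and compares a release path that ignores the unregister error and frees the program anyway with one that falls back to detaching the probe in place with a stub function, the direction taken by the patch Yonghong links. All names here (struct prog, probe_register, probe_unregister_nofail, link_release_safe, tracepoint_fire, model_alloc) are invented for this model.

```c
/* Userspace model of a tracepoint probe array whose unregister path needs an
 * allocation. Constructed example; not the kernel's tracepoint code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A "BPF program" attached as a probe. It is never really free()d: we mark it
 * freed so a stale reference can be counted instead of crashing the model. */
struct prog { const char *name; bool freed; int hits; };

typedef void (*probe_fn)(struct prog *p);

/* One probe slot: callback plus its data. A NULL func terminates the array. */
struct tp_func { probe_fn func; struct prog *data; };

struct tracepoint { struct tp_func *funcs; /* NULL when nothing attached */ };

/* Fault injection, in the spirit of should_failslab: fail the next allocation. */
static bool fail_next_alloc;

static void *model_alloc(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = false; return NULL; }
    return calloc(1, n);           /* zeroed, so the terminator slot is NULL */
}

static size_t nr_funcs(const struct tp_func *f)
{
    size_t n = 0;
    while (f && f[n].func) n++;
    return n;
}

static void probe_stub(struct prog *p) { (void)p; }   /* does nothing */
static void probe_run(struct prog *p) { p->hits++; }

/* Register: build a new array with one more slot and swap it in. */
static int probe_register(struct tracepoint *tp, struct prog *p)
{
    size_t n = nr_funcs(tp->funcs);
    struct tp_func *nf = model_alloc((n + 2) * sizeof(*nf));
    if (!nf) return -ENOMEM;
    if (n) memcpy(nf, tp->funcs, n * sizeof(*nf));
    nf[n].func = probe_run;
    nf[n].data = p;
    free(tp->funcs);
    tp->funcs = nf;
    return 0;
}

/* Unregister as modeled here: removal needs a fresh, smaller array. If that
 * allocation fails, the old array, still pointing at p, stays live. */
static int probe_unregister(struct tracepoint *tp, struct prog *p)
{
    size_t n = nr_funcs(tp->funcs), i, j = 0;
    for (i = 0; i < n && tp->funcs[i].data != p; i++) ;
    if (i == n) return -ENOENT;
    struct tp_func *nf = model_alloc(n * sizeof(*nf)); /* n-1 entries + NULL */
    if (!nf) return -ENOMEM;
    for (i = 0; i < n; i++)
        if (tp->funcs[i].data != p) nf[j++] = tp->funcs[i];
    free(tp->funcs);
    tp->funcs = nf;
    return 0;
}

/* Hardened variant: when no memory is available for a smaller array, detach
 * p in place by pointing its slot at a stub, so unregister cannot fail. */
static int probe_unregister_nofail(struct tracepoint *tp, struct prog *p)
{
    int ret = probe_unregister(tp, p);
    if (ret != -ENOMEM) return ret;
    for (size_t i = 0; tp->funcs[i].func; i++)
        if (tp->funcs[i].data == p) { tp->funcs[i].func = probe_stub; tp->funcs[i].data = NULL; }
    return 0;
}

/* Buggy release: ignores the unregister result and "frees" the program anyway. */
static void link_release_ignoring_error(struct tracepoint *tp, struct prog *p)
{
    (void)probe_unregister(tp, p);
    p->freed = true;
}

/* Safe release: the program is only released once it is provably detached. */
static void link_release_safe(struct tracepoint *tp, struct prog *p)
{
    if (probe_unregister_nofail(tp, p) == 0) p->freed = true;
}

/* Fire the tracepoint. Returns how many probes still referenced a freed
 * program; in the kernel that is the read of freed memory KASAN reported. */
static int tracepoint_fire(struct tracepoint *tp)
{
    int stale = 0;
    for (size_t i = 0; tp->funcs && tp->funcs[i].func; i++) {
        struct prog *p = tp->funcs[i].data;
        if (p && p->freed) { stale++; continue; }
        tp->funcs[i].func(p);
    }
    return stale;
}

/* Two programs attached, the allocation fails while detaching one of them.
 * Returns the number of stale probes hit afterwards: 1 buggy, 0 hardened. */
static int scenario(bool check_errors)
{
    struct tracepoint tp = { NULL };
    struct prog a = { "a", false, 0 }, b = { "b", false, 0 };
    if (probe_register(&tp, &a) || probe_register(&tp, &b)) return -1;
    fail_next_alloc = true;        /* inject the kmalloc failure from the trace */
    if (check_errors) link_release_safe(&tp, &a);
    else link_release_ignoring_error(&tp, &a);
    int stale = tracepoint_fire(&tp);
    free(tp.funcs);
    return stale;
}

int main(void)
{
    printf("ignore error: %d stale probe(s)\n", scenario(false));
    printf("stub fallback: %d stale probe(s)\n", scenario(true));
    return 0;
}
```

The model is single-threaded and leaves out what makes the real fix delicate in the kernel (RCU grace periods and static-call patching around the probe array); its point is only the ordering hazard: a release path that frees the probe's data before the unregister has actually succeeded leaves the tracepoint holding a dangling pointer, and an unregister that cannot fail removes that hazard at its source.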