[Syzkaller & bisect] There is KASAN: global-out-of-bounds Read in bpf_link_show_fdinfo in v6.7-rc5

[Syzkaller & bisect] There is KASAN: global-out-of-bounds Read in bpf_link_show_fdinfo in v6.7-rc5

[Pengfei Xu]

Hi Jiri Olsa,

Greeting!

There is KASAN: global-out-of-bounds Read in bpf_link_show_fdinfo in v6.7-rc5
kernel in vm.

All detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/231213_090512_bpf_link_show_fdinfo
Syzkaller reproduced code: https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/repro.c
Syzkaller syscall reproduced steps: https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/repro.prog
Kconfig(make olddefconfig): https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/kconfig_origin
Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/bisect_info.log
Issue dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/a39b6ac3781d46ba18193c9dbb2110f31e9bffe9_dmesg.log
bzImage: https://github.com/xupengfe/syzkaller_logs/raw/main/231213_090512_bpf_link_show_fdinfo/bzImage_a39b6ac3781d46ba18193c9dbb2110f31e9bffe9.tar.gz

Bisected and related commit is as follows:
"
0b779b61f651 bpf: Add cookies support for uprobe_multi link
"
Make the revert the commit on top of v6.7-rc5 kernel failed, could not double
confirm for the suspected commit.


[   20.624445] repro[731]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 0 (core 0, socket 0)
[   20.625349] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[   20.631427] repro[734]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
[   20.632325] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[   20.665797] repro[737]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 0 (core 0, socket 0)
[   20.666718] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[   20.671614] ==================================================================
[   20.672115] BUG: KASAN: global-out-of-bounds in bpf_link_show_fdinfo+0x30b/0x330
[   20.672598] Read of size 8 at addr ffffffff8593c9e0 by task systemd-coredum/732
[   20.673066] 
[   20.673179] CPU: 0 PID: 732 Comm: systemd-coredum Not tainted 6.7.0-rc5-a39b6ac3781d+ #1
[   20.673687] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[   20.674381] Call Trace:
[   20.674552]  <TASK>
[   20.674701]  dump_stack_lvl+0xaa/0x110
[   20.674964]  print_report+0xcf/0x620
[   20.675209]  ? bpf_link_show_fdinfo+0x30b/0x330
[   20.675514]  ? kasan_addr_to_slab+0x11/0xb0
[   20.675794]  ? bpf_link_show_fdinfo+0x30b/0x330
[   20.676103]  kasan_report+0xcd/0x110
[   20.676342]  ? bpf_link_show_fdinfo+0x30b/0x330
[   20.676651]  __asan_report_load8_noabort+0x18/0x20
[   20.676960]  bpf_link_show_fdinfo+0x30b/0x330
[   20.677253]  ? __pfx_bpf_link_show_fdinfo+0x10/0x10
[   20.677569]  ? locks_remove_file+0x6d0/0x790
[   20.677861]  ? __pfx_bpf_link_show_fdinfo+0x10/0x10
[   20.678169]  seq_show+0x581/0x890
[   20.678402]  seq_read_iter+0x51a/0x1300
[   20.678672]  ? iov_iter_init+0x55/0x200
[   20.678939]  seq_read+0x171/0x210
[   20.679172]  ? __pfx_seq_read+0x10/0x10
[   20.679438]  ? __sanitizer_cov_trace_const_cmp8+0x1c/0x30
[   20.679784]  ? fsnotify_perm.part.0+0x260/0x5f0
[   20.680087]  ? security_file_permission+0xc5/0xf0
[   20.680399]  vfs_read+0x202/0x930
[   20.680626]  ? __pfx_seq_read+0x10/0x10
[   20.680884]  ? __pfx_vfs_read+0x10/0x10
[   20.681137]  ? __pfx_lock_release+0x10/0x10
[   20.681398]  ? ktime_get_coarse_real_ts64+0x4d/0xf0
[   20.681706]  ? __this_cpu_preempt_check+0x21/0x30
[   20.681997]  ? seqcount_lockdep_reader_access.constprop.0+0xb4/0xd0
[   20.682379]  ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20
[   20.682722]  ksys_read+0x14f/0x290
[   20.682956]  ? __pfx_ksys_read+0x10/0x10
[   20.683226]  __x64_sys_read+0x7b/0xc0
[   20.683473]  ? syscall_enter_from_user_mode+0x53/0x70
[   20.683790]  do_syscall_64+0x42/0xf0
[   20.684027]  entry_SYSCALL_64_after_hwframe+0x6e/0x76
[   20.684327] RIP: 0033:0x7f688893eaf2
[   20.684556] Code: c0 e9 b2 fe ff ff 50 48 8d 3d ca 0c 08 00 e8 35 eb 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
[   20.685647] RSP: 002b:00007ffde2a29e58 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[   20.686108] RAX: ffffffffffffffda RBX: 0000562b794752d0 RCX: 00007f688893eaf2
[   20.686527] RDX: 0000000000000400 RSI: 0000562b79475530 RDI: 0000000000000006
[   20.686964] RBP: 00007f68889f75e0 R08: 0000000000000006 R09: 00007f68889b14e0
[   20.687401] R10: 0000000000001000 R11: 0000000000000246 R12: 00007f688863c9c8
[   20.687837] R13: 0000000000000d68 R14: 00007f68889f69e0 R15: 0000000000000d68
[   20.688309]  </TASK>
[   20.688465] 
[   20.688571] The buggy address belongs to the variable:
[   20.688885]  bpf_link_type_strs+0x60/0x80
[   20.689145] 
[   20.689251] The buggy address belongs to the physical page:
[   20.689611] page:00000000449bb84f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x593c
[   20.690184] flags: 0xfffffc0004000(reserved|node=0|zone=1|lastcpupid=0x1fffff)
[   20.690601] page_type: 0xffffffff()
[   20.690824] raw: 000fffffc0004000 ffffea0000164f08 ffffea0000164f08 0000000000000000
[   20.691307] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   20.691795] page dumped because: kasan: bad access detected
[   20.692152] 
[   20.692254] Memory state around the buggy address:
[   20.692552]  ffffffff8593c880: 04 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
[   20.693008]  ffffffff8593c900: 00 05 f9 f9 f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9
[   20.693432] >ffffffff8593c980: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
[   20.693877]                                                        ^
[   20.694265]  ffffffff8593ca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   20.694707]  ffffffff8593ca80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   20.695158] ==================================================================
[   20.695666] Disabling lock debugging due to kernel taint
[   20.720062] repro[741]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 0 (core 0, socket 0)
[   20.720827] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[   20.724913] repro[744]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
[   20.725791] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[   20.732282] repro[747]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
[   20.733148] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[   20.770165] repro[750]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
[   20.771018] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[   20.820152] repro[757]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
[   20.820984] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[   20.837880] repro[760]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
[   20.838815] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[   20.839423] repro[755]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 0 (core 0, socket 0)
[   20.840255] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[   21.068187] Pid 786(repro) over core_pipe_limit
[   21.068503] Skipping core dump

I hope it's helpful.

---

If you don't need the following environment to reproduce the problem or if you
already have one reproduced environment, please ignore the following information.

How to reproduce:
git clone https://gitlab.com/xupengfe/repro_vm_env.git
cd repro_vm_env
tar -xvf repro_vm_env.tar.gz
cd repro_vm_env; ./start3.sh  // it needs qemu-system-x86_64 and I used v7.1.0
  // start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
  // You could change the bzImage_xxx as you want
  // Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version
You could use below command to log in, there is no password for root.
ssh -p 10023 root@localhost

After login vm(virtual machine) successfully, you could transfer reproduced
binary to the vm by below way, and reproduce the problem in vm:
gcc -pthread -o repro repro.c
scp -P 10023 repro root@localhost:/root/

Get the bzImage for target kernel:
Please use target kconfig and copy it to kernel_src/.config
make olddefconfig
make -jx bzImage           //x should equal or less than cpu num your pc has

Fill the bzImage file into above start3.sh to load the target kernel in vm.


Tips:
If you already have qemu-system-x86_64, please ignore below info.
If you want to install qemu v7.1.0 version:
git clone https://github.com/qemu/qemu.git
cd qemu
git checkout -f v7.1.0
mkdir build
cd build
yum install -y ninja-build.x86_64
yum -y install libslirp-devel.x86_64
../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
make
make install

Best Regards,
Thanks!

Re: [Syzkaller & bisect] There is KASAN: global-out-of-bounds Read in bpf_link_show_fdinfo in v6.7-rc5

[Hou Tao]

Hi,

On 12/14/2023 10:51 AM, Pengfei Xu wrote:
> Hi Jiri Olsa,
>
> Greeting!
>
> There is KASAN: global-out-of-bounds Read in bpf_link_show_fdinfo in v6.7-rc5
> kernel in vm.

It seems that the out-of-bound access is due to
BPF_LINK_TYPE_UPROBE_MULTI and other link types don't define
BPF_LINK_TYPE(type, name) in linux/bpf_types.h, so the content and the
length of bpf_link_type_strs array is unexpected. But I will leave the
fixes to Jiri and I have to continue on the fix of the warning during
bpf ma initialization.
>
> All detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/231213_090512_bpf_link_show_fdinfo
> Syzkaller reproduced code: https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/repro.c
> Syzkaller syscall reproduced steps: https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/repro.prog
> Kconfig(make olddefconfig): https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/kconfig_origin
> Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/bisect_info.log
> Issue dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/a39b6ac3781d46ba18193c9dbb2110f31e9bffe9_dmesg.log
> bzImage: https://github.com/xupengfe/syzkaller_logs/raw/main/231213_090512_bpf_link_show_fdinfo/bzImage_a39b6ac3781d46ba18193c9dbb2110f31e9bffe9.tar.gz
>
> Bisected and related commit is as follows:
> "
> 0b779b61f651 bpf: Add cookies support for uprobe_multi link
> "
> Make the revert the commit on top of v6.7-rc5 kernel failed, could not double
> confirm for the suspected commit.
>
>
> [   20.624445] repro[731]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 0 (core 0, socket 0)
> [   20.625349] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> [   20.631427] repro[734]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
> [   20.632325] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> [   20.665797] repro[737]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 0 (core 0, socket 0)
> [   20.666718] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> [   20.671614] ==================================================================
> [   20.672115] BUG: KASAN: global-out-of-bounds in bpf_link_show_fdinfo+0x30b/0x330
> [   20.672598] Read of size 8 at addr ffffffff8593c9e0 by task systemd-coredum/732
> [   20.673066] 
> [   20.673179] CPU: 0 PID: 732 Comm: systemd-coredum Not tainted 6.7.0-rc5-a39b6ac3781d+ #1
> [   20.673687] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
> [   20.674381] Call Trace:
> [   20.674552]  <TASK>
> [   20.674701]  dump_stack_lvl+0xaa/0x110
> [   20.674964]  print_report+0xcf/0x620
> [   20.675209]  ? bpf_link_show_fdinfo+0x30b/0x330
> [   20.675514]  ? kasan_addr_to_slab+0x11/0xb0
> [   20.675794]  ? bpf_link_show_fdinfo+0x30b/0x330
> [   20.676103]  kasan_report+0xcd/0x110
> [   20.676342]  ? bpf_link_show_fdinfo+0x30b/0x330
> [   20.676651]  __asan_report_load8_noabort+0x18/0x20
> [   20.676960]  bpf_link_show_fdinfo+0x30b/0x330
> [   20.677253]  ? __pfx_bpf_link_show_fdinfo+0x10/0x10
> [   20.677569]  ? locks_remove_file+0x6d0/0x790
> [   20.677861]  ? __pfx_bpf_link_show_fdinfo+0x10/0x10
> [   20.678169]  seq_show+0x581/0x890
> [   20.678402]  seq_read_iter+0x51a/0x1300
> [   20.678672]  ? iov_iter_init+0x55/0x200
> [   20.678939]  seq_read+0x171/0x210
> [   20.679172]  ? __pfx_seq_read+0x10/0x10
> [   20.679438]  ? __sanitizer_cov_trace_const_cmp8+0x1c/0x30
> [   20.679784]  ? fsnotify_perm.part.0+0x260/0x5f0
> [   20.680087]  ? security_file_permission+0xc5/0xf0
> [   20.680399]  vfs_read+0x202/0x930
> [   20.680626]  ? __pfx_seq_read+0x10/0x10
> [   20.680884]  ? __pfx_vfs_read+0x10/0x10
> [   20.681137]  ? __pfx_lock_release+0x10/0x10
> [   20.681398]  ? ktime_get_coarse_real_ts64+0x4d/0xf0
> [   20.681706]  ? __this_cpu_preempt_check+0x21/0x30
> [   20.681997]  ? seqcount_lockdep_reader_access.constprop.0+0xb4/0xd0
> [   20.682379]  ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20
> [   20.682722]  ksys_read+0x14f/0x290
> [   20.682956]  ? __pfx_ksys_read+0x10/0x10
> [   20.683226]  __x64_sys_read+0x7b/0xc0
> [   20.683473]  ? syscall_enter_from_user_mode+0x53/0x70
> [   20.683790]  do_syscall_64+0x42/0xf0
> [   20.684027]  entry_SYSCALL_64_after_hwframe+0x6e/0x76
> [   20.684327] RIP: 0033:0x7f688893eaf2
> [   20.684556] Code: c0 e9 b2 fe ff ff 50 48 8d 3d ca 0c 08 00 e8 35 eb 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
> [   20.685647] RSP: 002b:00007ffde2a29e58 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
> [   20.686108] RAX: ffffffffffffffda RBX: 0000562b794752d0 RCX: 00007f688893eaf2
> [   20.686527] RDX: 0000000000000400 RSI: 0000562b79475530 RDI: 0000000000000006
> [   20.686964] RBP: 00007f68889f75e0 R08: 0000000000000006 R09: 00007f68889b14e0
> [   20.687401] R10: 0000000000001000 R11: 0000000000000246 R12: 00007f688863c9c8
> [   20.687837] R13: 0000000000000d68 R14: 00007f68889f69e0 R15: 0000000000000d68
> [   20.688309]  </TASK>
> [   20.688465] 
> [   20.688571] The buggy address belongs to the variable:
> [   20.688885]  bpf_link_type_strs+0x60/0x80
> [   20.689145] 
> [   20.689251] The buggy address belongs to the physical page:
> [   20.689611] page:00000000449bb84f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x593c
> [   20.690184] flags: 0xfffffc0004000(reserved|node=0|zone=1|lastcpupid=0x1fffff)
> [   20.690601] page_type: 0xffffffff()
> [   20.690824] raw: 000fffffc0004000 ffffea0000164f08 ffffea0000164f08 0000000000000000
> [   20.691307] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
> [   20.691795] page dumped because: kasan: bad access detected
> [   20.692152] 
> [   20.692254] Memory state around the buggy address:
> [   20.692552]  ffffffff8593c880: 04 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
> [   20.693008]  ffffffff8593c900: 00 05 f9 f9 f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9
> [   20.693432] >ffffffff8593c980: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
> [   20.693877]                                                        ^
> [   20.694265]  ffffffff8593ca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [   20.694707]  ffffffff8593ca80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [   20.695158] ==================================================================
> [   20.695666] Disabling lock debugging due to kernel taint
> [   20.720062] repro[741]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 0 (core 0, socket 0)
> [   20.720827] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> [   20.724913] repro[744]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
> [   20.725791] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> [   20.732282] repro[747]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
> [   20.733148] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> [   20.770165] repro[750]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
> [   20.771018] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> [   20.820152] repro[757]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
> [   20.820984] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> [   20.837880] repro[760]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
> [   20.838815] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> [   20.839423] repro[755]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 0 (core 0, socket 0)
> [   20.840255] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> [   21.068187] Pid 786(repro) over core_pipe_limit
> [   21.068503] Skipping core dump
>
> I hope it's helpful.
>
> ---
>
> If you don't need the following environment to reproduce the problem or if you
> already have one reproduced environment, please ignore the following information.
>
> How to reproduce:
> git clone https://gitlab.com/xupengfe/repro_vm_env.git
> cd repro_vm_env
> tar -xvf repro_vm_env.tar.gz
> cd repro_vm_env; ./start3.sh  // it needs qemu-system-x86_64 and I used v7.1.0
>   // start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
>   // You could change the bzImage_xxx as you want
>   // Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version
> You could use below command to log in, there is no password for root.
> ssh -p 10023 root@localhost
>
> After login vm(virtual machine) successfully, you could transfer reproduced
> binary to the vm by below way, and reproduce the problem in vm:
> gcc -pthread -o repro repro.c
> scp -P 10023 repro root@localhost:/root/
>
> Get the bzImage for target kernel:
> Please use target kconfig and copy it to kernel_src/.config
> make olddefconfig
> make -jx bzImage           //x should equal or less than cpu num your pc has
>
> Fill the bzImage file into above start3.sh to load the target kernel in vm.
>
>
> Tips:
> If you already have qemu-system-x86_64, please ignore below info.
> If you want to install qemu v7.1.0 version:
> git clone https://github.com/qemu/qemu.git
> cd qemu
> git checkout -f v7.1.0
> mkdir build
> cd build
> yum install -y ninja-build.x86_64
> yum -y install libslirp-devel.x86_64
> ../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
> make
> make install
>
> Best Regards,
> Thanks!
>
> .

Re: [Syzkaller & bisect] There is KASAN: global-out-of-bounds Read in bpf_link_show_fdinfo in v6.7-rc5

[Jiri Olsa]

On Thu, Dec 14, 2023 at 02:33:34PM +0800, Hou Tao wrote:
> Hi,
> 
> On 12/14/2023 10:51 AM, Pengfei Xu wrote:
> > Hi Jiri Olsa,
> >
> > Greeting!
> >
> > There is KASAN: global-out-of-bounds Read in bpf_link_show_fdinfo in v6.7-rc5
> > kernel in vm.
> 
> It seems that the out-of-bound access is due to
> BPF_LINK_TYPE_UPROBE_MULTI and other link types don't define
> BPF_LINK_TYPE(type, name) in linux/bpf_types.h, so the content and the
> length of bpf_link_type_strs array is unexpected. But I will leave the
> fixes to Jiri and I have to continue on the fix of the warning during
> bpf ma initialization.

right, that seems to be the case.. will send the fix

thanks,
jirka

> >
> > All detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/231213_090512_bpf_link_show_fdinfo
> > Syzkaller reproduced code: https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/repro.c
> > Syzkaller syscall reproduced steps: https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/repro.prog
> > Kconfig(make olddefconfig): https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/kconfig_origin
> > Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/bisect_info.log
> > Issue dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/231213_090512_bpf_link_show_fdinfo/a39b6ac3781d46ba18193c9dbb2110f31e9bffe9_dmesg.log
> > bzImage: https://github.com/xupengfe/syzkaller_logs/raw/main/231213_090512_bpf_link_show_fdinfo/bzImage_a39b6ac3781d46ba18193c9dbb2110f31e9bffe9.tar.gz
> >
> > Bisected and related commit is as follows:
> > "
> > 0b779b61f651 bpf: Add cookies support for uprobe_multi link
> > "
> > Make the revert the commit on top of v6.7-rc5 kernel failed, could not double
> > confirm for the suspected commit.
> >
> >
> > [   20.624445] repro[731]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 0 (core 0, socket 0)
> > [   20.625349] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> > [   20.631427] repro[734]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
> > [   20.632325] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> > [   20.665797] repro[737]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 0 (core 0, socket 0)
> > [   20.666718] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> > [   20.671614] ==================================================================
> > [   20.672115] BUG: KASAN: global-out-of-bounds in bpf_link_show_fdinfo+0x30b/0x330
> > [   20.672598] Read of size 8 at addr ffffffff8593c9e0 by task systemd-coredum/732
> > [   20.673066] 
> > [   20.673179] CPU: 0 PID: 732 Comm: systemd-coredum Not tainted 6.7.0-rc5-a39b6ac3781d+ #1
> > [   20.673687] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
> > [   20.674381] Call Trace:
> > [   20.674552]  <TASK>
> > [   20.674701]  dump_stack_lvl+0xaa/0x110
> > [   20.674964]  print_report+0xcf/0x620
> > [   20.675209]  ? bpf_link_show_fdinfo+0x30b/0x330
> > [   20.675514]  ? kasan_addr_to_slab+0x11/0xb0
> > [   20.675794]  ? bpf_link_show_fdinfo+0x30b/0x330
> > [   20.676103]  kasan_report+0xcd/0x110
> > [   20.676342]  ? bpf_link_show_fdinfo+0x30b/0x330
> > [   20.676651]  __asan_report_load8_noabort+0x18/0x20
> > [   20.676960]  bpf_link_show_fdinfo+0x30b/0x330
> > [   20.677253]  ? __pfx_bpf_link_show_fdinfo+0x10/0x10
> > [   20.677569]  ? locks_remove_file+0x6d0/0x790
> > [   20.677861]  ? __pfx_bpf_link_show_fdinfo+0x10/0x10
> > [   20.678169]  seq_show+0x581/0x890
> > [   20.678402]  seq_read_iter+0x51a/0x1300
> > [   20.678672]  ? iov_iter_init+0x55/0x200
> > [   20.678939]  seq_read+0x171/0x210
> > [   20.679172]  ? __pfx_seq_read+0x10/0x10
> > [   20.679438]  ? __sanitizer_cov_trace_const_cmp8+0x1c/0x30
> > [   20.679784]  ? fsnotify_perm.part.0+0x260/0x5f0
> > [   20.680087]  ? security_file_permission+0xc5/0xf0
> > [   20.680399]  vfs_read+0x202/0x930
> > [   20.680626]  ? __pfx_seq_read+0x10/0x10
> > [   20.680884]  ? __pfx_vfs_read+0x10/0x10
> > [   20.681137]  ? __pfx_lock_release+0x10/0x10
> > [   20.681398]  ? ktime_get_coarse_real_ts64+0x4d/0xf0
> > [   20.681706]  ? __this_cpu_preempt_check+0x21/0x30
> > [   20.681997]  ? seqcount_lockdep_reader_access.constprop.0+0xb4/0xd0
> > [   20.682379]  ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20
> > [   20.682722]  ksys_read+0x14f/0x290
> > [   20.682956]  ? __pfx_ksys_read+0x10/0x10
> > [   20.683226]  __x64_sys_read+0x7b/0xc0
> > [   20.683473]  ? syscall_enter_from_user_mode+0x53/0x70
> > [   20.683790]  do_syscall_64+0x42/0xf0
> > [   20.684027]  entry_SYSCALL_64_after_hwframe+0x6e/0x76
> > [   20.684327] RIP: 0033:0x7f688893eaf2
> > [   20.684556] Code: c0 e9 b2 fe ff ff 50 48 8d 3d ca 0c 08 00 e8 35 eb 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
> > [   20.685647] RSP: 002b:00007ffde2a29e58 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
> > [   20.686108] RAX: ffffffffffffffda RBX: 0000562b794752d0 RCX: 00007f688893eaf2
> > [   20.686527] RDX: 0000000000000400 RSI: 0000562b79475530 RDI: 0000000000000006
> > [   20.686964] RBP: 00007f68889f75e0 R08: 0000000000000006 R09: 00007f68889b14e0
> > [   20.687401] R10: 0000000000001000 R11: 0000000000000246 R12: 00007f688863c9c8
> > [   20.687837] R13: 0000000000000d68 R14: 00007f68889f69e0 R15: 0000000000000d68
> > [   20.688309]  </TASK>
> > [   20.688465] 
> > [   20.688571] The buggy address belongs to the variable:
> > [   20.688885]  bpf_link_type_strs+0x60/0x80
> > [   20.689145] 
> > [   20.689251] The buggy address belongs to the physical page:
> > [   20.689611] page:00000000449bb84f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x593c
> > [   20.690184] flags: 0xfffffc0004000(reserved|node=0|zone=1|lastcpupid=0x1fffff)
> > [   20.690601] page_type: 0xffffffff()
> > [   20.690824] raw: 000fffffc0004000 ffffea0000164f08 ffffea0000164f08 0000000000000000
> > [   20.691307] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
> > [   20.691795] page dumped because: kasan: bad access detected
> > [   20.692152] 
> > [   20.692254] Memory state around the buggy address:
> > [   20.692552]  ffffffff8593c880: 04 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
> > [   20.693008]  ffffffff8593c900: 00 05 f9 f9 f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9
> > [   20.693432] >ffffffff8593c980: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
> > [   20.693877]                                                        ^
> > [   20.694265]  ffffffff8593ca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [   20.694707]  ffffffff8593ca80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [   20.695158] ==================================================================
> > [   20.695666] Disabling lock debugging due to kernel taint
> > [   20.720062] repro[741]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 0 (core 0, socket 0)
> > [   20.720827] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> > [   20.724913] repro[744]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
> > [   20.725791] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> > [   20.732282] repro[747]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
> > [   20.733148] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> > [   20.770165] repro[750]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
> > [   20.771018] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> > [   20.820152] repro[757]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
> > [   20.820984] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> > [   20.837880] repro[760]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 1 (core 1, socket 0)
> > [   20.838815] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> > [   20.839423] repro[755]: segfault at 0 ip 0000000000000000 sp 0000000020000288 error 14 in repro[400000+1000] likely on CPU 0 (core 0, socket 0)
> > [   20.840255] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> > [   21.068187] Pid 786(repro) over core_pipe_limit
> > [   21.068503] Skipping core dump
> >
> > I hope it's helpful.
> >
> > ---
> >
> > If you don't need the following environment to reproduce the problem or if you
> > already have one reproduced environment, please ignore the following information.
> >
> > How to reproduce:
> > git clone https://gitlab.com/xupengfe/repro_vm_env.git
> > cd repro_vm_env
> > tar -xvf repro_vm_env.tar.gz
> > cd repro_vm_env; ./start3.sh  // it needs qemu-system-x86_64 and I used v7.1.0
> >   // start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
> >   // You could change the bzImage_xxx as you want
> >   // Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version
> > You could use below command to log in, there is no password for root.
> > ssh -p 10023 root@localhost
> >
> > After login vm(virtual machine) successfully, you could transfer reproduced
> > binary to the vm by below way, and reproduce the problem in vm:
> > gcc -pthread -o repro repro.c
> > scp -P 10023 repro root@localhost:/root/
> >
> > Get the bzImage for target kernel:
> > Please use target kconfig and copy it to kernel_src/.config
> > make olddefconfig
> > make -jx bzImage           //x should equal or less than cpu num your pc has
> >
> > Fill the bzImage file into above start3.sh to load the target kernel in vm.
> >
> >
> > Tips:
> > If you already have qemu-system-x86_64, please ignore below info.
> > If you want to install qemu v7.1.0 version:
> > git clone https://github.com/qemu/qemu.git
> > cd qemu
> > git checkout -f v7.1.0
> > mkdir build
> > cd build
> > yum install -y ninja-build.x86_64
> > yum -y install libslirp-devel.x86_64
> > ../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
> > make
> > make install
> >
> > Best Regards,
> > Thanks!
> >
> > .
> 
>