syzbot


KASAN: stack-out-of-bounds Read in hash

Status: upstream: reported C repro on 2024/04/06 13:44
Subsystems: bpf
Reported-by: syzbot+9459b5d7fab774cf182f@syzkaller.appspotmail.com
Fix commit: a8d89feba7e5 bpf: Check bloom filter map value size
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-net-next-test-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 49d, last: 38d
Cause bisection: introduced by (bisect log):
commit 9330986c03006ab1d33d243b7cfe598a7a3c1baa
Author: Joanne Koong <joannekoong@fb.com>
Date: Wed Oct 27 23:45:00 2021 +0000

  bpf: Add bloom filter map implementation

Crash: BUG: stack guard page was hit in sys_unlink (log)
Repro: C syz .config
  
Discussions (1)
Title | Replies (including bot) | Last reply
[syzbot] [bpf?] KASAN: stack-out-of-bounds Read in hash | 4 (6) | 2024/05/16 01:35
Similar bugs (2)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-6.1 | BUG: unable to handle kernel paging request in hash [origin:lts-only] | C | error |  | 2 | 48d | 49d | 0/3 | upstream: reported C repro on 2024/04/02 17:12
android-6-1 | KASAN: stack-out-of-bounds Read in hash [origin:lts] | C |  |  | 72 | 6h02m | 49d | 0/2 | upstream: reported C repro on 2024/04/02 14:50
Last patch testing requests (4)
Created | Duration | User | Patch | Repo | Result
2024/04/30 21:46 | 23m | retest repro |  | bpf | OK log
2024/04/30 21:46 | 23m | retest repro |  | net | OK log
2024/04/28 17:53 | 22m | retest repro |  | bpf-next | error OK
2024/04/02 18:04 | 47m | zokeefe@google.com |  | https://prodkernel.git.corp.google.com/kernel/release/11xx next | error OK

Sample crash report:
BUG: unable to handle page fault for address: ffffc90003b58000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 14c00067 
P4D 14c00067 
PUD 15ad6067 
PMD 1ea95067 
PTE 0

Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 PID: 5067 Comm: syz-executor311 Not tainted 6.8.0-syzkaller-05243-g14bb1e8c8d4a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:jhash2 include/linux/jhash.h:127 [inline]
RIP: 0010:hash+0xd3/0x410 kernel/bpf/bloom_filter.c:29
Code: ff df 0f b6 04 10 84 c0 0f 85 a7 00 00 00 45 03 6f f4 49 8d 7c 24 04 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 b3 00 00 00 <41> 03 5f f8 49 8d 7c 24 08 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0
RSP: 0018:ffffc90003b57ad8 EFLAGS: 00010286

RAX: 0000000000000000 RBX: 000000007a0bd864 RCX: ffffffff81b5da0b
RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffffc90003b58000
RBP: 00000000e16c5d2c R08: ffffffff81b5d8f0 R09: 1ffffffff2598ea0
R10: dffffc0000000000 R11: ffffffffa0001c58 R12: ffffc90003b57ffc
R13: 000000004e7bdfe8 R14: 000000003ffffe60 R15: ffffc90003b58008
FS:  00005555899de380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90003b58000 CR3: 000000007851e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 bloom_map_peek_elem+0xb2/0x1b0 kernel/bpf/bloom_filter.c:43
 bpf_prog_00798911c748094f+0x42/0x46
 bpf_dispatcher_nop_func include/linux/bpf.h:1233 [inline]
 __bpf_prog_run include/linux/filter.h:667 [inline]
 bpf_prog_run include/linux/filter.h:674 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2396 [inline]
 bpf_trace_run2+0x2ec/0x530 kernel/trace/bpf_trace.c:2437
 __traceiter_ext4_drop_inode+0x76/0xd0 include/trace/events/ext4.h:265
 trace_ext4_drop_inode include/trace/events/ext4.h:265 [inline]
 ext4_drop_inode+0x20a/0x270 fs/ext4/super.c:1450
 iput_final fs/inode.c:1711 [inline]
 iput+0x45e/0x900 fs/inode.c:1767
 d_delete_notify include/linux/fsnotify.h:301 [inline]
 vfs_rmdir+0x38f/0x4c0 fs/namei.c:4220
 do_rmdir+0x3b5/0x580 fs/namei.c:4266
 __do_sys_rmdir fs/namei.c:4285 [inline]
 __se_sys_rmdir fs/namei.c:4283 [inline]
 __x64_sys_rmdir+0x49/0x60 fs/namei.c:4283
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7ff2bfd2ffb7
Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc67298e8 EFLAGS: 00000207
 ORIG_RAX: 0000000000000054
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff2bfd2ffb7
RDX: fffffffffffff000 RSI: 0000000000000000 RDI: 00007ffcc672aa10
RBP: 0000000000000065 R08: 00005555899df73b R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000207 R12: 00007ffcc672aa10
R13: 00005555899df6c0 R14: 00007ffcc672aa10 R15: 0000000000000001
 </TASK>
Modules linked in:
CR2: ffffc90003b58000
---[ end trace 0000000000000000 ]---
RIP: 0010:jhash2 include/linux/jhash.h:127 [inline]
RIP: 0010:hash+0xd3/0x410 kernel/bpf/bloom_filter.c:29
Code: ff df 0f b6 04 10 84 c0 0f 85 a7 00 00 00 45 03 6f f4 49 8d 7c 24 04 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 b3 00 00 00 <41> 03 5f f8 49 8d 7c 24 08 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0
RSP: 0018:ffffc90003b57ad8 EFLAGS: 00010286

RAX: 0000000000000000 RBX: 000000007a0bd864 RCX: ffffffff81b5da0b
RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffffc90003b58000
RBP: 00000000e16c5d2c R08: ffffffff81b5d8f0 R09: 1ffffffff2598ea0
R10: dffffc0000000000 R11: ffffffffa0001c58 R12: ffffc90003b57ffc
R13: 000000004e7bdfe8 R14: 000000003ffffe60 R15: ffffc90003b58008
FS:  00005555899de380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90003b58000 CR3: 000000007851e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	df 0f                	fisttps (%rdi)
   2:	b6 04                	mov    $0x4,%dh
   4:	10 84 c0 0f 85 a7 00 	adc    %al,0xa7850f(%rax,%rax,8)
   b:	00 00                	add    %al,(%rax)
   d:	45 03 6f f4          	add    -0xc(%r15),%r13d
  11:	49 8d 7c 24 04       	lea    0x4(%r12),%rdi
  16:	48 89 f8             	mov    %rdi,%rax
  19:	48 c1 e8 03          	shr    $0x3,%rax
  1d:	0f b6 04 10          	movzbl (%rax,%rdx,1),%eax
  21:	84 c0                	test   %al,%al
  23:	0f 85 b3 00 00 00    	jne    0xdc
* 29:	41 03 5f f8          	add    -0x8(%r15),%ebx <-- trapping instruction
  2d:	49 8d 7c 24 08       	lea    0x8(%r12),%rdi
  32:	48 89 f8             	mov    %rdi,%rax
  35:	48 c1 e8 03          	shr    $0x3,%rax
  39:	0f b6 04 10          	movzbl (%rax,%rdx,1),%eax
  3d:	84 c0                	test   %al,%al

Crashes (5):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2024/04/02 14:20 | bpf-next | 14bb1e8c8d4a | 6baf5069 | .config | strace log | report | syz | C |  | disk image, vmlinux, kernel image | ci-upstream-bpf-next-kasan-gce | BUG: unable to handle kernel paging request in hash
2024/04/02 14:54 | bpf | 443574b03387 | 6baf5069 | .config | strace log | report | syz | C |  | disk image, vmlinux, kernel image | ci-upstream-bpf-kasan-gce | KASAN: stack-out-of-bounds Read in hash
2024/04/02 14:55 | net | f99c5f563c17 | 6baf5069 | .config | console log | report | syz | C |  | disk image, vmlinux, kernel image | ci-upstream-net-this-kasan-gce | BUG: unable to handle kernel paging request in hash
2024/04/13 18:07 | bpf | 443574b03387 | c8349e48 | .config | console log | report |  |  | info | disk image, vmlinux, kernel image | ci-upstream-bpf-kasan-gce | KASAN: stack-out-of-bounds Read in hash
2024/04/02 13:42 | bpf-next | 14bb1e8c8d4a | 6baf5069 | .config | console log | report |  |  | info | disk image, vmlinux, kernel image | ci-upstream-bpf-next-kasan-gce | KASAN: stack-out-of-bounds Read in hash