syzbot


UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare

Status: auto-obsoleted due to no activity on 2024/09/09 11:57
Reported-by: syzbot+e26f359a082bbc0c3949@syzkaller.appspotmail.com
First crash: 228d, last: 129d
Fix bisection: fixed by (bisect log) :
commit 95b7476f6f68d725c474e3348e89436b0abde62a
Author: Jiri Olsa <jolsa@kernel.org>
Date: Thu Dec 15 21:44:29 2022 +0000

  bpf: Do cleanup in bpf_bprintf_cleanup only when needed

  
Bug presence (2)
Date Name Commit Repro Result
2024/07/07 lts (merge base) 347385861c50 C Didn't crash
2024/07/07 upstream (ToT) 256abd8e550c C Didn't crash
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare C done 12 145d 233d 0/2 auto-obsoleted due to no activity on 2024/08/24 09:50
upstream KMSAN: uninit-value in bpf_bprintf_prepare bpf C 4 194d 230d 0/28 closed as dup on 2024/04/09 05:35
Last patch testing requests (1)
Created Duration User Patch Repo Result
2024/05/19 07:49 6m retest repro android14-6.1 report log

Sample crash report:
================================================================================
UBSAN: array-index-out-of-bounds in kernel/bpf/helpers.c:776:13
index -1 is out of range for type 'char[3][512]'
CPU: 0 PID: 330 Comm: syz-executor141 Not tainted 6.1.68-syzkaller-00090-g609541ba1afd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 dump_stack+0x15/0x1b lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_out_of_bounds+0x13a/0x160 lib/ubsan.c:282
 try_get_fmt_tmp_buf kernel/bpf/helpers.c:776 [inline]
 bpf_bprintf_prepare+0x132e/0x1360 kernel/bpf/helpers.c:818
 ____bpf_trace_printk kernel/trace/bpf_trace.c:385 [inline]
 bpf_trace_printk+0x14a/0x300 kernel/trace/bpf_trace.c:376
 bpf_prog_6d76b37dff78ad46+0x2e/0x32
 bpf_dispatcher_nop_func include/linux/bpf.h:982 [inline]
 __bpf_prog_run include/linux/filter.h:600 [inline]
 bpf_prog_run include/linux/filter.h:607 [inline]
 bpf_test_run+0x4ab/0xa40 net/bpf/test_run.c:402
 bpf_prog_test_run_skb+0xaf1/0x13a0 net/bpf/test_run.c:1180
 bpf_prog_test_run+0x3b0/0x630 kernel/bpf/syscall.c:3635
 __sys_bpf+0x59f/0x7f0 kernel/bpf/syscall.c:4990
 __do_sys_bpf kernel/bpf/syscall.c:5076 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5074 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5074
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f36a8445f69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffa6a01058 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f36a8445f69
RDX: 0000000000000028 RSI: 0000000020000200 RDI: 000000000000000a
RBP: 00000000000f4240 R08: 00000000000000a0 R09: 00000000000000a0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
================================================================================
BUG: scheduling while atomic: syz-executor141/330/0x00000002
Modules linked in:
Preemption disabled at:
[<ffffffff818eaf88>] try_get_fmt_tmp_buf kernel/bpf/helpers.c:768 [inline]
[<ffffffff818eaf88>] bpf_bprintf_prepare+0x118/0x1360 kernel/bpf/helpers.c:818
CPU: 0 PID: 330 Comm: syz-executor141 Not tainted 6.1.68-syzkaller-00090-g609541ba1afd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 dump_stack+0x15/0x1b lib/dump_stack.c:113
 __schedule_bug+0x195/0x260 kernel/sched/core.c:5960
 schedule_debug kernel/sched/core.c:5987 [inline]
 __schedule+0xcf7/0x1550 kernel/sched/core.c:6622
 schedule+0xc3/0x180 kernel/sched/core.c:6805
 exit_to_user_mode_loop+0x4e/0xa0 kernel/entry/common.c:159
 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:297
 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f36a8445f69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffa6a01058 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f36a8445f69
RDX: 0000000000000028 RSI: 0000000020000200 RDI: 000000000000000a
RBP: 00000000000f4240 R08: 00000000000000a0 R09: 00000000000000a0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Crashes (14):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/03/22 15:08 android14-6.1 609541ba1afd 4b6cdce6 .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-android-6-1 UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
2024/02/23 08:49 android14-6.1 d6b58cc171f4 8d446f15 .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-android-6-1 UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
2024/02/25 05:42 android14-6.1 8c0f9174731d 8d446f15 .config console log report syz [disk image] [vmlinux] [kernel image] ci2-android-6-1 UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
2024/06/01 11:56 android14-6.1 74c507aab139 3113787f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
2024/05/05 07:22 android14-6.1 1794308d463f 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1-perf UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
2024/05/01 01:16 android14-6.1 1d37bc9913cc 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1-perf UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
2024/04/21 04:33 android14-6.1 dcb09569bbff af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1-perf UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
2024/04/20 18:18 android14-6.1 dcb09569bbff af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
2024/04/17 04:12 android14-6.1 089d1b8f6daf 18f6e127 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
2024/04/15 16:59 android14-6.1 26f2c9be9ebe b9af7e61 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1-perf UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
2024/04/07 07:29 android14-6.1 60534eef4739 ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
2024/04/04 23:41 android14-6.1 60534eef4739 0ee3535e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
2024/03/31 14:11 android14-6.1 5b8114ec3c92 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
2024/03/31 07:51 android14-6.1 5b8114ec3c92 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
* Struck through repros no longer work on HEAD.