bisecting fixing commit since 3ffe1e79c174b2093f7ee3df589a7705572c9620
building syzkaller on 0d298d6b2e4a48a2b4d3413cabc199e5f61c1dd4
testing commit 3ffe1e79c174b2093f7ee3df589a7705572c9620 with gcc (GCC) 8.1.0
kernel signature: de390d3a615f39243a207f4642b2450b9e0332b033168e9ac018b1ae65a9ef68
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #1: crashed: KASAN: use-after-free Read in bpf_skb_change_tail
run #2: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #3: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #5: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #7: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #8: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #9: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
testing current HEAD 9fa690a2a016e1b55356835f047b952e67d3d73a
testing commit 9fa690a2a016e1b55356835f047b952e67d3d73a with gcc (GCC) 8.1.0
kernel signature: 98179b0eb04d6bbc87dade5bf3da8ef226da08064a770549960d2d60ff426a8f
all runs: OK
# git bisect start 9fa690a2a016e1b55356835f047b952e67d3d73a 3ffe1e79c174b2093f7ee3df589a7705572c9620
Bisecting: 1644 revisions left to test after this (roughly 11 steps)
[fb7a0caf45dae36dd750d596939fb805ab5b72f5] RDMA/bnxt_re: Fix qp async event reporting
testing commit fb7a0caf45dae36dd750d596939fb805ab5b72f5 with gcc (GCC) 8.1.0
kernel signature: e44b632dd6c9c1e32b8b30858eb0e31bbf663362914bf401004220639a8dcc33
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
# git bisect good fb7a0caf45dae36dd750d596939fb805ab5b72f5
Bisecting: 822 revisions left to test after this (roughly 10 steps)
[e46523a24db0a8c48a072c6f75184f8ff4b222ca] crypto: vmx - Avoid weird build failures
testing commit e46523a24db0a8c48a072c6f75184f8ff4b222ca with gcc (GCC) 8.1.0
kernel signature: 532478e1187c808073f84a3b22e4328085e5b471810ebdb4ea9275ab6bbfa955
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
# git bisect good e46523a24db0a8c48a072c6f75184f8ff4b222ca
Bisecting: 411 revisions left to test after this (roughly 9 steps)
[93c81624bb12329445e76a88dbb45ac0ef55d152] macvlan: use skb_reset_mac_header() in macvlan_queue_xmit()
testing commit 93c81624bb12329445e76a88dbb45ac0ef55d152 with gcc (GCC) 8.1.0
kernel signature: 9c1967f54d418b54b9257d6812877642f496e374d5b562e4a78b8b415a31650b
all runs: OK
# git bisect bad 93c81624bb12329445e76a88dbb45ac0ef55d152
Bisecting: 205 revisions left to test after this (roughly 8 steps)
[210670f32876544b6cb7613dc4d1c7b63dec03d0] ARM: vexpress: Set-up shared OPP table instead of individual for each CPU
testing commit 210670f32876544b6cb7613dc4d1c7b63dec03d0 with gcc (GCC) 8.1.0
kernel signature: 8da571fb6cad5d248c7dfa172c4abe2d8801f633b3b92452cbb8da2b783b1192
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
# git bisect good 210670f32876544b6cb7613dc4d1c7b63dec03d0
Bisecting: 102 revisions left to test after this (roughly 7 steps)
[4ded4a2cf506a1aa621901d1289e89a8587963bc] arm64: Make sure permission updates happen for pmd/pud
testing commit 4ded4a2cf506a1aa621901d1289e89a8587963bc with gcc (GCC) 8.1.0
kernel signature: 698a1c3172a16607b5e45f2eae2e8b8d8aca4d996be7c5221ed8e9fbcb31e81f
all runs: OK
# git bisect bad 4ded4a2cf506a1aa621901d1289e89a8587963bc
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[9df7257626785ede4905f8813adc78ba740d3f72] vlan: fix memory leak in vlan_dev_set_egress_priority
testing commit 9df7257626785ede4905f8813adc78ba740d3f72 with gcc (GCC) 8.1.0
kernel signature: 4d9bcd77566b21cd44c28dd72a0626d60bc6b4d41506f94d6c560f19e041b1b9
all runs: OK
# git bisect bad 9df7257626785ede4905f8813adc78ba740d3f72
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[62dfe5f55d2ca0b350fa76333fbb8a57b31c864a] block: fix memleak when __blk_rq_map_user_iov() is failed
testing commit 62dfe5f55d2ca0b350fa76333fbb8a57b31c864a with gcc (GCC) 8.1.0
kernel signature: 26c4c35fa5a365cd40a4ff88bccb8a27c28bc43c2293a3b513cac94d39ad8875
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
# git bisect good 62dfe5f55d2ca0b350fa76333fbb8a57b31c864a
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[4a953272f2d2db63bba97137b64b3f1770634e00] macvlan: do not assume mac_header is set in macvlan_broadcast()
testing commit 4a953272f2d2db63bba97137b64b3f1770634e00 with gcc (GCC) 8.1.0
kernel signature: d33e735282246a3e1b2ec62605087baec448bee3d88e3fe7bb57a9f9de0aab3e
all runs: OK
# git bisect bad 4a953272f2d2db63bba97137b64b3f1770634e00
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[e9eae4143c33ebe33aa2e195c2863c6e1bf3f8cd] PCI/switchtec: Read all 64 bits of part_event_bitmap
testing commit e9eae4143c33ebe33aa2e195c2863c6e1bf3f8cd with gcc (GCC) 8.1.0
kernel signature: 5780baf6aae824d8b6da2351bcb2de07cd20f8340c000da7f442191785ca3971
all runs: OK
# git bisect bad e9eae4143c33ebe33aa2e195c2863c6e1bf3f8cd
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[1051a28b7255e6624d379f2bd45713352f9470cf] hv_netvsc: Fix unwanted rx_table reset
testing commit 1051a28b7255e6624d379f2bd45713352f9470cf with gcc (GCC) 8.1.0
kernel signature: afd65a76d8ef03c96c7ec9d546858f0a7eac6a3cd44e7cb7a319a4d9cbba03b3
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
# git bisect good 1051a28b7255e6624d379f2bd45713352f9470cf
Bisecting: 0 revisions left to test after this (roughly 1 step)
[b454ac1b22af130c6fb8d34c344a98339f1cea9a] bpf: Fix passing modified ctx to ld/abs/ind instruction
testing commit b454ac1b22af130c6fb8d34c344a98339f1cea9a with gcc (GCC) 8.1.0
kernel signature: ac326edc808511f5d52ae05ede042c1b9b709234710c74a94625c5d8cff8a06f
all runs: OK
# git bisect bad b454ac1b22af130c6fb8d34c344a98339f1cea9a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82] bpf: reject passing modified ctx to helper functions
testing commit 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82 with gcc (GCC) 8.1.0
kernel signature: 3b1b355ea39b58562ebc6d2f6847ef03dbaeb181f978024ee60942bfb913c557
all runs: OK
# git bisect bad 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82
7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82 is the first bad commit
commit 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82
Author: Daniel Borkmann
Date:   Thu Jun 7 17:40:03 2018 +0200

    bpf: reject passing modified ctx to helper functions

    commit 58990d1ff3f7896ee341030e9a7c2e4002570683 upstream.

    As commit 28e33f9d78ee ("bpf: disallow arithmetic operations on
    context pointer") already describes, f1174f77b50c ("bpf/verifier:
    rework value tracking") removed the specific white-listed cases
    we had previously where we would allow for pointer arithmetic in
    order to further generalize it, and allow e.g. context access via
    modified registers. While the dereferencing of modified context
    pointers had been forbidden through 28e33f9d78ee, syzkaller did
    recently manage to trigger several KASAN splats for slab out of
    bounds access and use after frees by simply passing a modified
    context pointer to a helper function which would then do the bad
    access since verifier allowed it in adjust_ptr_min_max_vals().

    Rejecting arithmetic on ctx pointer in adjust_ptr_min_max_vals()
    generally could break existing programs as there's a valid use
    case in tracing in combination with passing the ctx to helpers as
    bpf_probe_read(), where the register then becomes unknown at
    verification time due to adding a non-constant offset to it. An
    access sequence may look like the following:

      offset = args->filename;  /* field __data_loc filename */
      bpf_probe_read(&dst, len, (char *)args + offset); // args is ctx

    There are two options: i) we could special case the ctx and as
    soon as we add a constant or bounded offset to it (hence ctx type
    wouldn't change) we could turn the ctx into an unknown scalar, or
    ii) we generalize the sanity test for ctx member access into a
    small helper and assert it on the ctx register that was passed
    as a function argument. Fwiw, latter is more obvious and less
    complex at the same time, and one case that may potentially be
    legitimate in future for ctx member access at least would be for
    ctx to carry a const offset. Therefore, fix follows approach
    from ii) and adds test cases to BPF kselftests.

    Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
    Reported-by: syzbot+3d0b2441dbb71751615e@syzkaller.appspotmail.com
    Reported-by: syzbot+c8504affd4fdd0c1b626@syzkaller.appspotmail.com
    Reported-by: syzbot+e5190cb881d8660fb1a3@syzkaller.appspotmail.com
    Reported-by: syzbot+efae31b384d5badbd620@syzkaller.appspotmail.com
    Signed-off-by: Daniel Borkmann
    Acked-by: Alexei Starovoitov
    Acked-by: Yonghong Song
    Acked-by: Edward Cree
    Signed-off-by: Alexei Starovoitov
    Signed-off-by: Greg Kroah-Hartman

 kernel/bpf/verifier.c                       | 45 ++++++++++++++--------
 tools/testing/selftests/bpf/test_verifier.c | 58 ++++++++++++++++++++++++++++-
 2 files changed, 87 insertions(+), 16 deletions(-)

culprit signature: 3b1b355ea39b58562ebc6d2f6847ef03dbaeb181f978024ee60942bfb913c557
parent  signature: afd65a76d8ef03c96c7ec9d546858f0a7eac6a3cd44e7cb7a319a4d9cbba03b3
revisions tested: 14, total time: 3h42m43.724806931s (build: 1h59m33.798607043s, test: 1h41m26.167233016s)
first good commit: 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82 bpf: reject passing modified ctx to helper functions
cc: ["ast@kernel.org" "daniel@iogearbox.net" "ecree@solarflare.com" "gregkh@linuxfoundation.org" "yhs@fb.com"]