bisecting fixing commit since f56f3d0e65adb447b8b583c8ed4fbbe544c9bfde
building syzkaller on 8098ea0f3397d5db00e4852b1b29d0958f2189c6
testing commit f56f3d0e65adb447b8b583c8ed4fbbe544c9bfde with gcc (GCC) 8.1.0
kernel signature: 906b430f871461cca7d2dc2b10d7f90d23d1ae0f145a19a82b156fde47393162
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #1: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #2: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #3: crashed: KASAN: use-after-free Read in bpf_clone_redirect
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #5: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #7: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #8: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #9: crashed: general protection fault in bpf_clone_redirect
testing current HEAD 9a95f25269bd9257ab9fba7bb14355d50b5f39ec
testing commit 9a95f25269bd9257ab9fba7bb14355d50b5f39ec with gcc (GCC) 8.1.0
kernel signature: 7986887b214deb39e864745063fe8eeb0e91e1124beff377bcd0c7bc104ef5b7
all runs: OK
# git bisect start 9a95f25269bd9257ab9fba7bb14355d50b5f39ec f56f3d0e65adb447b8b583c8ed4fbbe544c9bfde
Bisecting: 879 revisions left to test after this (roughly 10 steps)
[7642460c2780aab4e66852576d1de5484de8da63] IB/iser: bound protection_sg size by data_sg size
testing commit 7642460c2780aab4e66852576d1de5484de8da63 with gcc (GCC) 8.1.0
kernel signature: 4cb499682e308a98392527e991a9168e53e8b5f210d7ff5efd56bf7f5d4c26c8
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #1: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #2: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #3: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #5: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #7: crashed: KASAN: use-after-free Read in bpf_clone_redirect
run #8: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #9: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
# git bisect good 7642460c2780aab4e66852576d1de5484de8da63
Bisecting: 439 revisions left to test after this (roughly 9 steps)
[34ed0dfdd8f561a05bbc62aae31ac29cc9cb8d07] NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn
testing commit 34ed0dfdd8f561a05bbc62aae31ac29cc9cb8d07 with gcc (GCC) 8.1.0
kernel signature: bfebe8c85973ff9b25cc6aa8daaf957cfec69680a84596ea3f09d4f70b66cf7b
all runs: OK
# git bisect bad 34ed0dfdd8f561a05bbc62aae31ac29cc9cb8d07
Bisecting: 219 revisions left to test after this (roughly 8 steps)
[e4e33e48ac71512c00fcf3d489af7bb054198024] tcp: do not send empty skb from tcp_write_xmit()
testing commit e4e33e48ac71512c00fcf3d489af7bb054198024 with gcc (GCC) 8.1.0
kernel signature: 4fe8045197ef7059141c6c9de1cc1c4d10f6d2c463db96b415d5b0b96ba21e1b
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #1: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #2: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #3: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #5: crashed: general protection fault in corrupted
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #7: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #8: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #9: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
# git bisect good e4e33e48ac71512c00fcf3d489af7bb054198024
Bisecting: 109 revisions left to test after this (roughly 7 steps)
[aa6bf9433ef76485243428754e723e71642f4a6d] net: stmmac: Do not accept invalid MTU values
testing commit aa6bf9433ef76485243428754e723e71642f4a6d with gcc (GCC) 8.1.0
kernel signature: 1ec5591b1b408a59ffdc1a6e4c9dfa9c510881bcdd499c3f8577d585f36e60fb
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
# git bisect good aa6bf9433ef76485243428754e723e71642f4a6d
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[0c703639c11a17db7e479e71fea8778d098c95c2] drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ
testing commit 0c703639c11a17db7e479e71fea8778d098c95c2 with gcc (GCC) 8.1.0
kernel signature: 0dfa8a47b27126a3e9588461a9e23f934696a78ca9c81fc06a5aa9585331989d
all runs: OK
# git bisect bad 0c703639c11a17db7e479e71fea8778d098c95c2
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[36821b48f5203d5490349e514c2774ff9784bebc] vxlan: fix tos value before xmit
testing commit 36821b48f5203d5490349e514c2774ff9784bebc with gcc (GCC) 8.1.0
kernel signature: e3f745526b973d50735aa1c0f1f8a7e8b537026ac2bb0ee01895aa82dac35f93
all runs: OK
# git bisect bad 36821b48f5203d5490349e514c2774ff9784bebc
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[3879a509ac7f02e0ba899d22cad53d366b656f67] mmc: block: Fix bug when removing RPMB chardev
testing commit 3879a509ac7f02e0ba899d22cad53d366b656f67 with gcc (GCC) 8.1.0
kernel signature: 5a03ed697394ecf7931729a0d7d606416584393b0d5640e5be6afb0de5a829fb
all runs: OK
# git bisect bad 3879a509ac7f02e0ba899d22cad53d366b656f67
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[3a8d4b961747e79a9d28e9f7621216045403b2bb] llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c)
testing commit 3a8d4b961747e79a9d28e9f7621216045403b2bb with gcc (GCC) 8.1.0
kernel signature: 465c3a037867349e213e1fe8ca6aa010e091ed17c02c53cf5f30d49fac6b1b1e
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #1: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #2: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #3: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #5: crashed: general protection fault in bpf_clone_redirect
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #7: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
run #8: crashed: general protection fault in corrupted
run #9: crashed: KASAN: use-after-free Read in bpf_clone_redirect
# git bisect good 3a8d4b961747e79a9d28e9f7621216045403b2bb
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[b454ac1b22af130c6fb8d34c344a98339f1cea9a] bpf: Fix passing modified ctx to ld/abs/ind instruction
testing commit b454ac1b22af130c6fb8d34c344a98339f1cea9a with gcc (GCC) 8.1.0
kernel signature: 6a939584185860a9cc9bc4b18cf94e376260ab8c861e5a402412808077f96e8f
all runs: OK
# git bisect bad b454ac1b22af130c6fb8d34c344a98339f1cea9a
Bisecting: 0 revisions left to test after this (roughly 1 step)
[7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82] bpf: reject passing modified ctx to helper functions
testing commit 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82 with gcc (GCC) 8.1.0
kernel signature: 2da2c9dabc8125bc96df2b9cee38513777ae5f62ea11c75cc437a1c01b7ed7d7
all runs: OK
# git bisect bad 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[1051a28b7255e6624d379f2bd45713352f9470cf] hv_netvsc: Fix unwanted rx_table reset
testing commit 1051a28b7255e6624d379f2bd45713352f9470cf with gcc (GCC) 8.1.0
kernel signature: ff32a428f8f782ad1f60787f410f99c0ec7b04d90e9628ff6499eda9dfc780e2
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_clone_redirect
# git bisect good 1051a28b7255e6624d379f2bd45713352f9470cf
7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82 is the first bad commit
commit 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82
Author: Daniel Borkmann
Date:   Thu Jun 7 17:40:03 2018 +0200

    bpf: reject passing modified ctx to helper functions

    commit 58990d1ff3f7896ee341030e9a7c2e4002570683 upstream.

    As commit 28e33f9d78ee ("bpf: disallow arithmetic operations on
    context pointer") already describes, f1174f77b50c ("bpf/verifier:
    rework value tracking") removed the specific white-listed cases
    we had previously where we would allow for pointer arithmetic in
    order to further generalize it, and allow e.g. context access via
    modified registers. While the dereferencing of modified context
    pointers had been forbidden through 28e33f9d78ee, syzkaller did
    recently manage to trigger several KASAN splats for slab out of
    bounds access and use after frees by simply passing a modified
    context pointer to a helper function which would then do the bad
    access since verifier allowed it in adjust_ptr_min_max_vals().

    Rejecting arithmetic on ctx pointer in adjust_ptr_min_max_vals()
    generally could break existing programs as there's a valid use
    case in tracing in combination with passing the ctx to helpers as
    bpf_probe_read(), where the register then becomes unknown at
    verification time due to adding a non-constant offset to it. An
    access sequence may look like the following:

      offset = args->filename;  /* field __data_loc filename */
      bpf_probe_read(&dst, len, (char *)args + offset); // args is ctx

    There are two options: i) we could special case the ctx and as soon
    as we add a constant or bounded offset to it (hence ctx type wouldn't
    change) we could turn the ctx into an unknown scalar, or ii) we
    generalize the sanity test for ctx member access into a small helper
    and assert it on the ctx register that was passed as a function
    argument. Fwiw, latter is more obvious and less complex at the same
    time, and one case that may potentially be legitimate in future for
    ctx member access at least would be for ctx to carry a const offset.
    Therefore, fix follows approach from ii) and adds test cases to BPF
    kselftests.

    Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
    Reported-by: syzbot+3d0b2441dbb71751615e@syzkaller.appspotmail.com
    Reported-by: syzbot+c8504affd4fdd0c1b626@syzkaller.appspotmail.com
    Reported-by: syzbot+e5190cb881d8660fb1a3@syzkaller.appspotmail.com
    Reported-by: syzbot+efae31b384d5badbd620@syzkaller.appspotmail.com
    Signed-off-by: Daniel Borkmann
    Acked-by: Alexei Starovoitov
    Acked-by: Yonghong Song
    Acked-by: Edward Cree
    Signed-off-by: Alexei Starovoitov
    Signed-off-by: Greg Kroah-Hartman

 kernel/bpf/verifier.c                       | 45 ++++++++++++++--------
 tools/testing/selftests/bpf/test_verifier.c | 58 ++++++++++++++++++++++++++++-
 2 files changed, 87 insertions(+), 16 deletions(-)

culprit signature: 2da2c9dabc8125bc96df2b9cee38513777ae5f62ea11c75cc437a1c01b7ed7d7
parent signature: ff32a428f8f782ad1f60787f410f99c0ec7b04d90e9628ff6499eda9dfc780e2
revisions tested: 13, total time: 3h22m32.062291309s (build: 1h50m3.991279006s, test: 1h30m51.412147482s)
first good commit: 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82 bpf: reject passing modified ctx to helper functions
cc: ["ast@kernel.org" "daniel@iogearbox.net" "ecree@solarflare.com" "gregkh@linuxfoundation.org" "yhs@fb.com"]
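The commit message above describes option ii): keep a ctx register's type after pointer arithmetic, but run one sanity test on it wherever an unmodified ctx is required, including when it is handed to a helper. The program below is an added, user-space model of that rule written for this page; it is not the kernel's verifier code, and struct reg_state, struct tnum, the ARG_* values, the function names and the three sample register states are assumptions made here for illustration. The model tracks a constant offset (off) and a variable offset (var_off as a value/mask pair) the way the commit message talks about them, and also shows why the approach does not break the tracing pattern quoted there: bpf_clone_redirect declares its first argument as a ctx pointer and so gets the check, whereas the source pointer of bpf_probe_read is accepted as any value and is left alone.

```c
/* Added example, not kernel code: a model of "reject passing modified ctx
 * to helper functions". All types and names here are this example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum reg_type { SCALAR_VALUE, PTR_TO_CTX };

/* Helper argument kinds the model distinguishes. */
enum arg_type { ARG_ANYTHING, ARG_PTR_TO_CTX };

/* Tristate number: bits set in mask are unknown, the rest are in value. */
struct tnum { uint64_t value; uint64_t mask; };

struct reg_state {
    enum reg_type type;
    int32_t off;          /* constant offset added to the pointer */
    struct tnum var_off;  /* variable offset added to the pointer */
};

static bool tnum_is_const(struct tnum t) { return t.mask == 0; }

/* R1 as the program receives it: the untouched context pointer. */
static struct reg_state ctx_unmodified(void)
{
    return (struct reg_state){ PTR_TO_CTX, 0, { 0, 0 } };
}

/* ctx + k with k constant: the type stays PTR_TO_CTX, only off changes. */
static struct reg_state ctx_plus_const(int32_t k)
{
    struct reg_state r = ctx_unmodified();
    r.off = k;
    return r;
}

/* ctx + a scalar loaded at run time (the "(char *)args + offset" case):
 * the type stays PTR_TO_CTX but every offset bit is unknown. */
static struct reg_state ctx_plus_unknown(void)
{
    struct reg_state r = ctx_unmodified();
    r.var_off = (struct tnum){ 0, ~0ULL };
    return r;
}

/* The generalized ctx sanity test: a ctx pointer may be dereferenced, or
 * passed where a helper expects ctx, only in its original form. */
static int check_ctx_reg_model(struct reg_state reg, int regno)
{
    if (reg.off) {
        fprintf(stderr, "modified ctx ptr R%d off=%d disallowed\n",
                regno, reg.off);
        return -1;
    }
    if (!tnum_is_const(reg.var_off) || reg.var_off.value) {
        fprintf(stderr, "variable ctx access R%d var_off=(%#llx; %#llx) disallowed\n",
                regno, (unsigned long long)reg.var_off.value,
                (unsigned long long)reg.var_off.mask);
        return -1;
    }
    return 0;
}

/* Helper-call argument check. Only an argument the helper declares as a
 * ctx pointer gets the sanity test; an ARG_ANYTHING slot is untouched, so
 * bpf_probe_read(&dst, len, ctx + runtime_offset) still loads. */
static int check_helper_arg_model(struct reg_state reg, int regno,
                                  enum arg_type expected)
{
    if (expected != ARG_PTR_TO_CTX)
        return 0;
    if (reg.type != PTR_TO_CTX) {
        fprintf(stderr, "R%d type mismatch: expected ctx\n", regno);
        return -1;
    }
    return check_ctx_reg_model(reg, regno);
}

int main(void)
{
    /* bpf_clone_redirect(ctx, ...): R1 must be the real ctx. */
    printf("clone_redirect(ctx)     -> %d\n",
           check_helper_arg_model(ctx_unmodified(), 1, ARG_PTR_TO_CTX));
    printf("clone_redirect(ctx+8)   -> %d\n",
           check_helper_arg_model(ctx_plus_const(8), 1, ARG_PTR_TO_CTX));
    printf("clone_redirect(ctx+var) -> %d\n",
           check_helper_arg_model(ctx_plus_unknown(), 1, ARG_PTR_TO_CTX));
    /* bpf_probe_read(&dst, len, ctx+var): R3 may hold anything. */
    printf("probe_read(.., ctx+var) -> %d\n",
           check_helper_arg_model(ctx_plus_unknown(), 3, ARG_ANYTHING));
    return 0;
}
```

The two rejected cases are exactly the shapes the bisection crashed on: the pointer arithmetic is still permitted, but the register that reaches bpf_clone_redirect is no longer trusted to point at the start of the context.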