bisecting fixing commit since 01fd1694b93c92ad54fa684dac9c8068ecda8288
building syzkaller on db7c31ca79638f50cbb920add433b46cd66e9890
testing commit 01fd1694b93c92ad54fa684dac9c8068ecda8288 with gcc (GCC) 8.1.0
kernel signature: 6408f2573dfb5a2bd04868617dc02ae538e7071308aaa9bbc38e2a3f16a72625
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
testing current HEAD 9fa690a2a016e1b55356835f047b952e67d3d73a
testing commit 9fa690a2a016e1b55356835f047b952e67d3d73a with gcc (GCC) 8.1.0
kernel signature: d044868f23dee4506cf53168a9a7e708dadf9b9729a4907c01dfa0dc64d914e9
all runs: OK
# git bisect start 9fa690a2a016e1b55356835f047b952e67d3d73a 01fd1694b93c92ad54fa684dac9c8068ecda8288
Bisecting: 1541 revisions left to test after this (roughly 11 steps)
[fdb507e489275e3433911c8ec04c7420a6a29e1c] scsi: mpt3sas: Don't modify EEDPTagMode field setting on SAS3.5 HBA devices
testing commit fdb507e489275e3433911c8ec04c7420a6a29e1c with gcc (GCC) 8.1.0
kernel signature: 99d36ce1e3b382b7b216ca4a9ee4047ab4ebd28e3eec19ac396f94ae3d3b13ee
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #1: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #2: crashed: KASAN: use-after-free Read in bpf_skb_change_proto
run #3: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #5: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #7: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #8: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #9: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
# git bisect good fdb507e489275e3433911c8ec04c7420a6a29e1c
Bisecting: 770 revisions left to test after this (roughly 10 steps)
[1fecec01675780f80f5fe3496cd9ab956caf51ec] clk: qcom: Allow constant ratio freq tables for rcg
testing commit 1fecec01675780f80f5fe3496cd9ab956caf51ec with gcc (GCC) 8.1.0
kernel signature: 1fd9379cbfc9ed8ce5947539adde9e83ff992ed89387645a98d39f5a7c2537ce
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
# git bisect good 1fecec01675780f80f5fe3496cd9ab956caf51ec
Bisecting: 385 revisions left to test after this (roughly 9 steps)
[e71ab588b09178efc05c401db29b6c8f426b9917] xfs: Sanity check flags of Q_XQUOTARM call
testing commit e71ab588b09178efc05c401db29b6c8f426b9917 with gcc (GCC) 8.1.0
kernel signature: 377013808ccd80143abbdd1ef4466ebcb339d9ca3c861d85c54cbb28cb3d6670
all runs: OK
# git bisect bad e71ab588b09178efc05c401db29b6c8f426b9917
Bisecting: 192 revisions left to test after this (roughly 8 steps)
[19716758430e63e0cf6097cdde2a72b6ac28dc75] net: dsa: mv88e6xxx: Preserve priority when setting CPU port.
testing commit 19716758430e63e0cf6097cdde2a72b6ac28dc75 with gcc (GCC) 8.1.0
kernel signature: a6c8c98fb5fbaa10e0a74111a1f29cadd875ceac908fb7cf1826e9cf03c1f18a
all runs: OK
# git bisect bad 19716758430e63e0cf6097cdde2a72b6ac28dc75
Bisecting: 95 revisions left to test after this (roughly 7 steps)
[d106de1b9e3670abffb2a4e18dbc88170c30b452] media: cec: CEC 2.0-only bcast messages were ignored
testing commit d106de1b9e3670abffb2a4e18dbc88170c30b452 with gcc (GCC) 8.1.0
kernel signature: aa71c6913d2c820651621294953c125f32a6d11b5b6db2cf636ae4887b8a9209
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #1: crashed: KASAN: use-after-free Read in bpf_skb_change_proto
run #2: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #3: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #5: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #7: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #8: crashed: KASAN: use-after-free Read in bpf_skb_change_proto
run #9: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
# git bisect good d106de1b9e3670abffb2a4e18dbc88170c30b452
Bisecting: 47 revisions left to test after this (roughly 6 steps)
[f0e24d683636a9193a2adcc928b78ba74bd46f1a] USB: dummy-hcd: increase max number of devices to 32
testing commit f0e24d683636a9193a2adcc928b78ba74bd46f1a with gcc (GCC) 8.1.0
kernel signature: 35b7dfc2e2836056743b163fa825689c5b427c1b7becdc241b5a9f291be8bdab
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
# git bisect good f0e24d683636a9193a2adcc928b78ba74bd46f1a
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[c7a6c3d2c372a592c975cda98a479287ebd169d1] rfkill: Fix incorrect check to avoid NULL pointer dereference
testing commit c7a6c3d2c372a592c975cda98a479287ebd169d1 with gcc (GCC) 8.1.0
kernel signature: 835a53dbf00b3d2517a4d587aa7a903fa0a529d4a1bb0f731a97a643ea2479b6
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #1: crashed: KASAN: use-after-free Read in bpf_skb_change_proto
run #2: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #3: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #5: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #7: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #8: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #9: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
# git bisect good c7a6c3d2c372a592c975cda98a479287ebd169d1
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[3a8d4b961747e79a9d28e9f7621216045403b2bb] llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c)
testing commit 3a8d4b961747e79a9d28e9f7621216045403b2bb with gcc (GCC) 8.1.0
kernel signature: fd6a1ac5f9923fb772a1444b05b46aa827f76c4af1a4ebbeae5d59202f2087ee
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
# git bisect good 3a8d4b961747e79a9d28e9f7621216045403b2bb
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[ae4e8ce0d86159bbba7cfaa44f6276d38b1f2200] mmc: block: Delete mmc_access_rpmb()
testing commit ae4e8ce0d86159bbba7cfaa44f6276d38b1f2200 with gcc (GCC) 8.1.0
kernel signature: 5480f67455afa5555069d1809011dd8c6918f043ad63f2a3524b417cb9cfa99e
all runs: OK
# git bisect bad ae4e8ce0d86159bbba7cfaa44f6276d38b1f2200
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[b454ac1b22af130c6fb8d34c344a98339f1cea9a] bpf: Fix passing modified ctx to ld/abs/ind instruction
testing commit b454ac1b22af130c6fb8d34c344a98339f1cea9a with gcc (GCC) 8.1.0
kernel signature: 821507901602ac0f619cd9264394bb27a670d7965c733aed37a4d4f6cdbcbb2f
all runs: OK
# git bisect bad b454ac1b22af130c6fb8d34c344a98339f1cea9a
Bisecting: 0 revisions left to test after this (roughly 1 step)
[7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82] bpf: reject passing modified ctx to helper functions
testing commit 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82 with gcc (GCC) 8.1.0
kernel signature: 7e6bd2e5f6194adec742ba8f489ebcca0179e57945bd3c7f4bb12845245e69a5
all runs: OK
# git bisect bad 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[1051a28b7255e6624d379f2bd45713352f9470cf] hv_netvsc: Fix unwanted rx_table reset
testing commit 1051a28b7255e6624d379f2bd45713352f9470cf with gcc (GCC) 8.1.0
kernel signature: 2807510b9fbac83de2337c1723532bdc84aed3e2c0db2f6c01cc3cda791621b9
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
# git bisect good 1051a28b7255e6624d379f2bd45713352f9470cf
7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82 is the first bad commit
commit 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82
Author: Daniel Borkmann
Date:   Thu Jun 7 17:40:03 2018 +0200

    bpf: reject passing modified ctx to helper functions

    commit 58990d1ff3f7896ee341030e9a7c2e4002570683 upstream.

    As commit 28e33f9d78ee ("bpf: disallow arithmetic operations on
    context pointer") already describes, f1174f77b50c ("bpf/verifier:
    rework value tracking") removed the specific white-listed cases
    we had previously where we would allow for pointer arithmetic in
    order to further generalize it, and allow e.g. context access via
    modified registers. While the dereferencing of modified context
    pointers had been forbidden through 28e33f9d78ee, syzkaller did
    recently manage to trigger several KASAN splats for slab out of
    bounds access and use after frees by simply passing a modified
    context pointer to a helper function which would then do the bad
    access since verifier allowed it in adjust_ptr_min_max_vals().

    Rejecting arithmetic on ctx pointer in adjust_ptr_min_max_vals()
    generally could break existing programs as there's a valid use
    case in tracing in combination with passing the ctx to helpers as
    bpf_probe_read(), where the register then becomes unknown at
    verification time due to adding a non-constant offset to it. An
    access sequence may look like the following:

      offset = args->filename;                          /* field __data_loc filename */
      bpf_probe_read(&dst, len, (char *)args + offset); // args is ctx

    There are two options: i) we could special case the ctx and as soon
    as we add a constant or bounded offset to it (hence ctx type wouldn't
    change) we could turn the ctx into an unknown scalar, or ii) we
    generalize the sanity test for ctx member access into a small helper
    and assert it on the ctx register that was passed as a function
    argument. Fwiw, latter is more obvious and less complex at the same
    time, and one case that may potentially be legitimate in future for
    ctx member access at least would be for ctx to carry a const offset.
    Therefore, fix follows approach from ii) and adds test cases to BPF
    kselftests.

    Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
    Reported-by: syzbot+3d0b2441dbb71751615e@syzkaller.appspotmail.com
    Reported-by: syzbot+c8504affd4fdd0c1b626@syzkaller.appspotmail.com
    Reported-by: syzbot+e5190cb881d8660fb1a3@syzkaller.appspotmail.com
    Reported-by: syzbot+efae31b384d5badbd620@syzkaller.appspotmail.com
    Signed-off-by: Daniel Borkmann
    Acked-by: Alexei Starovoitov
    Acked-by: Yonghong Song
    Acked-by: Edward Cree
    Signed-off-by: Alexei Starovoitov
    Signed-off-by: Greg Kroah-Hartman

 kernel/bpf/verifier.c                       | 45 ++++++++++++++--------
 tools/testing/selftests/bpf/test_verifier.c | 58 ++++++++++++++++++++++++++++-
 2 files changed, 87 insertions(+), 16 deletions(-)

culprit signature: 7e6bd2e5f6194adec742ba8f489ebcca0179e57945bd3c7f4bb12845245e69a5
parent  signature: 2807510b9fbac83de2337c1723532bdc84aed3e2c0db2f6c01cc3cda791621b9
revisions tested: 14, total time: 3h25m34.957167178s (build: 1h57m12.260211663s, test: 1h26m39.674061262s)
first good commit: 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82 bpf: reject passing modified ctx to helper functions
cc: ["ast@kernel.org" "daniel@iogearbox.net" "ecree@solarflare.com" "gregkh@linuxfoundation.org" "yhs@fb.com"]