bisecting fixing commit since 43598c571e7ed29e4c81e35b4a870fe6b9f8d58e
building syzkaller on 598ca6c8b8766304c3b2865e38f5f301c39bd299
testing commit 43598c571e7ed29e4c81e35b4a870fe6b9f8d58e with gcc (GCC) 8.1.0
kernel signature: 9f7dce502c7b0f837d67d9e420afab6a0100c584f4fd7b352d92be048e14671f
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #1: crashed: KASAN: use-after-free Read in bpf_skb_change_head
run #2: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #3: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #5: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #7: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #8: crashed: KASAN: use-after-free Read in bpf_skb_change_head
run #9: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
testing current HEAD 8bac50406cca10a219aa899243d49c57ddaf7c5b
testing commit 8bac50406cca10a219aa899243d49c57ddaf7c5b with gcc (GCC) 8.1.0
kernel signature: 4df86b629e039fa238d13a5f974bf243a56dbebe7645a32c67eb4d041a06fdff
all runs: OK
# git bisect start 8bac50406cca10a219aa899243d49c57ddaf7c5b 43598c571e7ed29e4c81e35b4a870fe6b9f8d58e
Bisecting: 647 revisions left to test after this (roughly 9 steps)
[f780a35182bf0c37668f734d2bbf8e5dd63d8713] quota: Check that quota is not dirty before release
testing commit f780a35182bf0c37668f734d2bbf8e5dd63d8713 with gcc (GCC) 8.1.0
kernel signature: 0d98fc4b273680c9a7f138c01deff034e438a7de44ca471c9ddfcaf1e8c1d6ff
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #1: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #2: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #3: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #5: crashed: general protection fault in bpf_skb_change_head
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #7: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #8: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #9: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
# git bisect good f780a35182bf0c37668f734d2bbf8e5dd63d8713
Bisecting: 323 revisions left to test after this (roughly 8 steps)
[7b296da1aca79471cbcc022b2e71efd65ab0eacd] vti: do not confirm neighbor when do pmtu update
testing commit 7b296da1aca79471cbcc022b2e71efd65ab0eacd with gcc (GCC) 8.1.0
kernel signature: 37e14edbcfec67c7a547a8bbc85a5d7edd7677a7f9a53ab6e9557e9c7b8d4b5e
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #1: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #2: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #3: crashed: KASAN: use-after-free Read in bpf_skb_change_head
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #5: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #7: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #8: crashed: KASAN: use-after-free Read in bpf_skb_change_head
run #9: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
# git bisect good 7b296da1aca79471cbcc022b2e71efd65ab0eacd
Bisecting: 161 revisions left to test after this (roughly 7 steps)
[b095f9e2e8ea53c4830ba81183a3ce8721aea0ce] usb: musb: fix idling for suspend after disconnect interrupt
testing commit b095f9e2e8ea53c4830ba81183a3ce8721aea0ce with gcc (GCC) 8.1.0
kernel signature: d2525d6f0886340f3ecc275a1f982a92373c03069af908f5b8d2a99e02f2761e
all runs: OK
# git bisect bad b095f9e2e8ea53c4830ba81183a3ce8721aea0ce
Bisecting: 80 revisions left to test after this (roughly 6 steps)
[c8b4d608f6efb84b12d9e98d0aed33676f893363] perf/x86/intel/bts: Fix the use of page_private()
testing commit c8b4d608f6efb84b12d9e98d0aed33676f893363 with gcc (GCC) 8.1.0
kernel signature: dc26d76b15bdd62aca5667385b2b869011493420581bdbf81854b96e5faebf16
run #0: crashed: general protection fault in bpf_skb_change_head
run #1: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #2: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #3: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #5: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #7: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #8: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #9: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
# git bisect good c8b4d608f6efb84b12d9e98d0aed33676f893363
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[1051a28b7255e6624d379f2bd45713352f9470cf] hv_netvsc: Fix unwanted rx_table reset
testing commit 1051a28b7255e6624d379f2bd45713352f9470cf with gcc (GCC) 8.1.0
kernel signature: 93967fdfeb6c600193d97f75f875c54e0ed444eb0cd50aba6f4d247788146cf5
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
# git bisect good 1051a28b7255e6624d379f2bd45713352f9470cf
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[36821b48f5203d5490349e514c2774ff9784bebc] vxlan: fix tos value before xmit
testing commit 36821b48f5203d5490349e514c2774ff9784bebc with gcc (GCC) 8.1.0
kernel signature: c6b6fb322305adef82b420968fdcdf1c0f508cf42b120637d4d07ffbfeb7a77e
all runs: OK
# git bisect bad 36821b48f5203d5490349e514c2774ff9784bebc
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[4a953272f2d2db63bba97137b64b3f1770634e00] macvlan: do not assume mac_header is set in macvlan_broadcast()
testing commit 4a953272f2d2db63bba97137b64b3f1770634e00 with gcc (GCC) 8.1.0
kernel signature: 13243e1dda4f9817a4c020778d07823661d91361df62f2149163fe46d5c5d688
all runs: OK
# git bisect bad 4a953272f2d2db63bba97137b64b3f1770634e00
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[ae4e8ce0d86159bbba7cfaa44f6276d38b1f2200] mmc: block: Delete mmc_access_rpmb()
testing commit ae4e8ce0d86159bbba7cfaa44f6276d38b1f2200 with gcc (GCC) 8.1.0
kernel signature: ba12430fc84b1d1fff93df6f95aa59b35b35090f599984dd463531fb7f4f8e0f
all runs: OK
# git bisect bad ae4e8ce0d86159bbba7cfaa44f6276d38b1f2200
Bisecting: 2 revisions left to test after this (roughly 1 step)
[b454ac1b22af130c6fb8d34c344a98339f1cea9a] bpf: Fix passing modified ctx to ld/abs/ind instruction
testing commit b454ac1b22af130c6fb8d34c344a98339f1cea9a with gcc (GCC) 8.1.0
kernel signature: 6db0abcaae8884ab849e44ef87e702d08ac90b97ab3014fa3d85a71c4ef2075a
all runs: OK
# git bisect bad b454ac1b22af130c6fb8d34c344a98339f1cea9a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82] bpf: reject passing modified ctx to helper functions
testing commit 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82 with gcc (GCC) 8.1.0
kernel signature: 1bbb003a59b287b8298bba365cb39fae6c1942a3df5a5c3042a290280f1ad109
all runs: OK
# git bisect bad 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82
7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82 is the first bad commit
commit 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82
Author: Daniel Borkmann
Date:   Thu Jun 7 17:40:03 2018 +0200

    bpf: reject passing modified ctx to helper functions

    commit 58990d1ff3f7896ee341030e9a7c2e4002570683 upstream.

    As commit 28e33f9d78ee ("bpf: disallow arithmetic operations on context
    pointer") already describes, f1174f77b50c ("bpf/verifier: rework value
    tracking") removed the specific white-listed cases we had previously where
    we would allow for pointer arithmetic in order to further generalize it,
    and allow e.g. context access via modified registers. While the
    dereferencing of modified context pointers had been forbidden through
    28e33f9d78ee, syzkaller did recently manage to trigger several KASAN splats
    for slab out of bounds access and use after frees by simply passing a
    modified context pointer to a helper function which would then do the bad
    access since verifier allowed it in adjust_ptr_min_max_vals().

    Rejecting arithmetic on ctx pointer in adjust_ptr_min_max_vals() generally
    could break existing programs as there's a valid use case in tracing in
    combination with passing the ctx to helpers as bpf_probe_read(), where the
    register then becomes unknown at verification time due to adding a
    non-constant offset to it. An access sequence may look like the following:

      offset = args->filename;  /* field __data_loc filename */
      bpf_probe_read(&dst, len, (char *)args + offset); // args is ctx

    There are two options: i) we could special case the ctx and as soon as we
    add a constant or bounded offset to it (hence ctx type wouldn't change) we
    could turn the ctx into an unknown scalar, or ii) we generalize the sanity
    test for ctx member access into a small helper and assert it on the ctx
    register that was passed as a function argument. Fwiw, latter is more
    obvious and less complex at the same time, and one case that may
    potentially be legitimate in future for ctx member access at least would be
    for ctx to carry a const offset. Therefore, fix follows approach from ii)
    and adds test cases to BPF kselftests.

    Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
    Reported-by: syzbot+3d0b2441dbb71751615e@syzkaller.appspotmail.com
    Reported-by: syzbot+c8504affd4fdd0c1b626@syzkaller.appspotmail.com
    Reported-by: syzbot+e5190cb881d8660fb1a3@syzkaller.appspotmail.com
    Reported-by: syzbot+efae31b384d5badbd620@syzkaller.appspotmail.com
    Signed-off-by: Daniel Borkmann
    Acked-by: Alexei Starovoitov
    Acked-by: Yonghong Song
    Acked-by: Edward Cree
    Signed-off-by: Alexei Starovoitov
    Signed-off-by: Greg Kroah-Hartman

 kernel/bpf/verifier.c                       | 45 ++++++++++++++--------
 tools/testing/selftests/bpf/test_verifier.c | 58 ++++++++++++++++++++++++++++-
 2 files changed, 87 insertions(+), 16 deletions(-)

culprit signature: 1bbb003a59b287b8298bba365cb39fae6c1942a3df5a5c3042a290280f1ad109
parent signature: 93967fdfeb6c600193d97f75f875c54e0ed444eb0cd50aba6f4d247788146cf5
revisions tested: 12, total time: 3h9m30.090149075s (build: 1h40m30.054907063s, test: 1h27m48.993377077s)
first good commit: 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82 bpf: reject passing modified ctx to helper functions
cc: ["ast@kernel.org" "daniel@iogearbox.net" "ecree@solarflare.com" "gregkh@linuxfoundation.org" "yhs@fb.com"]