Re: KASAN: use-after-free Read in ___bpf_prog_run

From: Yonghong Song
Date: Sat Dec 17 2022 - 11:57:49 EST

Next message: Borislav Petkov: "[PATCH] x86/tsc: Make recalibrate_cpu_khz() export GPL only"
Previous message: Péter Ujfalusi: "Re: [PATCH v3 0/5] dmaengine: Add support for AM62A SoC DMAs"
In reply to: Hao Sun: "Re: KASAN: use-after-free Read in ___bpf_prog_run"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 12/16/22 10:54 PM, Hao Sun wrote:

On 17 Dec 2022, at 1:07 PM, Yonghong Song <yhs@xxxxxxxx> wrote:

On 12/14/22 11:49 PM, Hao Sun wrote:

Hi,
The following KASAN report can be triggered by loading and test
running this simple BPF prog with a random data/ctx:
0: r0 = bpf_get_current_task_btf ;
R0_w=trusted_ptr_task_struct(off=0,imm=0)
1: r0 = *(u32 *)(r0 +8192) ;
R0_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff))
2: exit
I've simplified the C reproducer but didn't find the root cause.
JIT was disabled, and the interpreter triggered UAF when executing
the load insn. A slab-out-of-bound read can also be triggered:
https://pastebin.com/raw/g9zXr8jU
This can be reproduced on:
HEAD commit: b148c8b9b926 selftests/bpf: Add few corner cases to test
padding handling of btf_dump
git tree: bpf-next
console log: https://pastebin.com/raw/1EUi9tJe
kernel config: https://pastebin.com/raw/rgY3AJDZ
C reproducer: https://pastebin.com/raw/cfVGuCBm

I I tried with your above kernel config and C reproducer and cannot reproduce the kasan issue you reported.

[root@arch-fb-vm1 bpf-next]# ./a.out
func#0 @0
0: R1=ctx(off=0,imm=0) R10=fp0
0: (85) call bpf_get_current_task_btf#158 ; R0_w=trusted_ptr_task_struct(off=0,imm=0)
1: (61) r0 = *(u32 *)(r0 +8192) ; R0_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff))
2: (95) exit
processed 3 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0

prog fd: 3
[root@arch-fb-vm1 bpf-next]#

Your config indeed has kasan on.

Hi,

I can still reproduce this on a latest bpf-next build: 0e43662e61f25
(“tools/resolve_btfids: Use pkg-config to locate libelf”).
The simplified C reproducer sometime need to be run twice to trigger
the UAF. Also note that interpreter is required. Here is the original
C reproducer that loads and runs the BPF prog continuously for your
convenience:
https://pastebin.com/raw/WSJuNnVU

I still cannot reproduce with more than 10 runs. The config has jit off so it already uses interpreter. It has kasan on as well.
# CONFIG_BPF_JIT is not set

Since you can reproduce it, I guess it would be great if you can continue to debug this.

==================================================================
BUG: KASAN: use-after-free in ___bpf_prog_run+0x7f35/0x8fd0
kernel/bpf/core.c:1937
Read of size 4 at addr ffff88801f1f2000 by task a.out/7137
CPU: 3 PID: 7137 Comm: a.out Not tainted
6.1.0-rc8-02212-gef3911a3e4d6-dirty #137
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux
1.16.1-1-1 04/01/2014
Call Trace:

[...]

Next message: Borislav Petkov: "[PATCH] x86/tsc: Make recalibrate_cpu_khz() export GPL only"
Previous message: Péter Ujfalusi: "Re: [PATCH v3 0/5] dmaengine: Add support for AM62A SoC DMAs"
In reply to: Hao Sun: "Re: KASAN: use-after-free Read in ___bpf_prog_run"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]