Re: [REPORT] BPF: Reproducible triggering of BUG() from userspace PoC

[Jiri Olsa]

On Wed, Nov 08, 2023 at 03:46:26PM +0000, Lee Jones wrote:
> Good afternoon,
> 
> After coming across a recent Syzkaller report [0] I thought I'd take
> some time to firstly reproduce the issue, then see if there was a
> trivial way to mitigate it.  The report suggests that a BUG() in
> prog_array_map_poke_run() [1] can be trivially and reliably triggered
> from userspace using the PoC provided [2].
> 
>         ret = bpf_arch_text_poke(poke->tailcall_bypass,
>                                  BPF_MOD_JUMP,
>                                  old_bypass_addr,
>                                  poke->bypass_addr);
>         BUG_ON(ret < 0 && ret != -EINVAL);
> 
> Indeed the PoC does seem to be able to consistently trigger the BUG(),
> not only on the reported kernel (v6.1), but also on linux-next.  I went
> to the trouble of checking LORE, but failed to find any patches which
> may be attempting to fix this.
> 
>     kernel BUG at kernel/bpf/arraymap.c:1094!
>     invalid opcode: 0000 [#1] PREEMPT SMP KASAN
>     CPU: 5 PID: 45 Comm: kworker/5:0 Not tainted 6.6.0-rc3-next-20230929-dirty #74
>     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
>     Workqueue: events prog_array_map_clear_deferred
>     RIP: 0010:prog_array_map_poke_run+0x6b4/0x6d0
>     Code: ff 0f 0b e8 1e 27 e1 ff 48 c7 c7 60 80 93 85 48 c7 c6 00 7f 93 85 48 c7 c2 bb c2 39 86 b9 45 04 00 00 45 89 f8 e8 9c 890
>     RSP: 0018:ffffc9000036fb50 EFLAGS: 00010246
>     RAX: 0000000000000044 RBX: ffff88811f337490 RCX: 63af48a1314f9900
>     RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
>     RBP: ffffc9000036fbe8 R08: ffffffff815c23c5 R09: 1ffff11084c14eba
>     R10: dfffe91084c14ebc R11: ffffed1084c14ebb R12: ffff888116517800
>     R13: dffffc0000000000 R14: ffff888125a1a400 R15: 00000000fffffff0
>     FS:  0000000000000000(0000) GS:ffff888426080000(0000) knlGS:0000000000000000
>     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>     CR2: 00000000004ab678 CR3: 0000000122ac4000 CR4: 0000000000350eb0
>     DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>     DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>     Call Trace:
>      <TASK>
>      ? __die_body+0x92/0xf0
>      ? die+0xa2/0xe0
>      ? do_trap+0x12f/0x370
>      ? handle_invalid_op+0xa6/0x140
>      ? handle_invalid_op+0xdf/0x140
>      ? prog_array_map_poke_run+0x6b4/0x6d0
>      ? prog_array_map_poke_run+0x6b4/0x6d0
>      ? exc_invalid_op+0x32/0x50
>      ? asm_exc_invalid_op+0x1b/0x20
>      ? __wake_up_klogd+0xd5/0x110
>      ? prog_array_map_poke_run+0x6b4/0x6d0
>      ? bpf_prog_6781ebc2dae4bad9+0xb/0x53
>      fd_array_map_delete_elem+0x152/0x250
>      prog_array_map_clear_deferred+0xf6/0x210
>      ? __bpf_array_map_seq_show+0xa40/0xa40
>      ? kick_pool+0x164/0x350
>      ? process_one_work+0x57a/0xd00
>      process_one_work+0x5e4/0xd00
>      worker_thread+0x9cf/0xea0
>      kthread+0x2b4/0x350
>      ? pr_cont_work+0x580/0x580
>      ? kthread_blkcg+0xd0/0xd0
>      ret_from_fork+0x4a/0x80
>      ? kthread_blkcg+0xd0/0xd0
>      ret_from_fork_asm+0x11/0x20
>      </TASK>
>     Modules linked in:
>     ---[ end trace 0000000000000000 ]---
> 
> However, with my very limited BPF subsystem knowledge I was unable to
> trivially fix the issue.  Hopefully some knowledgable person would be
> kind enough to provide me with some pointers.
> 
> bpf_arch_text_poke() seems to be returning -EBUSY due to a negative
> memcmp() result from [3].
> 
>         ret = -EBUSY;
>         mutex_lock(&text_mutex);
>         if (memcmp(ip, old_insn, X86_PATCH_SIZE)) {
>                 goto out;
>         [...]
> 
> When spitting out the memory at those locations, this is the result:
> 
>     ip:        e9 06 00 00 00
>     old_insn:  0f 1f 44 00 00
>     nop_insn:  0f 1f 44 00 00
> 
> As you can see, the information stored in 'ip' does not match that of
> the data stored in 'old_insn', causing bpf_arch_text_poke() to return
> early with the error -EBUSY, suggesting that the data pointed to by
> 'old_insn', and by extension 'prog' should have been changed when
> emit_call()ing, to the value of 'ip', but wasn't.

hi,
thanks for the report.. I can reproduce that easily with [2]

AFAICS it looks like previous update fails because we use bpf_arch_text_poke,
which can't find poke->tailcall_bypass value as bpf program symbol and fails
with -EINVAL

then the following update fails to find expected jmp/nop because it was never
updated.. I think we should use __bpf_arch_text_poke like we do in
bpf_tail_call_direct_fixup and skip the bpf symbol check

with the patch below I can't reproduce the issue anymore, I'll do some more
checking though

jirka


---
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
index 8c10d9abc239..35c2988caf29 100644
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -391,8 +391,8 @@ static int emit_jump(u8 **pprog, void *func, void *ip)
 	return emit_patch(pprog, func, ip, 0xE9);
 }
 
-static int __bpf_arch_text_poke(void *ip, enum bpf_text_poke_type t,
-				void *old_addr, void *new_addr)
+int __bpf_arch_text_poke(void *ip, enum bpf_text_poke_type t,
+			 void *old_addr, void *new_addr)
 {
 	const u8 *nop_insn = x86_nops[5];
 	u8 old_insn[X86_PATCH_SIZE];
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index eb84caf133df..0d7b8311fada 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -3172,6 +3172,8 @@ enum bpf_text_poke_type {
 
 int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type t,
 		       void *addr1, void *addr2);
+int __bpf_arch_text_poke(void *ip, enum bpf_text_poke_type t,
+			 void *old_addr, void *new_addr);
 
 void *bpf_arch_text_copy(void *dst, void *src, size_t len);
 int bpf_arch_text_invalidate(void *dst, size_t len);
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index 2058e89b5ddd..4ab5864746ce 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -1073,33 +1073,33 @@ static void prog_array_map_poke_run(struct bpf_map *map, u32 key,
 			new_addr = new ? (u8 *)new->bpf_func + poke->adj_off : NULL;
 
 			if (new) {
-				ret = bpf_arch_text_poke(poke->tailcall_target,
+				ret = __bpf_arch_text_poke(poke->tailcall_target,
 							 BPF_MOD_JUMP,
 							 old_addr, new_addr);
 				BUG_ON(ret < 0 && ret != -EINVAL);
 				if (!old) {
-					ret = bpf_arch_text_poke(poke->tailcall_bypass,
+					ret = __bpf_arch_text_poke(poke->tailcall_bypass,
 								 BPF_MOD_JUMP,
 								 poke->bypass_addr,
 								 NULL);
-					BUG_ON(ret < 0 && ret != -EINVAL);
+					BUG_ON(ret < 0);
 				}
 			} else {
-				ret = bpf_arch_text_poke(poke->tailcall_bypass,
+				ret = __bpf_arch_text_poke(poke->tailcall_bypass,
 							 BPF_MOD_JUMP,
 							 old_bypass_addr,
 							 poke->bypass_addr);
-				BUG_ON(ret < 0 && ret != -EINVAL);
+				BUG_ON(ret < 0);
 				/* let other CPUs finish the execution of program
 				 * so that it will not possible to expose them
 				 * to invalid nop, stack unwind, nop state
 				 */
 				if (!ret)
 					synchronize_rcu();
-				ret = bpf_arch_text_poke(poke->tailcall_target,
+				ret = __bpf_arch_text_poke(poke->tailcall_target,
 							 BPF_MOD_JUMP,
 							 old_addr, NULL);
-				BUG_ON(ret < 0 && ret != -EINVAL);
+				BUG_ON(ret < 0);
 			}
 		}
 	}