On Tue, Nov 14, 2023 at 1:03 AM Andrei Matei <andreimatei1@xxxxxxxxx> wrote: > > I have sent https://lore.kernel.org/bpf/20231113235008.127238-1-andreimatei1@xxxxxxxxx/T/#u > as a fix. > > Hao, thanks again for the report. For my edification, how did you get > the KASAN bug report with your repro / which tree exactly were you > running against and with what config? I've run your repro program in > the VM created by vmtest.sh, with an added CONFIG_KASAN=y in the > config, and I did not get the bug report in dmesg; I got nothing. > However, if I change the variable offset bounds to be around 200 bytes > instead of 12, then I do get a kernel panic because of a page fault. I guess the key difference is that I do not use JIT (CONFIG_BPF_JIT=n). With KASAN, the interpreter is instrumented for memory access checking, but JITed eBPF programs will not, that's why you need to increase the off to trigger the page fault. Here is my config: https://pastebin.com/raw/q170XGxd Also, this bug can be exploited by users with CAP_PERFMON, and kernels after v5.10.33 are all impacted. So we should CC stable kernel: Cc: stable@xxxxxxxxxxxxxxx