Re: bpf: incorrect stack_depth after var off stack access causes OOB

On Tue, Nov 14, 2023 at 1:03 AM Andrei Matei <andreimatei1@xxxxxxxxx> wrote:
>
> I have sent https://lore.kernel.org/bpf/20231113235008.127238-1-andreimatei1@xxxxxxxxx/T/#u
> as a fix.
>
> Hao, thanks again for the report. For my edification, how did you get
> the KASAN bug report with your repro / which tree exactly were you
> running against and with what config? I've run your repro program in
> the VM created by vmtest.sh, with an added CONFIG_KASAN=y in the
> config, and I did not get the bug report in dmesg; I got nothing.
> However, if I change the variable offset bounds to be around 200 bytes
> instead of 12, then I do get a kernel panic because of a page fault.

I guess the key difference is that I do not use JIT (CONFIG_BPF_JIT=n).
With KASAN, the interpreter is instrumented for memory access checking,
but JITed eBPF programs are not, which is why you need to increase the
offset to trigger the page fault.

Here is my config: https://pastebin.com/raw/q170XGxd

Also, this bug can be exploited by users with CAP_PERFMON, and kernels
after v5.10.33 are all impacted. So we should CC stable kernel:

Cc: stable@xxxxxxxxxxxxxxx
