On Thu, Jun 15, 2023 at 4:56 PM Florent Revest <revest@xxxxxxxxxxxx> wrote:
>
> When building a kernel with LLVM=1, LLVM_IAS=0 and CONFIG_KASAN=y, LLVM
> leaves DWARF tags for the "asan.module_ctor" & co symbols.
To be fair I can't tell if this is an LLVM bug. It's sort of curious
that with LLVM_IAS=1, these debugging symbols are not kept and they
are with LLVM_IAS=0 but I don't know what the expected behavior should
be and how BTF should deal with it. I'll let people with more context
comment on this! :)
An easy reproducer is:
$ touch pwet.c
$ clang -g -fsanitize=kernel-address -c -o pwet.o pwet.c
$ llvm-dwarfdump pwet.o | grep module_ctor
$ clang -fno-integrated-as -g -fsanitize=kernel-address -c -o pwet.o pwet.c
$ llvm-dwarfdump pwet.o | grep module_ctor
DW_AT_name ("asan.module_ctor")
> In a dramatic turn of event, this BTF verification failure can cause
> the netfilter_bpf initialization to fail, causing netfilter_core to
> free the netfilter_helper hashmap and netfilter_ftp to trigger a
> use-after-free. The risk of u-a-f in netfilter will be addressed
> separately
To be precise, I meant "netfilter conntrack".
I sent the following patch as a more targeted mitigation for the uaf
https://lore.kernel.org/netfilter-devel/20230615152918.3484699-1-revest@xxxxxxxxxxxx/T/#u
