linux/tools/testing/selftests/bpf
Daniel Borkmann 6e6fddc783 bpf: fix panic due to oob in bpf_prog_test_run_skb
syzkaller triggered several panics similar to the below:

  [...]
  [  248.851531] BUG: KASAN: use-after-free in _copy_to_user+0x5c/0x90
  [  248.857656] Read of size 985 at addr ffff8808017ffff2 by task a.out/1425
  [...]
  [  248.865902] CPU: 1 PID: 1425 Comm: a.out Not tainted 4.18.0-rc4+ #13
  [  248.865903] Hardware name: Supermicro SYS-5039MS-H12TRF/X11SSE-F, BIOS 2.1a 03/08/2018
  [  248.865905] Call Trace:
  [  248.865910]  dump_stack+0xd6/0x185
  [  248.865911]  ? show_regs_print_info+0xb/0xb
  [  248.865913]  ? printk+0x9c/0xc3
  [  248.865915]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
  [  248.865919]  print_address_description+0x6f/0x270
  [  248.865920]  kasan_report+0x25b/0x380
  [  248.865922]  ? _copy_to_user+0x5c/0x90
  [  248.865924]  check_memory_region+0x137/0x190
  [  248.865925]  kasan_check_read+0x11/0x20
  [  248.865927]  _copy_to_user+0x5c/0x90
  [  248.865930]  bpf_test_finish.isra.8+0x4f/0xc0
  [  248.865932]  bpf_prog_test_run_skb+0x6a0/0xba0
  [...]

After scrubbing the BPF prog a bit from the noise, turns out it called
bpf_skb_change_head() for the lwt_xmit prog with headroom of 2. Nothing
wrong in that, however, this was run with repeat >> 0 in bpf_prog_test_run_skb()
and the same skb thus keeps changing until the pskb_expand_head() called
from skb_cow() keeps bailing out in atomic alloc context with -ENOMEM.
So upon return we'll basically have 0 headroom left yet blindly do the
__skb_push() of 14 bytes and keep copying data from there in bpf_test_finish()
out of bounds. Fix to check if we have enough headroom and if pskb_expand_head()
fails, bail out with error.

Another bug independent of this fix (but related in triggering above) is
that BPF_PROG_TEST_RUN should be reworked to reset the skb/xdp buffer to
its original state from input as otherwise repeating the same test in a
loop won't work for benchmarking when underlying input buffer is getting
changed by the prog each time and reused for the next run leading to
unexpected results.

Fixes: 1cf1cae963 ("bpf: introduce BPF_PROG_TEST_RUN command")
Reported-by: syzbot+709412e651e55ed96498@syzkaller.appspotmail.com
Reported-by: syzbot+54f39d6ab58f39720a55@syzkaller.appspotmail.com
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2018-07-11 16:10:57 -07:00
..
gnu selftests/bpf: get rid of -D__x86_64__ 2017-05-03 09:51:25 -04:00
include/uapi/linux License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
.gitignore tools/bpf: add a selftest for bpf_get_current_cgroup_id() helper 2018-06-03 18:22:41 -07:00
bpf_endian.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
bpf_helpers.h tools/bpf: sync uapi bpf.h for bpf_get_current_cgroup_id() helper 2018-06-03 18:22:41 -07:00
bpf_rand.h bpf: add ld64 imm test cases 2018-05-14 19:11:45 -07:00
bpf_rlimit.h bpf: unify rlimit handling in selftests 2018-02-26 20:11:23 -08:00
bpf_util.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cgroup_helpers.c tools/bpf: add a selftest for bpf_get_current_cgroup_id() helper 2018-06-03 18:22:41 -07:00
cgroup_helpers.h tools/bpf: add a selftest for bpf_get_current_cgroup_id() helper 2018-06-03 18:22:41 -07:00
config selftests: bpf: add missing NET_SCHED to config 2018-06-26 12:05:40 +02:00
connect4_prog.c selftests/bpf: Selftest for sys_connect hooks 2018-03-31 02:16:14 +02:00
connect6_prog.c selftests/bpf: Selftest for sys_connect hooks 2018-03-31 02:16:14 +02:00
dev_cgroup.c selftests/bpf: add a test for device cgroup controller 2017-11-05 23:26:51 +09:00
get_cgroup_id_kern.c tools/bpf: fix selftest get_cgroup_id_user 2018-06-08 00:10:07 +02:00
get_cgroup_id_user.c tools/bpf: fix selftest get_cgroup_id_user 2018-06-08 00:10:07 +02:00
Makefile selftests: bpf: fix urandom_read build issue 2018-06-11 12:55:56 +02:00
sample_map_ret0.c selftest/bpf: extend the offload test with map checks 2018-01-18 22:54:26 +01:00
sample_ret0.c selftests/bpf: add offload test based on netdevsim 2017-12-03 00:27:58 +01:00
sendmsg4_prog.c selftests/bpf: Selftest for sys_sendmsg hooks 2018-05-28 17:41:05 +02:00
sendmsg6_prog.c selftests/bpf: Selftest for sys_sendmsg hooks 2018-05-28 17:41:05 +02:00
sockmap_parse_prog.c bpf: add map tests for BPF_PROG_TYPE_SK_MSG 2018-03-19 21:14:39 +01:00
sockmap_tcp_msg_prog.c bpf: add map tests for BPF_PROG_TYPE_SK_MSG 2018-03-19 21:14:39 +01:00
sockmap_verdict_prog.c bpf: add map tests for BPF_PROG_TYPE_SK_MSG 2018-03-19 21:14:39 +01:00
tcp_client.py bpf: add selftest for tcpbpf 2018-01-25 16:41:15 -08:00
tcp_server.py bpf: add selftest for tcpbpf 2018-01-25 16:41:15 -08:00
test_adjust_tail.c bpf: adding tests for bpf_xdp_adjust_tail 2018-04-18 23:34:17 +02:00
test_align.c bpf: unify rlimit handling in selftests 2018-02-26 20:11:23 -08:00
test_btf_haskv.c bpf: btf: Add BTF tests 2018-04-19 21:47:42 +02:00
test_btf_nokv.c bpf: btf: Add BTF tests 2018-04-19 21:47:42 +02:00
test_btf.c bpf: btf: Ensure t->type == 0 for BTF_KIND_FWD 2018-06-02 11:22:36 -07:00
test_dev_cgroup.c bpf: unify rlimit handling in selftests 2018-02-26 20:11:23 -08:00
test_get_stack_rawtp.c tools/bpf: add a test for bpf_get_stack with raw tracepoint prog 2018-04-29 08:45:54 -07:00
test_iptunnel_common.h selftests/bpf: add a test for basic XDP functionality 2017-04-01 12:45:57 -07:00
test_kmod.sh selftests: bpf: notification about privilege required to run test_kmod.sh testing script 2018-06-22 00:30:02 +02:00
test_l4lb_noinline.c selftests/bpf: add bpf_call test 2017-12-17 20:34:36 +01:00
test_l4lb.c bpf: Move endianness BPF helpers out of bpf_util.h 2017-05-01 12:43:49 -07:00
test_libbpf_open.c selftests/bpf: add test program for loading BPF ELF files 2018-02-09 00:24:38 +01:00
test_libbpf.sh selftests/bpf: add selftest that use test_libbpf_open 2018-02-09 00:25:12 +01:00
test_lirc_mode2_kern.c bpf: add selftest for lirc_mode2 type program 2018-05-30 12:40:14 +02:00
test_lirc_mode2_user.c bpf: add selftest for lirc_mode2 type program 2018-05-30 12:40:14 +02:00
test_lirc_mode2.sh selftests: bpf: notification about privilege required to run test_lirc_mode2.sh testing script 2018-06-26 12:15:28 +02:00
test_lpm_map.c bpf: unify rlimit handling in selftests 2018-02-26 20:11:23 -08:00
test_lru_map.c bpf: unify rlimit handling in selftests 2018-02-26 20:11:23 -08:00
test_lwt_seg6local.c selftests/bpf: test for seg6local End.BPF action 2018-05-24 11:57:36 +02:00
test_lwt_seg6local.sh selftests: bpf: notification about privilege required to run test_lwt_seg6local.sh testing script 2018-06-26 12:16:36 +02:00
test_maps.c bpf: add map tests for BPF_PROG_TYPE_SK_MSG 2018-03-19 21:14:39 +01:00
test_obj_id.c bpf: Fix test_obj_id.c for llvm 5.0 2017-06-09 15:15:11 -04:00
test_offload.py selftests/bpf: test offloads even with BPF programs present 2018-06-15 03:13:17 +02:00
test_pkt_access.c selftests/bpf: fix broken build due to types.h 2017-05-17 18:45:14 -04:00
test_pkt_md_access.c bpf: fix selftest/bpf/test_pkt_md_access on s390x 2017-08-07 10:06:27 -07:00
test_progs.c tools/bpf: add two BPF_TASK_FD_QUERY tests in test_progs 2018-05-24 18:18:20 -07:00
test_sock_addr.c selftests/bpf: Selftest for sys_sendmsg hooks 2018-05-28 17:41:05 +02:00
test_sock_addr.sh tools/bpf: fix test_sock and test_sock_addr.sh failure 2018-04-19 00:16:37 +02:00
test_sock.c tools/bpf: fix test_sock and test_sock_addr.sh failure 2018-04-19 00:16:37 +02:00
test_sockhash_kern.c bpf: selftest additions for SOCKHASH 2018-05-16 22:00:12 +02:00
test_sockmap_kern.c bpf: selftest additions for SOCKHASH 2018-05-16 22:00:12 +02:00
test_sockmap_kern.h bpf: selftest additions for SOCKHASH 2018-05-16 22:00:12 +02:00
test_sockmap.c tools/bpf: fix test_sockmap failure 2018-06-22 00:31:42 +02:00
test_stacktrace_build_id.c tools/bpf: add a test for bpf_get_stack with tracepoint prog 2018-04-29 08:45:54 -07:00
test_stacktrace_map.c tools/bpf: add a test for bpf_get_stack with tracepoint prog 2018-04-29 08:45:54 -07:00
test_tag.c bpf: unify rlimit handling in selftests 2018-02-26 20:11:23 -08:00
test_tcp_estats.c selftests/bpf: add a test case to check verifier pointer arithmetic 2017-05-03 09:51:25 -04:00
test_tcpbpf_kern.c selftests/bpf: tcpbpf_kern: use in6_* macros from glibc 2018-02-22 01:19:37 +01:00
test_tcpbpf_user.c bpf: unify rlimit handling in selftests 2018-02-26 20:11:23 -08:00
test_tcpbpf.h bpf: add selftest for tcpbpf 2018-01-25 16:41:15 -08:00
test_tracepoint.c bpf/tracing: add a bpf test for new ioctl query interface 2017-12-12 08:46:40 -08:00
test_tunnel_kern.c selftests/bpf: bpf tunnel test. 2018-04-27 00:11:14 +02:00
test_tunnel.sh bpf, selftests: delete xfrm tunnel when test exits. 2018-06-15 03:31:52 +02:00
test_verifier_log.c bpf: unify rlimit handling in selftests 2018-02-26 20:11:23 -08:00
test_verifier.c bpf: fix panic due to oob in bpf_prog_test_run_skb 2018-07-11 16:10:57 -07:00
test_xdp_meta.c bpf: improve selftests and add tests for meta pointer 2017-09-26 13:36:44 -07:00
test_xdp_meta.sh tools/bpf: fix batch-mode test failure of test_xdp_redirect.sh 2018-02-06 11:34:42 +01:00
test_xdp_noinline.c selftests/bpf: add xdp noinline test 2017-12-17 20:34:36 +01:00
test_xdp_redirect.c selftests: bpf: add a test for XDP redirect 2017-08-08 18:12:50 -07:00
test_xdp_redirect.sh tools/bpf: fix batch-mode test failure of test_xdp_redirect.sh 2018-02-06 11:34:42 +01:00
test_xdp.c selftests: bpf: Use bpf_endian.h in test_xdp.c 2017-05-02 07:52:01 -07:00
trace_helpers.c tools/bpf: add ksym_get_addr() in trace_helpers 2018-05-24 18:18:20 -07:00
trace_helpers.h tools/bpf: add ksym_get_addr() in trace_helpers 2018-05-24 18:18:20 -07:00
urandom_read.c bpf: add selftest for stackmap with build_id in NMI context 2018-05-14 23:29:45 +02:00