Re: WARNING in bpf_check (2)

From: Edward Cree
Date: Thu Nov 15 2018 - 14:50:40 EST


On 15/11/18 07:49, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    ccda4af0f4b9 Linux 4.20-rc2
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=129edfbd400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4a0a89f12ca9b0f5
> dashboard link: https://syzkaller.appspot.com/bug?extid=4fc427c7af994b0948be
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=172b626d400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=148dcb0b400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+4fc427c7af994b0948be@xxxxxxxxxxxxxxxxxxxxxxxxx
I'm investigating this. So far I have disassembled the prog and reproduced
the failure by adding the following to test_verifier.c:
	{
		"syz found: explosion",
		.insns = {
			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
			/* insn 1: pseudo call, imm 5 -> subprog at insn 7 */
			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
			BPF_JMP_REG(BPF_JSGT, BPF_REG_0, BPF_REG_0, 0),
			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
			/* insn 4: pseudo call, imm 2 -> subprog at insn 7 */
			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
			BPF_EXIT_INSN(),
			/* insn 7: start of the subprog */
			BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
			BPF_MOV64_IMM(BPF_REG_0, 0),
			BPF_EXIT_INSN(),
		},
		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
		.result = ACCEPT,
	},
A subprog _does_ start at insn 7, and the verifier was happy with it until
jit_subprogs, suggesting that something has mangled env->subprog_info[].start
or else insns have been inserted but the call insns not adjusted.
The obvious suspect would be adjust_subprog_starts() and/or
bpf_patch_insn_data().

-Ed
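As an added illustration (not Ed's code and not the kernel's), here is a constructed user-space model of the two invariants the mail discusses: when an insn is expanded into several, every pseudo call that crosses the patch must be re-targeted and every subprog start after the patch must shift, or else the "call lands on a subprog start" check that jit_subprogs relies on fails. The `struct prog`, `patch_insn`, `calls_consistent` and the `starts[]` array standing in for `env->subprog_info[].start` are all assumptions of this model; the program layout is the one from the test_verifier.c entry above.

```c
#include <string.h>
#define OP_OTHER 0
#define OP_CALL  1  /* pseudo call: target = idx + 1 + rel, like insn->imm */

struct insn { int op; int rel; };
struct prog { struct insn insns[64]; int len; int starts[8]; int nsub; };

/* Constructed model of the mail's program: the calls at insns 1 and 4 both
 * target the subprog at insn 7; starts[] stands for subprog_info[].start. */
void build_mail_prog(struct prog *p)
{
    memset(p, 0, sizeof(*p));
    p->len = 11;
    p->insns[1] = (struct insn){OP_CALL, 5};  /* 1 + 1 + 5 == 7 */
    p->insns[4] = (struct insn){OP_CALL, 2};  /* 4 + 1 + 2 == 7 */
    p->starts[0] = 0; p->starts[1] = 7; p->nsub = 2;
}

/* Expand insn `off` into `n` insns. With fixup set, calls that cross the
 * patch are re-targeted and later subprog starts shifted (what
 * bpf_patch_insn_data/adjust_subprog_starts must do); without it the insns
 * move but the call targets and starts do not, as the mail suspects. */
void patch_insn(struct prog *p, int off, int n, int fixup)
{
    int delta = n - 1;
    for (int i = 0; fixup && i < p->len; i++) {
        int target = i + 1 + p->insns[i].rel;
        if (p->insns[i].op != OP_CALL) continue;
        if (i <= off && target > off) p->insns[i].rel += delta;
        else if (i > off && target <= off) p->insns[i].rel -= delta;
    }
    memmove(&p->insns[off + n], &p->insns[off + 1],
            (size_t)(p->len - off - 1) * sizeof(struct insn));
    memset(&p->insns[off + 1], 0, (size_t)delta * sizeof(struct insn));
    p->len += delta;
    for (int i = 0; fixup && i < p->nsub; i++)
        if (p->starts[i] > off) p->starts[i] += delta;
}

/* The invariant jit_subprogs relies on: every call lands on a subprog start. */
int calls_consistent(const struct prog *p)
{
    for (int i = 0; i < p->len; i++) {
        int target = i + 1 + p->insns[i].rel, hit = 0;
        if (p->insns[i].op != OP_CALL) continue;
        for (int j = 0; j < p->nsub; j++) hit |= p->starts[j] == target;
        if (!hit) return 0;
    }
    return 1;
}
```

Expanding insn 2 into three insns with fixup keeps both calls on the (now shifted) subprog start at insn 9; doing the same without fixup leaves the call that moved from insn 4 to insn 6 pointing at insn 9 while starts[] still says 7, which is exactly the mismatch the mail describes.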