Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[syzkaller] divide error in __tcp_select_window #121

Closed
cpaasch opened this issue Dec 7, 2020 · 3 comments
Closed

[syzkaller] divide error in __tcp_select_window #121

cpaasch opened this issue Dec 7, 2020 · 3 comments
Assignees
@pabeni
Labels
bug syzkaller

Comments

@cpaasch
Copy link
Member

cpaasch commented Dec 7, 2020
edited
Loading 

divide error: 0000 [#1] SMP KASAN
CPU: 1 PID: 7698 Comm: syz-executor.5 Not tainted 5.10.0-rc6 #51
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:__tcp_select_window+0x509/0xa60 net/ipv4/tcp_output.c:3008
Code: 44 89 ff e8 f9 72 a9 fe 45 39 e7 0f 8d 20 ff ff ff e8 cb 71 a9 fe 44 89 e3 e9 13 ff ff ff e8 be 71 a9 fe 44 89 e0 44 89 e3 99 <f7> 7c 24 04 29 d3 e9 fc fe ff ff e8 a7 71 a9 fe 44 89 f1 48 89 ea
RSP: 0018:ffffc90002a37668 EFLAGS: 00010216
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc9000484e000
RDX: 0000000000000000 RSI: ffffffff829138a2 RDI: 0000000000000004
RBP: 0000000000000000 R08: ffff888024d99880 R09: ffffed1004cf6442
R10: ffff8880267b220b R11: ffffed1004cf6441 R12: 0000000000000000
R13: 1ffff92000546ed1 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f3ef70fa700(0000) GS:ffff88811b300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f62422e5000 CR3: 00000001061d6004 CR4: 0000000000170ee0
Call Trace:
 tcp_cleanup_rbuf+0x37a/0x5a0 net/ipv4/tcp.c:1587
 mptcp_subflow_cleanup_rbuf+0xe2/0xf0 net/mptcp/protocol.c:454
 mptcp_cleanup_rbuf net/mptcp/protocol.c:476 [inline]
 mptcp_recvmsg+0x151c/0x20d0 net/mptcp/protocol.c:1954
 inet_recvmsg+0x4f3/0x660 net/ipv4/af_inet.c:851
 sock_recvmsg_nosec net/socket.c:885 [inline]
 sock_recvmsg_nosec net/socket.c:882 [inline]
 sock_recvmsg net/socket.c:903 [inline]
 ____sys_recvmsg+0x4b7/0x580 net/socket.c:2554
 ___sys_recvmsg+0xe4/0x150 net/socket.c:2596
 do_recvmmsg+0x24c/0x720 net/socket.c:2696
 __sys_recvmmsg+0x23e/0x250 net/socket.c:2775
 __do_sys_recvmmsg net/socket.c:2798 [inline]
 __se_sys_recvmmsg net/socket.c:2791 [inline]
 __x64_sys_recvmmsg+0xde/0x130 net/socket.c:2791
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f3ef6aae469
Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
RSP: 002b:00007f3ef70f9dc8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 000000000069c248 RCX: 00007f3ef6aae469
RDX: 0000000000000001 RSI: 0000000020000300 RDI: 0000000000000003
RBP: 000000000069c248 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000246 R12: 000000000069c254
R13: 00007ffd92946e8f R14: 000000000041e5bf R15: 0000000000000003
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 230e955b9624c013 ]---
RIP: 0010:__tcp_select_window+0x509/0xa60 net/ipv4/tcp_output.c:3008
Code: 44 89 ff e8 f9 72 a9 fe 45 39 e7 0f 8d 20 ff ff ff e8 cb 71 a9 fe 44 89 e3 e9 13 ff ff ff e8 be 71 a9 fe 44 89 e0 44 89 e3 99 <f7> 7c 24 04 29 d3 e9 fc fe ff ff e8 a7 71 a9 fe 44 89 f1 48 89 ea
RSP: 0018:ffffc90002a37668 EFLAGS: 00010216
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc9000484e000
RDX: 0000000000000000 RSI: ffffffff829138a2 RDI: 0000000000000004
RBP: 0000000000000000 R08: ffff888024d99880 R09: ffffed1004cf6442
R10: ffff8880267b220b R11: ffffed1004cf6441 R12: 0000000000000000
R13: 1ffff92000546ed1 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f3ef70fa700(0000) GS:ffff88811b300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f62422e5000 CR3: 00000001061d6004 CR4: 0000000000170ee0

Reproducer:

# {Threaded:false Collide:false Repeat:false RepeatTimes:0 Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false}
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
listen(r0, 0x7fffffff)
shutdown(r0, 0x1)
recvmmsg(r0, &(0x7f0000000300)=[{{0x0, 0x0, &(0x7f00000001c0)=[{&(0x7f00000000c0)=""/96, 0x60}], 0x1}}], 0x1, 0x100, 0x0)
open(0x0, 0x44242, 0x0)

212235f ("DO-NOT-MERGE: mptcp: enabled by default") (HEAD, tag: export/20201204T192621, mptcp_net-next/export) (3 days ago)
a86bbdf ("DO-NOT-MERGE: mptcp: add GitHub Actions") (3 days ago)
eb38849 ("DO-NOT-MERGE: mptcp: use kmalloc on kasan build") (3 days ago)
7e6ca7e ("mptcp: let MPTCP create max size skbs") (3 days ago)
cb4d5c2 ("mptcp: pm: simplify select_local_address()") (3 days ago)
aa1ec1a ("mptcp: parse and act on incoming FASTCLOSE option") (3 days ago)
f8f57f2 ("tcp: parse mptcp options contained in reset packets") (3 days ago)
cc6660c ("mptcp: hold mptcp socket before calling tcp_done") (3 days ago)
e07be7d ("mptcp: use MPTCPOPT_HMAC_LEN macro") (3 days ago)
8b88d3c ("selftests: mptcp: add the flush addrs testcase") (3 days ago)
c5e25c1 ("mptcp: remove address when netlink flushes addrs") (3 days ago)
4d220e7 ("mptcp: use the variable sk instead of open-coding") (3 days ago)
afcc1b0 ("mptcp: rename add_addr_signal and mptcp_add_addr_status") (3 days ago)
72d1f61 ("mptcp: drop rm_addr_signal flag") (3 days ago)
f51cdd6 ("mptcp: print out port and ahmac when receiving ADD_ADDR") (3 days ago)
3095efe ("mptcp: add port parameter for mptcp_pm_announce_addr") (3 days ago)
1beb716 ("mptcp: send out dedicated packet for ADD_ADDR using port") (3 days ago)
300711c ("mptcp: add the outgoing ADD_ADDR port support") (3 days ago)
f27ef3e ("mptcp: use adding up size to get ADD_ADDR length") (3 days ago)
45ae172 ("mptcp: add port support for ADD_ADDR suboption writing") (3 days ago)
64368db ("mptcp: unify ADD_ADDR and ADD_ADDR6 suboptions writing") (3 days ago)
f664b21 ("mptcp: unify ADD_ADDR and echo suboptions writing") (3 days ago)
0cd0f00 ("bpf:selftests: add bpf_mptcp_sock() verifier tests") (3 days ago)
32551f2 ("bpf:selftests: add MPTCP test base") (3 days ago)
2452ebf ("bpf: add 'bpf_mptcp_sock' structure and helper") (3 days ago)
5184888 ("mptcp: attach subflow socket to parent cgroup") (3 days ago)
3fb142d ("bpf: expose is_mptcp flag to bpf_tcp_sock") (3 days ago)
7b825c4 ("mptcp: be careful on subflows shutdown") (3 days ago)
a1cf928 ("mptcp: plug subflow context memory leak") (3 days ago)
8397c4e ("mptcp: link MPC subflow into msk only after accept") (3 days ago)
55fd59b ("Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net") (mptcp_net-next/net-next) (4 days ago)

@matttbe
Copy link
Member

matttbe commented Dec 8, 2020

It looks close to #111 but you already have the upstream fix for this one.

@cpaasch
Copy link
Member Author

cpaasch commented Dec 11, 2020

Update 12/11: Added reproducer

@matttbe
Copy link
Member

matttbe commented Jan 13, 2021

This should be fixed thanks to @pabeni 's patches (even if a minor extra fix is in preparation)

Also in our tree:

  • 0b6dd0e: mptcp: more strict state checking for acks
  • 5ad3c4e: mptcp: better msk-level shutdown.

@cpaasch please re-open it if the reproducer still has an issue with this one :) But please also note that the export branch should be updated in minimum ~1 hour (the job has been queued)

@matttbe matttbe closed this as completed Jan 13, 2021
matttbe pushed a commit that referenced this issue Jan 26, 2024
@chenhengqi @chenhuacai
LoongArch: BPF: Support 64-bit pointers to kfuncs
21c5ae5 
Like commit 1cf3bfc ("bpf: Support 64-bit pointers to kfuncs")
for s390x, add support for 64-bit pointers to kfuncs for LoongArch.
Since the infrastructure is already implemented in BPF core, the only
thing need to be done is to override bpf_jit_supports_far_kfunc_call().

Before this change, several test_verifier tests failed:

  # ./test_verifier | grep # | grep FAIL
  #119/p calls: invalid kfunc call: ptr_to_mem to struct with non-scalar FAIL
  #120/p calls: invalid kfunc call: ptr_to_mem to struct with nesting depth > 4 FAIL
  #121/p calls: invalid kfunc call: ptr_to_mem to struct with FAM FAIL
  #122/p calls: invalid kfunc call: reg->type != PTR_TO_CTX FAIL
  #123/p calls: invalid kfunc call: void * not allowed in func proto without mem size arg FAIL
  #124/p calls: trigger reg2btf_ids[reg->type] for reg->type > __BPF_REG_TYPE_MAX FAIL
  #125/p calls: invalid kfunc call: reg->off must be zero when passed to release kfunc FAIL
  #126/p calls: invalid kfunc call: don't match first member type when passed to release kfunc FAIL
  #127/p calls: invalid kfunc call: PTR_TO_BTF_ID with negative offset FAIL
  #128/p calls: invalid kfunc call: PTR_TO_BTF_ID with variable offset FAIL
  #129/p calls: invalid kfunc call: referenced arg needs refcounted PTR_TO_BTF_ID FAIL
  #130/p calls: valid kfunc call: referenced arg needs refcounted PTR_TO_BTF_ID FAIL
  #486/p map_kptr: ref: reference state created and released on xchg FAIL

This is because the kfuncs in the loaded module are far away from
__bpf_call_base:

  ffff800002009440 t bpf_kfunc_call_test_fail1    [bpf_testmod]
  9000000002e128d8 T __bpf_call_base

The offset relative to __bpf_call_base does NOT fit in s32, which breaks
the assumption in BPF core. Enable bpf_jit_supports_far_kfunc_call() lifts
this limit.

Note that to reproduce the above result, tools/testing/selftests/bpf/config
should be applied, and run the test with JIT enabled, unpriv BPF enabled.

With this change, the test_verifier tests now all passed:

  # ./test_verifier
  ...
  Summary: 777 PASSED, 0 SKIPPED, 0 FAILED

Tested-by: Tiezhu Yang <[email protected]>
Signed-off-by: Hengqi Chen <[email protected]>
Signed-off-by: Huacai Chen <[email protected]>
matttbe pushed a commit that referenced this issue Jan 14, 2025
@dTenebrae @davem330
pktgen: Avoid out-of-bounds access in get_imix_entries
76201b5 
Passing a sufficient amount of imix entries leads to invalid access to the
pkt_dev->imix_entries array because of the incorrect boundary check.

UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24
index 20 is out of range for type 'imix_pkt [20]'
CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
<TASK>
dump_stack_lvl lib/dump_stack.c:117
__ubsan_handle_out_of_bounds lib/ubsan.c:429
get_imix_entries net/core/pktgen.c:874
pktgen_if_write net/core/pktgen.c:1063
pde_write fs/proc/inode.c:334
proc_reg_write fs/proc/inode.c:346
vfs_write fs/read_write.c:593
ksys_write fs/read_write.c:644
do_syscall_64 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 52a62f8 ("pktgen: Parse internet mix (imix) input")
Signed-off-by: Artem Chernyshev <[email protected]>
[ fp: allow to fill the array completely; minor changelog cleanup ]
Signed-off-by: Fedor Pchelkin <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pabeni pabeni

Labels
bug syzkaller
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cpaasch @matttbe @pabeni