general protection fault in bpf_check/do_misc_fixups

From: xingwei lee
Date: Thu Mar 21 2024 - 05:52:57 EST


Hello I found a bug titled "general protection fault in bpf_check"
with modified syzkaller, and maybe it is related to net/bpf.
I also confirmed in the latest net/bpf/bpf-next tree.

If you fix this issue, please add the following tag to the commit:
Reported-by: xingwei lee <xrivendell7@xxxxxxxxx>
Reported-by: yue sun <samsun1006219@xxxxxxxxx>

kernel: bpf-next cc9b22dfa735800980e7362f02aff6f1c2280996
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=9f47e8dfa53b0b11
with KASAN enabled
compiler: gcc (Debian 12.2.0-14) 12.2.0

[ 413.543678][ T8244] general protection fault, probably for
non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
NOPTI
[ 413.546252][ T8244] KASAN: null-ptr-deref in range
[0x0000000000000030-0x0000000000000037]
[ 413.547723][ T8244] CPU: 0 PID: 8244 Comm: 477 Not tainted
6.8.0-05230-g114b5b3b4bde #5
[ 413.549221][ T8244] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.16.2-1.fc38 04/01/2014
[ 413.550994][ T8244] RIP: 0010:do_misc_fixups+0xf58/0x5610
[ 413.552073][ T8244] Code: 8d bd 08 01 00 00 48 89 f8 48 c1 e8 03 42
80 3c 28 00 0f 85 60 32 00 00 48 8b ad 08 01 00 00 48 8d 7d 30 48 89
f8 48f
[ 413.555539][ T8244] RSP: 0018:ffffc9000e17f538 EFLAGS: 00010216
[ 413.556688][ T8244] RAX: 0000000000000006 RBX: ffffc9000219e05a
RCX: ffffffff81a6bda1
[ 413.558131][ T8244] RDX: ffff88801f339ec0 RSI: ffffffff81a6b296
RDI: 0000000000000030
[ 413.559606][ T8244] RBP: 0000000000000000 R08: 0000000000000005
R09: 0000000000000001
[ 413.561027][ T8244] R10: 0000000000010000 R11: ffff8880296fd66c
R12: 0000000000010000
[ 413.562467][ T8244] R13: dffffc0000000000 R14: 0000000000000002
R15: ffffc9000219e058
[ 413.563913][ T8244] FS: 0000000017f1a380(0000)
GS:ffff8880b9200000(0000) knlGS:0000000000000000
[ 413.565538][ T8244] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 413.566730][ T8244] CR2: 0000000020000300 CR3: 0000000020f26000
CR4: 0000000000750ef0
[ 413.568167][ T8244] PKRU: 55555554
[ 413.568869][ T8244] Call Trace:
[ 413.569513][ T8244] <TASK>
[ 413.570058][ T8244] ? show_regs+0x97/0xa0
[ 413.570867][ T8244] ? die_addr+0x56/0xe0
[ 413.571654][ T8244] ? exc_general_protection+0x155/0x230
[ 413.572715][ T8244] ? asm_exc_general_protection+0x26/0x30
[ 413.573792][ T8244] ? do_misc_fixups+0x1a01/0x5610
[ 413.574744][ T8244] ? do_misc_fixups+0xef6/0x5610
[ 413.575684][ T8244] ? do_misc_fixups+0xf58/0x5610
[ 413.576630][ T8244] ? do_misc_fixups+0xef6/0x5610
[ 413.577586][ T8244] ? kvfree+0x50/0x60
[ 413.578371][ T8244] ? __kasan_slab_free+0x11d/0x1a0
[ 413.579349][ T8244] ? kfree+0x129/0x370
[ 413.580148][ T8244] ? __x64_sys_bpf+0x7d/0xc0
[ 413.581034][ T8244] ? __pfx_do_misc_fixups+0x10/0x10
[ 413.582047][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.583165][ T8244] ? __sanitizer_cov_trace_switch+0x54/0x90
[ 413.584336][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.585458][ T8244] ? convert_ctx_accesses+0x1275/0x1860
[ 413.586560][ T8244] ? __pfx_convert_ctx_accesses+0x10/0x10
[ 413.587658][ T8244] ? __pfx_check_max_stack_depth_subprog+0x10/0x10
[ 413.588909][ T8244] ? kvfree+0x50/0x60
[ 413.589714][ T8244] bpf_check+0x38a5/0xb3b0
[ 413.590651][ T8244] ? pcpu_memcg_post_alloc_hook+0x260/0x6f0
[ 413.591807][ T8244] ? __pfx_bpf_check+0x10/0x10
[ 413.592767][ T8244] ? find_held_lock+0x2d/0x110
[ 413.593752][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.594898][ T8244] ? bpf_prog_load+0xe3c/0x27e0
[ 413.595900][ T8244] ? __pfx_lock_release+0x10/0x10
[ 413.596947][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.598122][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.599280][ T8244] ? __pfx___might_resched+0x10/0x10
[ 413.600306][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.601402][ T8244] ? ktime_get_with_offset+0x326/0x560
[ 413.602469][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.603551][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.604659][ T8244] bpf_prog_load+0xf3b/0x27e0
[ 413.605595][ T8244] ? __pfx_bpf_prog_load+0x10/0x10
[ 413.606583][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.607669][ T8244] ? find_held_lock+0x2d/0x110
[ 413.608610][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.609786][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.610878][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.611964][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.613106][ T8244] __sys_bpf+0xa17/0x4ef0
[ 413.614002][ T8244] ? __pfx___sys_bpf+0x10/0x10
[ 413.614957][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.616043][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.617128][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.618211][ T8244] ? find_held_lock+0x2d/0x110
[ 413.619173][ T8244] ? __pfx___up_read+0x10/0x10
[ 413.620107][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.621230][ T8244] ? handle_mm_fault+0x541/0xab0
[ 413.622251][ T8244] __x64_sys_bpf+0x7d/0xc0
[ 413.623117][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.624208][ T8244] ? lockdep_hardirqs_on+0x7c/0x110
[ 413.625212][ T8244] do_syscall_64+0xd5/0x260
[ 413.626098][ T8244] entry_SYSCALL_64_after_hwframe+0x6d/0x75

=* repro.c =*
#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

int main(void) {
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);

*(uint32_t*)0x20000300 = 0x18;
*(uint32_t*)0x20000304 = 4;
*(uint64_t*)0x20000308 = 0x200000c0;
memcpy((void*)0x200000c0,
"\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xbf"
"\x02\x01\x00\x00\x00\x01\x00\x95",
25);
*(uint64_t*)0x20000310 = 0x20000000;
memcpy((void*)0x20000000, "syzkaller\000", 10);
*(uint32_t*)0x20000318 = 2;
*(uint32_t*)0x2000031c = 0;
*(uint64_t*)0x20000320 = 0;
*(uint32_t*)0x20000328 = 0;
*(uint32_t*)0x2000032c = 0;
memset((void*)0x20000330, 0, 16);
*(uint32_t*)0x20000340 = 0;
*(uint32_t*)0x20000344 = 0;
*(uint32_t*)0x20000348 = -1;
*(uint32_t*)0x2000034c = 8;
*(uint64_t*)0x20000350 = 0;
*(uint32_t*)0x20000358 = 0;
*(uint32_t*)0x2000035c = 0x10;
*(uint64_t*)0x20000360 = 0;
*(uint32_t*)0x20000368 = 0;
*(uint32_t*)0x2000036c = 0;
*(uint32_t*)0x20000370 = 0;
*(uint32_t*)0x20000374 = 0;
*(uint64_t*)0x20000378 = 0;
*(uint64_t*)0x20000380 = 0;
*(uint32_t*)0x20000388 = 0x10;
*(uint32_t*)0x2000038c = 0;
syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000300ul, /*size=*/0x90ul);
return 0;
}

=* repro.txt =*
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000300)={0x18, 0x4,
&(0x7f00000000c0)=ANY=[@ANYBLOB="18000000000000000000000000ffffffbf0201000000010095"],
&(0x7f0000000000)='syzkaller\x00', 0x2}, 0x90)

see aslo https://gist.github.com/xrivendell7/22f4cb7e2a991946919aa94ae1418f17.

I hope it helps.
best regards.
xingwei Lee