Re: [syzbot] [bpf?] KASAN: stack-out-of-bounds Read in hash
From: Hou Tao
Date: Sun Apr 07 2024 - 05:09:51 EST
Hi,
On 4/6/2024 9:44 PM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 443574b03387 riscv, bpf: Fix kfunc parameters incompatibil..
> git tree: bpf
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=148ad855180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
> dashboard link: https://syzkaller.appspot.com/bug?extid=9459b5d7fab774cf182f
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d86795180000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143eff76180000
According to the reproducer, it passes a big value_size (0xfffffe00)
when creating bloom filter map. The big value_size bypasses the check in
check_stack_access_within_bounds(). I think a proper fix needs to add
these following two checks:
(1) in check_stack_access_within_bounds() add check for negative
access_size
(2) in bloom_map_alloc() limit the max value of bloom_map_alloc().
Will post a patch to fix the syzbot report. Will also check whether or
not there are similar problems for other bpf maps.