bpf redirect bug found by KASAN: use-after-free read (8 bytes) in ip_finish_output2 (net/ipv4/ip_output.c:222, via skbuff.h/ip.h/route.h inline helpers) on Linux 6.1.38, reached from a raw-socket sendmsg() issued by `ping` (ip_push_pending_frames → ip_output → ip_finish_output2). The trace below contains no BPF frames itself; the "bpf redirect" attribution is the reporter's, presumably meaning the skb was consumed by a redirect earlier on the xmit path and then touched again by the caller — confirm against the kernel source before relying on it.
[ 59.517224][ T938] ================================================================== | |
[ 59.518510][ T938] BUG: KASAN: use-after-free in ip_finish_output2 (./include/linux/skbuff.h:2837 ./include/linux/ip.h:21 ./include/net/route.h:400 net/ipv4/ip_output.c:222) | |
[ 59.519682][ T938] Read of size 8 at addr ffff888007e1d848 by task ping/938 | |
[ 59.520753][ T938] | |
[ 59.521088][ T938] CPU: 0 PID: 938 Comm: ping Not tainted 6.1.38 #7 | |
[ 59.521693][ T938] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 | |
[ 59.522070][ T938] Call Trace: | |
[ 59.522207][ T938] <TASK> | |
[ 59.522332][ T938] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) | |
[ 59.522525][ T938] print_report (mm/kasan/report.c:285 mm/kasan/report.c:395) | |
[ 59.522718][ T938] ? __virt_addr_valid (./include/linux/mmzone.h:1759 ./include/linux/mmzone.h:1855 arch/x86/mm/physaddr.c:65) | |
[ 59.522929][ T938] ? ip_finish_output2 (./include/linux/skbuff.h:2837 ./include/linux/ip.h:21 ./include/net/route.h:400 net/ipv4/ip_output.c:222) | |
[ 59.523144][ T938] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497) | |
[ 59.523333][ T938] ? ip_finish_output2 (./include/linux/skbuff.h:2837 ./include/linux/ip.h:21 ./include/net/route.h:400 net/ipv4/ip_output.c:222) | |
[ 59.523549][ T938] ip_finish_output2 (./include/linux/skbuff.h:2837 ./include/linux/ip.h:21 ./include/net/route.h:400 net/ipv4/ip_output.c:222) | |
[ 59.523757][ T938] ? get_random_u32 (./arch/x86/include/asm/irqflags.h:137 (discriminator 21) drivers/char/random.c:513 (discriminator 21)) | |
[ 59.523962][ T938] ? ip_fraglist_init (net/ipv4/ip_output.c:195) | |
[ 59.524173][ T938] ? ip_skb_dst_mtu (./include/net/lwtunnel.h:105 ./include/net/ip.h:490 ./include/net/ip.h:478) | |
[ 59.524375][ T938] ip_output (net/ipv4/ip_output.c:422) | |
[ 59.524554][ T938] ? ip_finish_output (net/ipv4/ip_output.c:422) | |
[ 59.524825][ T938] ? icmp_out_count (net/ipv4/icmp.c:337) | |
[ 59.525202][ T938] ? __ip_make_skb (net/ipv4/ip_output.c:1482 net/ipv4/ip_output.c:1587) | |
[ 59.525453][ T938] ? raw_destroy (net/ipv4/raw.c:441) | |
[ 59.525688][ T938] ip_push_pending_frames (./include/net/dst.h:444 net/ipv4/ip_output.c:126 net/ipv4/ip_output.c:1596 net/ipv4/ip_output.c:1616) | |
[ 59.525990][ T938] raw_sendmsg (net/ipv4/raw.c:648) | |
[ 59.526233][ T938] ? raw_recvmsg (net/ipv4/raw.c:471) | |
[ 59.526500][ T938] ? prepare_creds (kernel/cred.c:261) | |
[ 59.526744][ T938] ? kasan_save_stack (mm/kasan/common.c:47) | |
[ 59.526999][ T938] ? kasan_save_stack (mm/kasan/common.c:46) | |
[ 59.527254][ T938] ? kasan_set_track (mm/kasan/common.c:52) | |
[ 59.527506][ T938] ? try_charge_memcg (./arch/x86/include/asm/irqflags.h:137 mm/memcontrol.c:2240 mm/memcontrol.c:2642) | |
[ 59.527775][ T938] ? mem_cgroup_handle_over_high (mm/memcontrol.c:2629) | |
[ 59.528089][ T938] ? mod_objcg_state (./arch/x86/include/asm/irqflags.h:137 mm/memcontrol.c:3213) | |
[ 59.528346][ T938] ? find_mergeable_anon_vma (mm/mmap.c:1093 mm/mmap.c:1123 mm/mmap.c:1159) | |
[ 59.528639][ T938] ? cgroup_rstat_updated (kernel/cgroup/rstat.c:42) | |
[ 59.528919][ T938] ? __mod_memcg_lruvec_state (mm/memcontrol.c:613 mm/memcontrol.c:799) | |
[ 59.529214][ T938] ? check_stack_object (./include/linux/sched/task_stack.h:21 mm/usercopy.c:38) | |
[ 59.529475][ T938] ? inet_send_prepare (net/ipv4/af_inet.c:815) | |
[ 59.529737][ T938] ? inet_send_prepare (net/ipv4/af_inet.c:824) | |
[ 59.530003][ T938] ? sock_sendmsg (net/socket.c:716 net/socket.c:736) | |
[ 59.530242][ T938] sock_sendmsg (net/socket.c:716 net/socket.c:736) | |
[ 59.530495][ T938] __sys_sendto (net/socket.c:2117) | |
[ 59.530731][ T938] ? __x64_sys_getpeername (net/socket.c:2087) | |
[ 59.531006][ T938] ? copy_page_range (mm/memory.c:5028) | |
[ 59.531273][ T938] ? handle_mm_fault (mm/memory.c:5166 mm/memory.c:5255) | |
[ 59.531530][ T938] ? preempt_count_sub (kernel/sched/core.c:5731) | |
[ 59.531787][ T938] ? up_read (./arch/x86/include/asm/preempt.h:103 kernel/locking/rwsem.c:1356 kernel/locking/rwsem.c:1616) | |
[ 59.532000][ T938] ? __audit_syscall_entry (kernel/auditsc.c:2041) | |
[ 59.532284][ T938] __x64_sys_sendto (net/socket.c:2125) | |
[ 59.532528][ T938] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) | |
[ 59.532759][ T938] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) | |
[ 59.533148][ T938] RIP: 0033:0x7fb4091fa973 | |
[ 59.533488][ T938] Code: 8b 15 91 74 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 80 3d 71 fc 0c 00 00 41 89 ca 74 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 55 48 83 ec 30 44 89 4c 24 | |
All code | |
======== | |
0: 8b 15 91 74 0c 00 mov 0xc7491(%rip),%edx # 0xc7497 | |
6: f7 d8 neg %eax | |
8: 64 89 02 mov %eax,%fs:(%rdx) | |
b: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax | |
12: eb b8 jmp 0xffffffffffffffcc | |
14: 0f 1f 00 nopl (%rax) | |
17: 80 3d 71 fc 0c 00 00 cmpb $0x0,0xcfc71(%rip) # 0xcfc8f | |
1e: 41 89 ca mov %ecx,%r10d | |
21: 74 14 je 0x37 | |
23: b8 2c 00 00 00 mov $0x2c,%eax | |
28: 0f 05 syscall | |
2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction | |
30: 77 75 ja 0xa7 | |
32: c3 ret | |
33: 0f 1f 40 00 nopl 0x0(%rax) | |
37: 55 push %rbp | |
38: 48 83 ec 30 sub $0x30,%rsp | |
3c: 44 rex.R | |
3d: 89 .byte 0x89 | |
3e: 4c rex.WR | |
3f: 24 .byte 0x24 | |
Code starting with the faulting instruction | |
=========================================== | |
0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax | |
6: 77 75 ja 0x7d | |
8: c3 ret | |
9: 0f 1f 40 00 nopl 0x0(%rax) | |
d: 55 push %rbp | |
e: 48 83 ec 30 sub $0x30,%rsp | |
12: 44 rex.R | |
13: 89 .byte 0x89 | |
14: 4c rex.WR | |
15: 24 .byte 0x24 |