[bpf-next,v1,0/2] bpf: Fix array bounds error with may_goto and add selftest

Message ID 20250212135251.85487-1-mrpre@163.com

Jiayuan Chen Feb. 12, 2025, 1:52 p.m. UTC
Syzbot caught an array out-of-bounds bug [1]. It turns out that when the
BPF program runs through do_misc_fixups(), it allocates an extra 8 bytes
on the call stack, which eventually causes stack_depth to exceed 512.

I was able to reproduce this issue probabilistically by enabling
CONFIG_UBSAN=y and disabling CONFIG_BPF_JIT_ALWAYS_ON with the selftest
I provide in the second patch (although it doesn't happen every time - I didn't
dig deeper into why UBSAN behaves this way).

To fix this, I came up with three possible solutions:
1. Run check_max_stack_depth() again after do_misc_fixups(), but I don't
think it's fair to make users pay for the extra stack overhead caused by
our optimization. Especially when users write assembly code that directly
allocates 512 bytes (like my selftest), it's gonna fail and leave them
confused.

2. Force JIT when using may_goto, but that's not ideal if we want may_goto
to work with both interpreters and JIT.

3. Simply extend interpreters, which seems like the most reasonable
approach to me. And if I had to choose a second best, it would be option 1.


[1] https://syzkaller.appspot.com/bug?extid=d2a2c639d03ac200a4f1
---
Jiayuan Chen (2):
  bpf: Fix array bounds error with may_goto
  bpf/selftest: add selftest for may_goto

 kernel/bpf/core.c                             | 11 +++++--
 .../selftests/bpf/progs/verifier_stack_ptr.c  | 33 +++++++++++++++++++
 2 files changed, 41 insertions(+), 3 deletions(-)