bpf_map_lookup_elem: BUG: unable to handle kernel paging request
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Invalid | Medium | Unassigned |
Xenial | Fix Released | High | Seth Forshee |
Bug Description
SRU Justification
Impact: Some unfortunate timing between the fix for CVE-2017-17862 being backported and some updates from upstream stable resulted in us not having some hunks from the CVE patch. This is causing oopses (see below).
Fix: Add in the missing hunks from the CVE patch.
Test case: See test results in comment #4.
Regression potential: This just updates the code to match the upstream patch, which has been upstream for months, so regression potential should be low.
---
Hey,
we are currently debugging an issue with Scope [1] where the initialization of the used tcptracer-bpf [2] leads to a kernel oops at the first call of `bpf_map_
Example:
```
[ 58.763045] BUG: unable to handle kernel paging request at 000000003c0c41a8
[ 58.846450] IP: [<ffffffff8117c
[ 58.909436] PGD 800000003be04067 PUD 3bea1067 PMD 0
[ 58.914876] Oops: 0000 [#1] SMP
[ 58.915581] Modules linked in: ipt_MASQUERADE nf_nat_
[ 59.678145] CPU: 1 PID: 1810 Comm: scope Not tainted 4.4.0-119-generic #143-Ubuntu
[ 59.790501] Hardware name: innotek GmbH VirtualBox/
[ 59.846405] task: ffff88003ae23800 ti: ffff880022c84000 task.ti: ffff880022c84000
[ 60.000524] RIP: 0010:[<
[ 60.178029] RSP: 0018:ffff880022
[ 60.257957] RAX: ffffffff8117cd70 RBX: ffffc9000022f090 RCX: 0000000000000000
[ 60.350704] RDX: 0000000000000000 RSI: ffff880022c87ba8 RDI: 000000003c0c4180
[ 60.449182] RBP: ffff880022c87be8 R08: 0000000000000000 R09: 0000000000000800
[ 60.547638] R10: ffff88003ae23800 R11: ffff88003ca12e10 R12: 0000000000000000
[ 60.570757] R13: ffff88003c601200 R14: ffff88003fd10020 R15: ffff880022c87d10
[ 60.678811] FS: 00007f95ba37270
[ 60.778636] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 60.866380] CR2: 000000003c0c41a8 CR3: 000000003aeae000 CR4: 0000000000060670
[ 60.963736] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 61.069195] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 61.187006] Stack:
[ 61.189256] ffff880022c87be8 ffffffff81177411 0000000000000000 0000000000000001
[ 61.253133] 000000003c0c4180 ffff880022c87ba8 0000000000000000 0000000000000000
[ 61.345334] 0000000000000000 ffff880022c87d10 0000000000000000 0000000000000001
[ 61.459069] Call Trace:
[ 61.505273] [<ffffffff81177
[ 61.625511] [<ffffffff810b7
[ 61.741423] [<ffffffff810b7
[ 61.837892] [<ffffffff8184b
[ 61.941349] [<ffffffff8184b
[ 62.073874] [<ffffffff8184b
[ 62.185260] [<ffffffff8184b
[ 62.186239] [<ffffffff8184b
[ 62.305193] [<ffffffff8184b
[ 62.399854] [<ffffffff8184b
[ 62.406219] [<ffffffff8184b
[ 62.407994] [<ffffffff8184b
[ 62.410491] [<ffffffff8184b
[ 62.431220] [<ffffffff8184b
[ 62.497078] [<ffffffff8184b
[ 62.559245] [<ffffffff8184b
[ 62.661493] [<ffffffff8184b
[ 62.712927] [<ffffffff8184b
[ 62.799216] [<ffffffff8116c
[ 62.881570] [<ffffffff8116c
[ 62.977365] [<ffffffff810ac
[ 62.981405] [<ffffffff810cd
[ 63.092978] [<ffffffff8116e
[ 63.184696] [<ffffffff81792
[ 63.260350] [<ffffffff81061
[ 63.275694] [<ffffffff81792
[ 63.278202] [<ffffffff81145
[ 63.289826] [<ffffffffc0005
[ 63.291573] [<ffffffff81792
[ 63.299743] [<ffffffff81792
[ 63.301658] [<ffffffff81792
[ 63.340651] [<ffffffff817bb
[ 63.440655] [<ffffffff81792
[ 63.549368] [<ffffffff817bb
[ 63.655199] [<ffffffff817ec
[ 63.657005] [<ffffffff81723
[ 63.658693] [<ffffffff81723
[ 63.660735] [<ffffffff81216
[ 63.662210] [<ffffffff81216
[ 63.664371] [<ffffffff810a1
[ 63.667217] [<ffffffff81003
[ 63.669889] [<ffffffff81003
[ 63.673627] [<ffffffff8184f
[ 63.704763] Code: 41 be 01 00 00 00 e8 fa bd ff ff 49 89 c5 eb 94 e8 f0 14 0a 00 4c 89 eb e9 e2 fe ff ff e8 a3 60 f0 ff 0f 1f 00 0f 1f 44 00 00 55 <48> 8b 47 28 48 89 e5 48 8b 40 18 e8 8a 83 6d 00 5d c3 0f 1f 84
[ 63.900088] RIP [<ffffffff8117c
[ 63.903014] RSP <ffff880022c87960>
[ 63.905151] CR2: 000000003c0c41a8
[ 63.906757] ---[ end trace dc24e8c214caa65b ]---
```
git bisect points to commit 68dd63b26223
We tested with a simple kprobe that counts read syscalls and can reproduce the bug.
```
#include <linux/kconfig.h>
#include <linux/bpf.h>
#include <linux/ptrace.h>
#include "bpf_helpers.h" /* SEC(), struct bpf_map_def and helper prototypes (tcptracer-bpf style header) */

typedef unsigned long long u64;

struct bpf_map_def SEC("maps/count") count = {
	.type = BPF_MAP_TYPE_HASH,
	.key_size = sizeof(__u32),
	.value_size = sizeof(__u64),
	.max_entries = 1, /* not in the posted snippet; a hash map with 0 entries fails to create */
	.map_flags = 0,
};

char _license[] SEC("license") = "GPL";

/* The kprobe target was truncated in the report; KPROBE_TARGET is a placeholder for the read-syscall symbol. */
SEC("kprobe/KPROBE_TARGET")
int kprobe(struct pt_regs *ctx)
{
	u64 *count_ptr = NULL;
	u64 zero = 0, one = 1, current_count = 1;

	/* first map access: this is the call that oopses on the affected kernel */
	count_ptr = bpf_map_lookup_elem(&count, &zero);
	if (count_ptr != NULL) {
		/* branch bodies were lost in the report; counting logic reconstructed from "counts read syscalls" */
		current_count = *count_ptr + 1;
		bpf_map_update_elem(&count, &zero, &current_count, BPF_ANY);
	} else {
		bpf_map_update_elem(&count, &zero, &one, BPF_ANY);
	}
	return 0;
}
```
You can find our test program here: https:/
```
while true; do echo hello; sleep 1; done & # make sure there are read syscalls done
./oops
```
[1] https:/
[2] https:/
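The register dump in the oops above carries the triage evidence that the truncated stack trace does not: CR2 (0x3c0c41a8) is RDI (0x3c0c4180) plus 0x28, and the bytes at the `<48>` marker of the `Code:` line, `48 8b 47 28`, decode to `mov 0x28(%rdi),%rax`, so the kernel loaded a field through a low, user-half value in the first-argument register. The script below is an added example, not code from the reporter, Scope, tcptracer-bpf or Ubuntu: it parses an x86_64 oops into a record, buckets the faulting address by canonical-address range, decodes the page-fault error code, and reports which general-purpose register sits just below the faulting address (the likely base of the bad load). The sample input is constructed from the untruncated lines of this report; the address-range constants assume x86_64 with 4-level paging, and the one-page `max_offset` window is an assumed heuristic.

```python
"""x86_64 kernel oops triage: parse the header and register dump, classify the fault.
Added example; constants assume x86_64 with 4-level paging."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PAGE_SIZE = 0x1000
USER_HALF_END = 0x0000_8000_0000_0000      # first non-canonical address (47-bit user VA)
KERNEL_HALF_START = 0xFFFF_8000_0000_0000  # lowest canonical kernel address

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # "[   58.763045] " dmesg timestamp prefix
BUG_RE = re.compile(r"BUG: unable to handle kernel (.+?) at (\S+)")
OOPS_RE = re.compile(r"Oops: ([0-9a-f]{4}) \[#(\d+)\]")
CPU_RE = re.compile(r"CPU: (\d+) PID: (\d+) Comm: (.+?) (Not tainted|Tainted: .+?) (\S+) #(\S+)$")
CR2_RE = re.compile(r"\bCR2: ([0-9a-f]{16})")
GPR_RE = re.compile(r"\b(RAX|RBX|RCX|RDX|RSI|RDI|RBP|R08|R09|R1[0-5]): ([0-9a-f]{16})")

# Constructed sample: the untruncated header and register lines of the oops in this report.
SAMPLE_OOPS = """\
[ 58.763045] BUG: unable to handle kernel paging request at 000000003c0c41a8
[ 58.909436] PGD 800000003be04067 PUD 3bea1067 PMD 0
[ 58.914876] Oops: 0000 [#1] SMP
[ 59.678145] CPU: 1 PID: 1810 Comm: scope Not tainted 4.4.0-119-generic #143-Ubuntu
[ 60.257957] RAX: ffffffff8117cd70 RBX: ffffc9000022f090 RCX: 0000000000000000
[ 60.350704] RDX: 0000000000000000 RSI: ffff880022c87ba8 RDI: 000000003c0c4180
[ 60.449182] RBP: ffff880022c87be8 R08: 0000000000000000 R09: 0000000000000800
[ 60.547638] R10: ffff88003ae23800 R11: ffff88003ca12e10 R12: 0000000000000000
[ 60.570757] R13: ffff88003c601200 R14: ffff88003fd10020 R15: ffff880022c87d10
[ 60.866380] CR2: 000000003c0c41a8 CR3: 000000003aeae000 CR4: 0000000000060670
"""


@dataclass
class Oops:
    reason: Optional[str] = None       # e.g. "paging request", "NULL pointer dereference"
    fault_addr: Optional[int] = None   # address quoted on the BUG: line
    cr2: Optional[int] = None          # faulting linear address from the register dump
    error_code: Optional[int] = None   # page-fault error code from "Oops: NNNN"
    pid: Optional[int] = None
    comm: Optional[str] = None
    taint: Optional[str] = None
    kernel: Optional[str] = None
    regs: Dict[str, int] = field(default_factory=dict)


def _parse_addr(token: str) -> int:
    # NULL-pointer oopses print "(null)" instead of a hex address
    try:
        return int(token, 16)
    except ValueError:
        return 0


def classify_address(addr: int) -> str:
    """Bucket a faulting address by x86_64 canonical-address ranges."""
    if addr < PAGE_SIZE:
        return "null-page"      # NULL plus a small struct offset
    if addr < USER_HALF_END:
        return "user-half"      # kernel dereferenced a low address: a non-pointer value used as one
    if addr < KERNEL_HALF_START:
        return "non-canonical"  # corrupted or partially overwritten pointer
    return "kernel-half"        # plausible kernel pointer that is nonetheless unmapped, e.g. freed memory


def decode_error_code(code: int) -> Dict[str, bool]:
    """Decode the three low bits of the x86 page-fault error code."""
    return {"protection": bool(code & 1),  # 0 = page not present, 1 = protection violation
            "write": bool(code & 2),       # 0 = read access, 1 = write access
            "user": bool(code & 4)}        # 0 = fault in kernel mode, 1 = in user mode


def parse_oops(text: str) -> Oops:
    o = Oops()
    for raw in text.splitlines():
        line = TS_RE.sub("", raw.strip())
        m = BUG_RE.search(line)
        if m:
            o.reason, o.fault_addr = m.group(1), _parse_addr(m.group(2))
        m = OOPS_RE.search(line)
        if m:
            o.error_code = int(m.group(1), 16)
        m = CPU_RE.search(line)
        if m:
            o.pid, o.comm, o.taint, o.kernel = int(m.group(2)), m.group(3), m.group(4), m.group(5)
        m = CR2_RE.search(line)
        if m:
            o.cr2 = int(m.group(1), 16)
        for name, val in GPR_RE.findall(line):
            o.regs[name] = int(val, 16)
    return o


def base_register_candidates(o: Oops, max_offset: int = PAGE_SIZE) -> List[Tuple[str, int]]:
    """Registers whose value lies at most max_offset below the fault address: likely base of the bad load."""
    target = o.cr2 if o.cr2 is not None else o.fault_addr
    if target is None:
        return []
    hits = [(name, target - val) for name, val in o.regs.items() if 0 <= target - val < max_offset]
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    o = parse_oops(SAMPLE_OOPS)
    print(f"{o.comm}[{o.pid}] on {o.kernel}: {o.reason} at {o.cr2:#x} ({classify_address(o.cr2)})")
    print("error code:", decode_error_code(o.error_code))
    print("base register candidates:", [(r, hex(off)) for r, off in base_register_candidates(o)])
```

Run against the sample, the script reports a user-half fault, a kernel-mode read of a not-present page, and RDI + 0x28 as the only register/offset pair within a page of CR2, which is what a reader recovers by hand from the `Code:` line; on a fresh oops the same output narrows the problem to "which pointer was in the first argument register" before any symbol resolution is done.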
CVE References
Changed in linux (Ubuntu): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Xenial): | |
status: | New → Incomplete |
importance: | Undecided → Medium |
status: | Incomplete → Triaged |
Changed in linux (Ubuntu): | |
status: | Incomplete → Triaged |
Changed in linux (Ubuntu Xenial): | |
assignee: | nobody → Seth Forshee (sforshee) |
Changed in linux (Ubuntu Xenial): | |
importance: | Medium → High |
Changed in linux (Ubuntu): | |
status: | Triaged → Invalid |
Changed in linux (Ubuntu Xenial): | |
status: | Triaged → Fix Committed |
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1763454
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.