On Thu, Jun 15, 2023 at 4:56 PM Florent Revest revest@chromium.org wrote:
When building a kernel with LLVM=1, LLVM_IAS=0 and CONFIG_KASAN=y, LLVM leaves DWARF tags for the "asan.module_ctor" & co symbols.
To be fair I can't tell if this is an LLVM bug. It's sort of curious that with LLVM_IAS=1, these debugging symbols are not kept and they are with LLVM_IAS=0 but I don't know what the expected behavior should be and how BTF should deal with it. I'll let people with more context comment on this! :)
An easy reproducer is:
$ touch pwet.c
$ clang -g -fsanitize=kernel-address -c -o pwet.o pwet.c $ llvm-dwarfdump pwet.o | grep module_ctor
$ clang -fno-integrated-as -g -fsanitize=kernel-address -c -o pwet.o pwet.c $ llvm-dwarfdump pwet.o | grep module_ctor DW_AT_name ("asan.module_ctor")
In a dramatic turn of event, this BTF verification failure can cause the netfilter_bpf initialization to fail, causing netfilter_core to free the netfilter_helper hashmap and netfilter_ftp to trigger a use-after-free. The risk of u-a-f in netfilter will be addressed separately
To be precise, I meant "netfilter conntrack".
I sent the following patch as a more targeted mitigation for the uaf https://lore.kernel.org/netfilter-devel/20230615152918.3484699-1-revest@chro...