Function prior to fuzzing:
0000000000000000 <bind_test_callee13>: ; bind_test_callee9(): ; E:\ebpf\tests\sample\tail_call_max_exceed.c:98 ; DEFINE_BIND_TAIL_FUNC(13) 0: bf 16 00 00 00 00 00 00 r6 = r1 1: b7 07 00 00 0a 00 00 00 r7 = 10 2: 6b 7a fc ff 00 00 00 00 *(u16 *)(r10 - 4) = r7 3: b7 01 00 00 20 25 64 5d r1 = 1566844192 4: 63 1a f8 ff 00 00 00 00 *(u32 *)(r10 - 8) = r1 5: 18 01 00 00 2c 20 5b 78 00 00 00 00 2b 31 20 3d r1 = 4404574498340937772 ll 7: 7b 1a f0 ff 00 00 00 00 *(u64 *)(r10 - 16) = r1 8: 18 01 00 00 5b 78 20 3d 00 00 00 00 20 25 64 5d r1 = 6729544563593082971 ll 10: 7b 1a e8 ff 00 00 00 00 *(u64 *)(r10 - 24) = r1 11: 18 01 00 00 6c 20 69 6e 00 00 00 00 64 65 78 20 r1 = 2339731488442490988 ll 13: 7b 1a e0 ff 00 00 00 00 *(u64 *)(r10 - 32) = r1 14: 18 01 00 00 74 61 69 6c 00 00 00 00 20 63 61 6c r1 = 7809632219746099572 ll 16: 7b 1a d8 ff 00 00 00 00 *(u64 *)(r10 - 40) = r1 17: 18 01 00 00 43 61 6c 6c 00 00 00 00 69 6e 67 20 r1 = 2334956330884555075 ll 19: 7b 1a d0 ff 00 00 00 00 *(u64 *)(r10 - 48) = r1 20: bf a1 00 00 00 00 00 00 r1 = r10 21: 07 01 00 00 d0 ff ff ff r1 += -48 ; E:\ebpf\tests\sample\tail_call_max_exceed.c:98 ; DEFINE_BIND_TAIL_FUNC(13) 22: b7 02 00 00 2e 00 00 00 r2 = 46 23: b7 03 00 00 0d 00 00 00 r3 = 13 24: b7 04 00 00 0e 00 00 00 r4 = 14 25: 85 00 00 00 0e 00 00 00 call 14 26: bf 61 00 00 00 00 00 00 r1 = r6 27: 18 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r2 = 0 ll 29: b7 03 00 00 0e 00 00 00 r3 = 14 30: 85 00 00 00 05 00 00 00 call 5 31: 65 00 11 00 ff ff ff ff if r0 s> -1 goto +17 <LBB13_2> 32: 6b 7a ec ff 00 00 00 00 *(u16 *)(r10 - 20) = r7 33: b7 01 00 00 78 20 25 64 r1 = 1680154744 34: 63 1a e8 ff 00 00 00 00 *(u32 *)(r10 - 24) = r1 35: 18 01 00 00 20 61 74 20 00 00 00 00 69 6e 64 65 r1 = 7306085893296906528 ll 37: 7b 1a e0 ff 00 00 00 00 *(u64 *)(r10 - 32) = r1 38: 18 01 00 00 6c 20 66 61 00 00 00 00 69 6c 65 64 r1 = 7234307576302018668 ll 40: 7b 1a d8 ff 00 00 00 00 *(u64 *)(r10 - 40) = r1 41: 18 01 00 00 54 61 69 6c 00 00 00 00 20 63 61 6c r1 
= 7809632219746099540 ll 43: 7b 1a d0 ff 00 00 00 00 *(u64 *)(r10 - 48) = r1 44: bf a1 00 00 00 00 00 00 r1 = r10 45: 07 01 00 00 d0 ff ff ff r1 += -48 46: b7 02 00 00 1e 00 00 00 r2 = 30 47: b7 03 00 00 0e 00 00 00 r3 = 14 48: 85 00 00 00 0d 00 00 00 call 13 0000000000000188 <LBB13_2>: 49: b7 00 00 00 01 00 00 00 r0 = 1 50: 95 00 00 00 00 00 00 00 exit
Function after fuzzing (the only mutated instruction is 22, where `r2 = 46` became `r2 = -39`, so a negative value in what appears to be a size argument now reaches `call 14`):
0000000000000000 <bind_test_callee13>: ; bind_test_callee9(): ; E:\ebpf\tests\sample\tail_call_max_exceed.c:98 ; DEFINE_BIND_TAIL_FUNC(13) 0: bf 16 00 00 00 00 00 00 r6 = r1 1: b7 07 00 00 0a 00 00 00 r7 = 10 2: 6b 7a fc ff 00 00 00 00 *(u16 *)(r10 - 4) = r7 3: b7 01 00 00 20 25 64 5d r1 = 1566844192 4: 63 1a f8 ff 00 00 00 00 *(u32 *)(r10 - 8) = r1 5: 18 01 00 00 2c 20 5b 78 00 00 00 00 2b 31 20 3d r1 = 4404574498340937772 ll 7: 7b 1a f0 ff 00 00 00 00 *(u64 *)(r10 - 16) = r1 8: 18 01 00 00 5b 78 20 3d 00 00 00 00 20 25 64 5d r1 = 6729544563593082971 ll 10: 7b 1a e8 ff 00 00 00 00 *(u64 *)(r10 - 24) = r1 11: 18 01 00 00 6c 20 69 6e 00 00 00 00 64 65 78 20 r1 = 2339731488442490988 ll 13: 7b 1a e0 ff 00 00 00 00 *(u64 *)(r10 - 32) = r1 14: 18 01 00 00 74 61 69 6c 00 00 00 00 20 63 61 6c r1 = 7809632219746099572 ll 16: 7b 1a d8 ff 00 00 00 00 *(u64 *)(r10 - 40) = r1 17: 18 01 00 00 43 61 6c 6c 00 00 00 00 69 6e 67 20 r1 = 2334956330884555075 ll 19: 7b 1a d0 ff 00 00 00 00 *(u64 *)(r10 - 48) = r1 20: bf a1 00 00 00 00 00 00 r1 = r10 21: 07 01 00 00 d0 ff ff ff r1 += -48 ; E:\ebpf\tests\sample\tail_call_max_exceed.c:98 ; DEFINE_BIND_TAIL_FUNC(13) 22: b7 02 00 00 d9 ff ff ff r2 = -39 23: b7 03 00 00 0d 00 00 00 r3 = 13 24: b7 04 00 00 0e 00 00 00 r4 = 14 25: 85 00 00 00 0e 00 00 00 call 14 26: bf 61 00 00 00 00 00 00 r1 = r6 27: 18 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r2 = 0 ll 29: b7 03 00 00 0e 00 00 00 r3 = 14 30: 85 00 00 00 05 00 00 00 call 5 31: 65 00 11 00 ff ff ff ff if r0 s> -1 goto +17 <LBB13_2> 32: 6b 7a ec ff 00 00 00 00 *(u16 *)(r10 - 20) = r7 33: b7 01 00 00 78 20 25 64 r1 = 1680154744 34: 63 1a e8 ff 00 00 00 00 *(u32 *)(r10 - 24) = r1 35: 18 01 00 00 20 61 74 20 00 00 00 00 69 6e 64 65 r1 = 7306085893296906528 ll 37: 7b 1a e0 ff 00 00 00 00 *(u64 *)(r10 - 32) = r1 38: 18 01 00 00 6c 20 66 61 00 00 00 00 69 6c 65 64 r1 = 7234307576302018668 ll 40: 7b 1a d8 ff 00 00 00 00 *(u64 *)(r10 - 40) = r1 41: 18 01 00 00 54 61 69 6c 00 00 00 00 20 63 61 6c 
r1 = 7809632219746099540 ll 43: 7b 1a d0 ff 00 00 00 00 *(u64 *)(r10 - 48) = r1 44: bf a1 00 00 00 00 00 00 r1 = r10 45: 07 01 00 00 d0 ff ff ff r1 += -48 46: b7 02 00 00 1e 00 00 00 r2 = 30 47: b7 03 00 00 0e 00 00 00 r3 = 14 48: 85 00 00 00 0d 00 00 00 call 13 0000000000000188 <LBB13_2>: 49: b7 00 00 00 01 00 00 00 r0 = 1 50: 95 00 00 00 00 00 00 00 exit
Assert (the stack shows the verifier's `ValidAccess` handling in `ebpf_domain.cpp @ 1791` calling `array_domain_t::all_num`, which trips the assertion in `bitset_domain_t::all_num` at `bitset_domain.hpp @ 103` and aborts the process instead of returning a verification failure for the program):
0:000> k100 # Child-SP RetAddr Call Site 00 00000045`bdfe95e0 00007ffd`57483153 ucrtbased!_threadid+0x65 01 00000045`bdfe9630 00007ffd`5749ae2d ucrtbased!_threadid+0x203 02 00000045`bdfe9690 00007ffd`574a1345 ucrtbased!abort+0x1d 03 00000045`bdfe96d0 00007ffd`574a0bd7 ucrtbased!get_wide_winmain_command_line+0x2895 04 00000045`bdfe9bb0 00007ffd`5749ebc8 ucrtbased!get_wide_winmain_command_line+0x2127 05 00000045`bdfe9c10 00007ffd`574a18af ucrtbased!get_wide_winmain_command_line+0x118 06 00000045`bdfe9c50 00007ffd`56951e47 ucrtbased!wassert+0x2f 07 00000045`bdfe9c80 00007ffd`56951dac EbpfApi!bitset_domain_t::all_num+0x37 [E:\ebpf\external\ebpf-verifier\src\crab\bitset_domain.hpp @ 103] 08 00000045`bdfe9cc0 00007ffd`5696e864 EbpfApi!crab::domains::array_domain_t::all_num+0x28c [E:\ebpf\external\ebpf-verifier\src\crab\array_domain.cpp @ 496] 09 00000045`bdfe9ef0 00007ffd`5696773b EbpfApi!`crab::ebpf_domain_t::operator()'::`2'::<lambda_1>::operator()+0x734 [E:\ebpf\external\ebpf-verifier\src\crab\ebpf_domain.cpp @ 1791] 0a 00000045`bdfeb1f0 00007ffd`5697974f EbpfApi!std::invoke<`crab::ebpf_domain_t::operator()'::`2'::<lambda_1> &,crab::domains::AddBottom &,enum type_encoding_t>+0x2b [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.39.33519\include\type_traits @ 1754] 0b 00000045`bdfeb220 00007ffd`5697229d EbpfApi!std::_Func_impl_no_alloc<`crab::ebpf_domain_t::operator()'::`2'::<lambda_1>,void,crab::domains::AddBottom &,enum type_encoding_t>::_Do_call+0x2f [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.39.33519\include\functional @ 909] 0c 00000045`bdfeb250 00007ffd`56996a80 EbpfApi!std::_Func_class<void,crab::domains::AddBottom &,enum type_encoding_t>::operator()+0x5d [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.39.33519\include\functional @ 952] 0d 00000045`bdfeb290 00007ffd`56976f2c EbpfApi!crab::ebpf_domain_t::TypeDomain::join_over_types+0x4b0 
[E:\ebpf\external\ebpf-verifier\src\crab\ebpf_domain.cpp @ 1275] 0e 00000045`bdfeba80 00007ffd`56967c8e EbpfApi!crab::ebpf_domain_t::operator()+0x12c [E:\ebpf\external\ebpf-verifier\src\crab\ebpf_domain.cpp @ 1769] 0f 00000045`bdfebdd0 00007ffd`5695eb9e EbpfApi!std::invoke<crab::ebpf_domain_t &,asm_syntax::ValidAccess const &>+0x1e [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.39.33519\include\type_traits @ 1754] 10 00000045`bdfebe00 00007ffd`56960a47 EbpfApi!std::_Variant_dispatcher<std::integer_sequence<unsigned __int64,4> >::_Dispatch2<void,crab::ebpf_domain_t &,std::variant<asm_syntax::Comparable,asm_syntax::Addable,asm_syntax::ValidDivisor,asm_syntax::ValidAccess,asm_syntax::ValidStore,asm_syntax::ValidSize,asm_syntax::ValidMapKeyValue,asm_syntax::TypeConstraint,asm_syntax::FuncConstraint,asm_syntax::ZeroCtxOffset> const &,0>+0x2e [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.39.33519\include\variant @ 1441] 11 00000045`bdfebe30 00007ffd`56960de5 EbpfApi!std::_Visit_strategy<2>::_Visit2<void,std::_Meta_list<std::integer_sequence<unsigned __int64,0>,std::integer_sequence<unsigned __int64,1>,std::integer_sequence<unsigned __int64,2>,std::integer_sequence<unsigned __int64,3>,std::integer_sequence<unsigned __int64,4>,std::integer_sequence<unsigned __int64,5>,std::integer_sequence<unsigned __int64,6>,std::integer_sequence<unsigned __int64,7>,std::integer_sequence<unsigned __int64,8>,std::integer_sequence<unsigned __int64,9>,std::integer_sequence<unsigned __int64,10> >,crab::ebpf_domain_t &,std::variant<asm_syntax::Comparable,asm_syntax::Addable,asm_syntax::ValidDivisor,asm_syntax::ValidAccess,asm_syntax::ValidStore,asm_syntax::ValidSize,asm_syntax::ValidMapKeyValue,asm_syntax::TypeConstraint,asm_syntax::FuncConstraint,asm_syntax::ZeroCtxOffset> const &>+0xa7 [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.39.33519\include\variant @ 1517] 12 00000045`bdfebe70 00007ffd`56968f87 
EbpfApi!std::_Visit_impl<11,void,std::_Meta_list<std::integer_sequence<unsigned __int64,0>,std::integer_sequence<unsigned __int64,1>,std::integer_sequence<unsigned __int64,2>,std::integer_sequence<unsigned __int64,3>,std::integer_sequence<unsigned __int64,4>,std::integer_sequence<unsigned __int64,5>,std::integer_sequence<unsigned __int64,6>,std::integer_sequence<unsigned __int64,7>,std::integer_sequence<unsigned __int64,8>,std::integer_sequence<unsigned __int64,9>,std::integer_sequence<unsigned __int64,10> >,crab::ebpf_domain_t &,std::variant<asm_syntax::Comparable,asm_syntax::Addable,asm_syntax::ValidDivisor,asm_syntax::ValidAccess,asm_syntax::ValidStore,asm_syntax::ValidSize,asm_syntax::ValidMapKeyValue,asm_syntax::TypeConstraint,asm_syntax::FuncConstraint,asm_syntax::ZeroCtxOffset> const &>+0x35 [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.39.33519\include\variant @ 1565] 13 00000045`bdfebeb0 00007ffd`569725fd EbpfApi!std::visit<crab::ebpf_domain_t &,std::variant<asm_syntax::Comparable,asm_syntax::Addable,asm_syntax::ValidDivisor,asm_syntax::ValidAccess,asm_syntax::ValidStore,asm_syntax::ValidSize,asm_syntax::ValidMapKeyValue,asm_syntax::TypeConstraint,asm_syntax::FuncConstraint,asm_syntax::ZeroCtxOffset> const &,void>+0x27 [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.39.33519\include\variant @ 1609] 14 00000045`bdfebef0 00007ffd`5696795e EbpfApi!crab::ebpf_domain_t::operator()+0xcd [E:\ebpf\external\ebpf-verifier\src\crab\ebpf_domain.cpp @ 1858] 15 00000045`bdfebf60 00007ffd`5695f07e EbpfApi!std::invoke<crab::ebpf_domain_t &,asm_syntax::Assert const &>+0x1e [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.39.33519\include\type_traits @ 1754] 16 00000045`bdfebf90 00007ffd`56960c4c EbpfApi!std::_Variant_dispatcher<std::integer_sequence<unsigned __int64,13> >::_Dispatch2<void,crab::ebpf_domain_t 
&,std::variant<asm_syntax::Undefined,asm_syntax::Bin,asm_syntax::Un,asm_syntax::LoadMapFd,asm_syntax::Call,asm_syntax::Callx,asm_syntax::Exit,asm_syntax::Jmp,asm_syntax::Mem,asm_syntax::Packet,asm_syntax::Atomic,asm_syntax::Assume,asm_syntax::Assert,asm_syntax::IncrementLoopCounter> const &,0>+0x2e [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.39.33519\include\variant @ 1441] 17 00000045`bdfebfc0 00007ffd`56960e25 EbpfApi!std::_Visit_strategy<2>::_Visit2<void,std::_Meta_list<std::integer_sequence<unsigned __int64,0>,std::integer_sequence<unsigned __int64,1>,std::integer_sequence<unsigned __int64,2>,std::integer_sequence<unsigned __int64,3>,std::integer_sequence<unsigned __int64,4>,std::integer_sequence<unsigned __int64,5>,std::integer_sequence<unsigned __int64,6>,std::integer_sequence<unsigned __int64,7>,std::integer_sequence<unsigned __int64,8>,std::integer_sequence<unsigned __int64,9>,std::integer_sequence<unsigned __int64,10>,std::integer_sequence<unsigned __int64,11>,std::integer_sequence<unsigned __int64,12>,std::integer_sequence<unsigned __int64,13>,std::integer_sequence<unsigned __int64,14> >,crab::ebpf_domain_t &,std::variant<asm_syntax::Undefined,asm_syntax::Bin,asm_syntax::Un,asm_syntax::LoadMapFd,asm_syntax::Call,asm_syntax::Callx,asm_syntax::Exit,asm_syntax::Jmp,asm_syntax::Mem,asm_syntax::Packet,asm_syntax::Atomic,asm_syntax::Assume,asm_syntax::Assert,asm_syntax::IncrementLoopCounter> const &>+0x14c [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.39.33519\include\variant @ 1517] 18 00000045`bdfec000 00007ffd`56968fb7 EbpfApi!std::_Visit_impl<15,void,std::_Meta_list<std::integer_sequence<unsigned __int64,0>,std::integer_sequence<unsigned __int64,1>,std::integer_sequence<unsigned __int64,2>,std::integer_sequence<unsigned __int64,3>,std::integer_sequence<unsigned __int64,4>,std::integer_sequence<unsigned __int64,5>,std::integer_sequence<unsigned __int64,6>,std::integer_sequence<unsigned 
__int64,7>,std::integer_sequence<unsigned __int64,8>,std::integer_sequence<unsigned __int64,9>,std::integer_sequence<unsigned __int64,10>,std::integer_sequence<unsigned __int64,11>,std::integer_sequence<unsigned __int64,12>,std::integer_sequence<unsigned __int64,13>,std::integer_sequence<unsigned __int64,14> >,crab::ebpf_domain_t &,std::variant<asm_syntax::Undefined,asm_syntax::Bin,asm_syntax::Un,asm_syntax::LoadMapFd,asm_syntax::Call,asm_syntax::Callx,asm_syntax::Exit,asm_syntax::Jmp,asm_syntax::Mem,asm_syntax::Packet,asm_syntax::Atomic,asm_syntax::Assume,asm_syntax::Assert,asm_syntax::IncrementLoopCounter> const &>+0x35 [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.39.33519\include\variant @ 1565] 19 00000045`bdfec040 00007ffd`56977e91 EbpfApi!std::visit<crab::ebpf_domain_t &,std::variant<asm_syntax::Undefined,asm_syntax::Bin,asm_syntax::Un,asm_syntax::LoadMapFd,asm_syntax::Call,asm_syntax::Callx,asm_syntax::Exit,asm_syntax::Jmp,asm_syntax::Mem,asm_syntax::Packet,asm_syntax::Atomic,asm_syntax::Assume,asm_syntax::Assert,asm_syntax::IncrementLoopCounter> const &,void>+0x27 [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.39.33519\include\variant @ 1609] 1a 00000045`bdfec080 00007ffd`568dcd6a EbpfApi!crab::ebpf_domain_t::operator()+0xa1 [E:\ebpf\external\ebpf-verifier\src\crab\ebpf_domain.cpp @ 1377] 1b 00000045`bdfec120 00007ffd`568dd015 EbpfApi!generate_report+0x1ca [E:\ebpf\external\ebpf-verifier\src\crab_verifier.cpp @ 90] 1c 00000045`bdfec830 00007ffd`568dd3d4 EbpfApi!get_analysis_report+0x65 [E:\ebpf\external\ebpf-verifier\src\crab_verifier.cpp @ 134] 1d 00000045`bdfec960 00007ffd`568dc7f5 EbpfApi!get_ebpf_report+0x1d4 [E:\ebpf\external\ebpf-verifier\src\crab_verifier.cpp @ 156] 1e 00000045`bdfecf90 00007ffd`5677909f EbpfApi!ebpf_verify_program+0x105 [E:\ebpf\external\ebpf-verifier\src\crab_verifier.cpp @ 220] 1f 00000045`bdfed140 00007ffd`5677b07e EbpfApi!_ebpf_api_elf_verify_section_from_stream+0x43f 
[E:\ebpf\libs\api\Verifier.cpp @ 718] 20 00000045`bdfed8b0 00007ffd`5678a0cf EbpfApi!_verify_section_from_string+0x27e [E:\ebpf\libs\api\Verifier.cpp @ 801] 21 00000045`bdfedb20 00007ff6`6f0092c6 EbpfApi!ebpf_api_elf_verify_section_from_memory+0x8f [E:\ebpf\libs\api\Verifier.cpp @ 833] 22 00000045`bdfedba0 00007ff6`6f11f089 bpf2c!main+0x1526 [E:\ebpf\tools\bpf2c\bpf2c.cpp @ 303] 23 00000045`bdfef860 00007ff6`6f11ef6e bpf2c!invoke_main+0x39 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 79] 24 00000045`bdfef8b0 00007ff6`6f11ee2e bpf2c!__scrt_common_main_seh+0x12e [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 25 00000045`bdfef920 00007ff6`6f11f11e bpf2c!__scrt_common_main+0xe [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 331] 26 00000045`bdfef950 00007ffe`3036257d bpf2c!mainCRTStartup+0xe [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp @ 17] 27 00000045`bdfef980 00007ffe`31e2aa48 KERNEL32!BaseThreadInitThunk+0x1d 28 00000045`bdfef9b0 00000000`00000000 ntdll!RtlUserThreadStart+0x28