ubpf Segmentation fault caused by call instruction

We have produced an ELF file with a .text section and a maps section containing the following eBPF program:

mov64 r0, 0x0
stxw [r10-0x4], r0
mov64 r2, r10
add64 r2, 0xfffffffc
lddw r1, 0xfffffffc
call 0x1
mov64 r0, 0x1
exit

We use ./ebpf-verifier/check data.o to verify the ELF file/eBPF program and ./ubpf/vm/test -j data.o to execute. Through fuzzing we have generated different maps sections, where PREVAIL usually catches the errors produced. Here is an example of a data.o file that PREVAIL verifies as being correct but causes a segmentation fault in uBPF:

7f45 4c46 0201 0100 0000 0000 0000 0000
0100 f700 0100 0000 0000 0000 0000 0000
0000 0000 0000 0000 9001 0000 0000 0000
0000 0000 4000 3800 0000 4000 0700 0100

0200 0000 0400 0000 0020 0000 0100 0000
0000 0000 

          b700 0000 0000 0000 630a fcff
0000 0000 bfa2 0000 0000 0000 0702 0000
fcff ffff 1801 0000 fcff ffff 0000 0000
0000 0000 8500 0000 0100 0000 b700 0000
0100 0000 9500 0000 0000 0000 

                              002e 7374
7274 6162 002e 7379 6d74 6162 006f 626a
2d66 696c 6573 2f64 6174 612e 6f00 6d61
7073 002e 7465 7874 002e 7265 6c61 2e74
6578 7400 2e6e 6f74 652e 474e 552d 7374
6163 6b00 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
1100 0000 0400 f1ff 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0300 0300
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0300 0400 0000 0000 0000 0000
0000 0000 0000 0000 2200 0000 0300 0300
0000 0000 0000 0000 1400 0000 0000 0000
2700 0000 0300 0400 0000 0000 0000 0000
4800 0000 0000 0000 2000 0000 0000 0000
0100 0000 0200 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0100 0000 0300 0000 0000 0000 0000 0000
0000 0000 0000 0000 9c00 0000 0000 0000
4800 0000 0000 0000 0000 0000 0000 0000
0100 0000 0000 0000 0000 0000 0000 0000
0900 0000 0200 0000 0000 0000 0000 0000
0000 0000 0000 0000 e800 0000 0000 0000
9000 0000 0000 0000 0100 0000 0600 0000
0800 0000 0000 0000 1800 0000 0000 0000
2200 0000 0100 0000 0300 0000 0000 0000
0000 0000 0000 0000 4000 0000 0000 0000
1400 0000 0000 0000 0000 0000 0000 0000
0800 0000 0000 0000 0000 0000 0000 0000
2700 0000 0100 0000 0600 0000 0000 0000
0000 0000 0000 0000 5400 0000 0000 0000
4800 0000 0000 0000 0000 0000 0000 0000
1000 0000 0000 0000 0000 0000 0000 0000
2d00 0000 0400 0000 4000 0000 0000 0000
0000 0000 0000 0000 7801 0000 0000 0000
1800 0000 0000 0000 0200 0000 0400 0000
0800 0000 0000 0000 1800 0000 0000 0000
3800 0000 0100 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0100 0000 0000 0000 0000 0000 0000 0000

May 04 '23 11:05 tobashi

Note: uBPF doesn't have the same set of helper functions as the Linux kernel, so the verification by Prevail doesn't hold.

Helper #1 in uBPF is: https://github.com/iovisor/ubpf/blob/2071abbed9b396949ceed66c5ebbbac10c5c8e7d/vm/test.c#L323

Whereas helper #1 in Linux is: https://github.com/vbpf/ebpf-verifier/blob/c0918694026bc11583e0098c956f08578ddbac02/src/linux/gpl/spec_prototypes.cpp#L164

May 08 '23 18:05 Alan-Jowett

Does helper function #6 in your implementation of maps in uBPF (#170) correspond to helper function #1 in the Linux kernel? https://github.com/Alan-Jowett/ubpf/blob/0a1860d91781c17bd2f9d82d395ac6166d120c56/vm/test.c#L461

May 09 '23 06:05 tobashi

Here is the gdb output for additional detail regarding the segfault

Program received signal SIGSEGV, Segmentation fault.
bpf_map_lookup_elem_impl (map=0xfffffffc, key=0x7fffffffdd8c) at test.c:398
397        map_entry_t* map_entry = (map_entry_t*)map;
398        if (map_entry->map_definition.type == BPF_MAP_TYPE_ARRAY) {

May 19 '23 10:05 tobashi

ubpf ubpf copied to clipboard

Segmentation fault caused by call instruction

ubpf
ubpf copied to clipboard