lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 17 Jan 2018 08:39:17 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Eric Biggers <ebiggers3@...il.com>
Cc:     Oliver Hartkopp <socketcan@...tkopp.net>,
        Marc Kleine-Budde <mkl@...gutronix.de>,
        syzbot <syzbot+4386709c0c1284dca827@...kaller.appspotmail.com>,
        David Miller <davem@...emloft.net>, linux-can@...r.kernel.org,
        LKML <linux-kernel@...r.kernel.org>,
        netdev <netdev@...r.kernel.org>, syzkaller-bugs@...glegroups.com
Subject: Re: WARNING in can_rcv

On Wed, Jan 17, 2018 at 8:12 AM, Eric Biggers <ebiggers3@...il.com> wrote:
> On Wed, Jan 17, 2018 at 07:39:24AM +0100, Oliver Hartkopp wrote:
>>
>>
>> On 01/16/2018 07:11 PM, Dmitry Vyukov wrote:
>> > On Tue, Jan 16, 2018 at 7:07 PM, Marc Kleine-Budde <mkl@...gutronix.de> wrote:
>> > > On 01/16/2018 06:58 PM, syzbot wrote:
>> > > > Hello,
>> > > >
>> > > > syzkaller hit the following crash on
>> > > > a8750ddca918032d6349adbf9a4b6555e7db20da
>> > > > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
>> > > > compiler: gcc (GCC) 7.1.1 20170620
>> > > > .config is attached
>> > > > Raw console output is attached.
>> > > > C reproducer is attached
>> > > > syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>> > > > for information about syzkaller reproducers
>> > > >
>> > > >
>> > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> > > > Reported-by: syzbot+4386709c0c1284dca827@...kaller.appspotmail.com
>> > > > It will help syzbot understand when the bug is fixed. See footer for
>> > > > details.
>> > > > If you forward the report, please keep this part and the footer.
>> > > >
>> > > > device eql entered promiscuous mode
>> > > > ------------[ cut here ]------------
>> > > > PF_CAN: dropped non conform CAN skbuf: dev type 65534, len 42, datalen 0
>> > > > WARNING: CPU: 0 PID: 3650 at net/can/af_can.c:729 can_rcv+0x1c5/0x200
>> > > > net/can/af_can.c:724
>> > > > Kernel panic - not syncing: panic_on_warn set ...
>> > >
>> > > Invalid packages generate a warning (WARN_ONCE()), and you have
>> > > panic_on_warn active. Should we better silently drop these CAN packages?
>> >
>> > Hi,
>> >
>> > pr_warn_once() will be more appropriate. It prints a single line.
>> >
>>
>> The idea behind this WARN() is to detect really bad things that might have
>> happen on network driver level:
>>
>> The CAN subsystem registers with dev_add_pack() for ETH_P_CAN and
>> ETH_P_CANFD only. These ETH_P_ types are only allowed to be created by CAN
>> network devices (like vcan, vxcan, and real CAN drivers).
>>
>> I don't have any strong opinion on using WARN() or pr_warn_once().
>> Is this detected violation worth using WARN(), as something already must
>> have gone really wrong to trigger this issue?
>>
>
> WARN() indicates a kernel bug.  If it's instead "userspace did something
> stupid", or "someone sent some unexpected network packet", it needs to be
> pr_warn_once(), pr_warn_ratelimited(), or removed entirely.


The packet comes from tun device. We could change tun to filter out
such packages earlier. However, in the context of "syzkaller support
for AF_CAN" discussion, it would actually be useful for fuzzer to be
able emit can packets for testing purposes. For example, for tcp it
can not just emit random packets, it can build complex user<->network
interactions, for example, open a listening socket, connect to it
"from outside", accept the connection, and then exchange some data
over the active connection. It could do the same for can.
Is it possible to allow can packets via tun? Then we could leave this
WARNING in place. tun/vcan are contained within a net namespace, so
this should not be a security problem, right?
Or is there a way to do the same with vcan? If yes, then fuzzer could
use vcan. But then we need some fix for this WARNING: either change it
to pr_warn or change tun (I don't have strong preference which one).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ