lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20200714093718.GQ20687@gauss3.secunet.de>
Date:   Tue, 14 Jul 2020 11:37:19 +0200
From:   Steffen Klassert <steffen.klassert@...unet.com>
To:     syzbot <syzbot+ea9832f8ae588deb0205@...kaller.appspotmail.com>,
        Xin Long <lucien.xin@...il.com>
CC:     <davem@...emloft.net>, <herbert@...dor.apana.org.au>,
        <kuba@...nel.org>, <kuznet@....inr.ac.ru>,
        <linux-kernel@...r.kernel.org>, <netdev@...r.kernel.org>,
        <syzkaller-bugs@...glegroups.com>, <yoshfuji@...ux-ipv6.org>
Subject: Re: KASAN: slab-out-of-bounds Read in __xfrm6_tunnel_spi_lookup

Xin,

this looks a bit like it was introduced with one of your recent
patches. Can you please look into that?

Thanks!

On Mon, Jul 13, 2020 at 03:04:16PM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    be978f8f Add linux-next specific files for 20200713
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1225f8c7100000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=3fe4fccb94cbc1a6
> dashboard link: https://syzkaller.appspot.com/bug?extid=ea9832f8ae588deb0205
> compiler:       gcc (GCC) 10.1.0-syz 20200507
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17270713100000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=126c0ffb100000
> 
> Bisection is inconclusive: the first bad commit could be any of:
> 
> 08622869 ip6_vti: support IP6IP6 tunnel processing with .cb_handler
> e6ce6457 ip_vti: support IPIP6 tunnel processing
> 2ab110cb ip6_vti: support IP6IP tunnel processing
> 87e66b96 ip_vti: support IPIP tunnel processing with .cb_handler
> 86afc703 tunnel6: add tunnel6_input_afinfo for ipip and ipv6 tunnels
> d5a7a505 ipcomp: assign if_id to child tunnel from parent tunnel
> 6df2db5d tunnel4: add cb_handler to struct xfrm_tunnel
> d7b360c2 xfrm: interface: support IP6IP6 and IP6IP tunnels processing with .cb_handler
> 1475ee0a xfrm: add is_ipip to struct xfrm_input_afinfo
> da9bbf05 xfrm: interface: support IPIP and IPIP6 tunnels processing with .cb_handler
> 2d4c7986 Merge remote-tracking branch 'origin/testing'
> 428d2459 xfrm: introduce oseq-may-wrap flag
> bdf0acad Merge remote-tracking branch 'ipsec-next/master'
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=137de95d100000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+ea9832f8ae588deb0205@...kaller.appspotmail.com
> 
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in __xfrm6_tunnel_spi_lookup+0x3a9/0x3b0 net/ipv6/xfrm6_tunnel.c:79
> Read of size 8 at addr ffff88809a0d6b80 by task syz-executor016/7061
> CPU: 1 PID: 7061 Comm: syz-executor016 Not tainted 5.8.0-rc4-next-20200713-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  <IRQ>
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x18f/0x20d lib/dump_stack.c:118
>  print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
>  __kasan_report mm/kasan/report.c:513 [inline]
>  kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
>  __xfrm6_tunnel_spi_lookup+0x3a9/0x3b0 net/ipv6/xfrm6_tunnel.c:79
>  xfrm6_tunnel_spi_lookup+0x8a/0x1d0 net/ipv6/xfrm6_tunnel.c:95
>  xfrmi6_rcv_tunnel+0xb9/0x100 net/xfrm/xfrm_interface.c:810
>  tunnel46_rcv+0xef/0x2b0 net/ipv6/tunnel6.c:193
>  ip6_protocol_deliver_rcu+0x2e8/0x1670 net/ipv6/ip6_input.c:433
>  ip6_input_finish+0x7f/0x160 net/ipv6/ip6_input.c:474
>  NF_HOOK include/linux/netfilter.h:307 [inline]
>  NF_HOOK include/linux/netfilter.h:301 [inline]
>  ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:483
>  ip6_mc_input+0x411/0xea0 net/ipv6/ip6_input.c:577
>  dst_input include/net/dst.h:449 [inline]
>  ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
>  NF_HOOK include/linux/netfilter.h:307 [inline]
>  NF_HOOK include/linux/netfilter.h:301 [inline]
>  ipv6_rcv+0x28e/0x3c0 net/ipv6/ip6_input.c:307
>  __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5287
>  __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5401
>  process_backlog+0x28d/0x7f0 net/core/dev.c:6245
>  napi_poll net/core/dev.c:6690 [inline]
>  net_rx_action+0x4a1/0xe80 net/core/dev.c:6760
>  __do_softirq+0x34c/0xa60 kernel/softirq.c:292
>  asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
>  </IRQ>
>  __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
>  run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
>  do_softirq_own_stack+0x111/0x170 arch/x86/kernel/irq_64.c:77
>  do_softirq kernel/softirq.c:337 [inline]
>  do_softirq+0x16b/0x1e0 kernel/softirq.c:324
>  netif_rx_ni+0x3c5/0x650 net/core/dev.c:4836
>  dev_loopback_xmit+0x204/0x590 net/core/dev.c:3852
>  NF_HOOK include/linux/netfilter.h:307 [inline]
>  NF_HOOK include/linux/netfilter.h:301 [inline]
>  ip6_finish_output2+0x108f/0x17b0 net/ipv6/ip6_output.c:81
>  ip6_fragment+0xbdb/0x2490 net/ipv6/ip6_output.c:920
>  __ip6_finish_output net/ipv6/ip6_output.c:141 [inline]
>  __ip6_finish_output+0x578/0xab0 net/ipv6/ip6_output.c:128
>  ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153
>  NF_HOOK_COND include/linux/netfilter.h:296 [inline]
>  ip6_output+0x1db/0x520 net/ipv6/ip6_output.c:176
>  dst_output include/net/dst.h:443 [inline]
>  ip6_local_out+0xaf/0x1a0 net/ipv6/output_core.c:179
>  ip6_send_skb+0xb7/0x340 net/ipv6/ip6_output.c:1865
>  ip6_push_pending_frames+0xbd/0xe0 net/ipv6/ip6_output.c:1885
>  rawv6_push_pending_frames net/ipv6/raw.c:613 [inline]
>  rawv6_sendmsg+0x2add/0x38f0 net/ipv6/raw.c:956
>  inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:817
>  sock_sendmsg_nosec net/socket.c:652 [inline]
>  sock_sendmsg+0xcf/0x120 net/socket.c:672
>  sock_no_sendpage+0xee/0x130 net/core/sock.c:2873
>  kernel_sendpage net/socket.c:3653 [inline]
>  sock_sendpage+0xe5/0x140 net/socket.c:945
>  pipe_to_sendpage+0x2ad/0x380 fs/splice.c:365
>  splice_from_pipe_feed fs/splice.c:419 [inline]
>  __splice_from_pipe+0x3dc/0x830 fs/splice.c:543
>  splice_from_pipe fs/splice.c:578 [inline]
>  generic_splice_sendpage+0xd4/0x140 fs/splice.c:724
>  do_splice_from fs/splice.c:736 [inline]
>  do_splice+0xbb8/0x17a0 fs/splice.c:1043
>  __do_sys_splice fs/splice.c:1318 [inline]
>  __se_sys_splice fs/splice.c:1300 [inline]
>  __x64_sys_splice+0x198/0x250 fs/splice.c:1300
>  do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
>  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> RIP: 0033:0x448bc9
> Code: Bad RIP value.
> RSP: 002b:00007f17b19a4da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
> RAX: ffffffffffffffda RBX: 00000000006dec58 RCX: 0000000000448bc9
> RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
> RBP: 00000000006dec50 R08: 000000000804ffe2 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dec5c
> R13: 00007ffe929ff2df R14: 00007f17b19a59c0 R15: 00000000006dec5c
> Allocated by task 6840:
>  kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
>  kasan_set_track mm/kasan/common.c:56 [inline]
>  __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
>  __do_kmalloc mm/slab.c:3655 [inline]
>  __kmalloc+0x1a8/0x320 mm/slab.c:3664
>  kmalloc include/linux/slab.h:559 [inline]
>  kzalloc include/linux/slab.h:666 [inline]
>  ops_init+0xfb/0x470 net/core/net_namespace.c:141
>  setup_net+0x2d8/0x850 net/core/net_namespace.c:341
>  copy_net_ns+0x2cf/0x5e0 net/core/net_namespace.c:482
>  create_new_namespaces+0x3f6/0xb10 kernel/nsproxy.c:110
>  unshare_nsproxy_namespaces+0xbd/0x1f0 kernel/nsproxy.c:231
>  ksys_unshare+0x445/0x8e0 kernel/fork.c:2927
>  __do_sys_unshare kernel/fork.c:2995 [inline]
>  __se_sys_unshare kernel/fork.c:2993 [inline]
>  __x64_sys_unshare+0x2d/0x40 kernel/fork.c:2993
>  do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
>  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> The buggy address belongs to the object at ffff88809a0d6800
>  which belongs to the cache kmalloc-512 of size 512
> The buggy address is located 384 bytes to the right of
>  512-byte region [ffff88809a0d6800, ffff88809a0d6a00)
> The buggy address belongs to the page:
> page:000000008c78ee7f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9a0d6
> flags: 0xfffe0000000200(slab)
> raw: 00fffe0000000200 ffffea0002783b08 ffffea00026054c8 ffff8880aa000600
> raw: 0000000000000000 ffff88809a0d6000 0000000100000004 0000000000000000
> page dumped because: kasan: bad access detected
> Memory state around the buggy address:
>  ffff88809a0d6a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff88809a0d6b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >ffff88809a0d6b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>                    ^
>  ffff88809a0d6c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffff88809a0d6c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ==================================================================
> 
> 
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
> 
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ