| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Mar 2021 22:31:08 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: Dmitry Safonov <dima@...sta.com>,
syzbot <syzbot+834ffd1afc7212eb8147@...kaller.appspotmail.com>,
davem@...emloft.net, herbert@...dor.apana.org.au, kuba@...nel.org,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
steffen.klassert@...unet.com, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] WARNING in xfrm_alloc_compat (2)
On 3/29/21 9:57 PM, Dmitry Safonov wrote:
> Hi,
>
> On 3/29/21 8:04 PM, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: 6c996e19 net: change netdev_unregister_timeout_secs min va..
>> git tree: net-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=102e5926d00000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=c0ac79756537274e
>> dashboard link: https://syzkaller.appspot.com/bug?extid=834ffd1afc7212eb8147
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10a7b1aad00000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17ae6b7cd00000
>>
>> The issue was bisected to:
>>
>> commit 5f3eea6b7e8f58cf5c8a9d4b9679dc19e9e67ba3
>> Author: Dmitry Safonov <dima@...sta.com>
>> Date: Mon Sep 21 14:36:53 2020 +0000
>>
>> xfrm/compat: Attach xfrm dumps to 64=>32 bit translator
>>
>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10694b3ad00000
>> final oops: https://syzkaller.appspot.com/x/report.txt?x=12694b3ad00000
>> console output: https://syzkaller.appspot.com/x/log.txt?x=14694b3ad00000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+834ffd1afc7212eb8147@...kaller.appspotmail.com
>> Fixes: 5f3eea6b7e8f ("xfrm/compat: Attach xfrm dumps to 64=>32 bit translator")
>>
>> netlink: 208 bytes leftover after parsing attributes in process `syz-executor193'.
>> ------------[ cut here ]------------
>> unsupported nla_type 356
>
> This doesn't seem to be an issue.
> Userspace sent message with nla_type 356, which is > __XFRM_MSG_MAX, so
> this warning is expected. I've added it so when a new XFRM_MSG_* will be
> added, to make sure that there will be translations to such messages in
> xfrm_compat.ko (if the translation needed).
> This is WARN_ON_ONCE(), so it can't be used as DOS.
>
> Ping me if you'd expect something else than once-a-boot warning for
> this. Not sure how-to close syzkaller bug, docs have only `invalid' tag,
> which isn't `not-a-bug'/`expected' tag:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md
>
You should not use WARN_ON_ONCE() for this case (if user space can trigger it)
https://lwn.net/Articles/769365/
<quote>
Greg Kroah-Hartman raised the problem of core kernel API code that will use WARN_ON_ONCE() to complain about bad usage; that will not generate the desired result if WARN_ON_ONCE() is configured to crash the machine. He was told that the code should just call pr_warn() instead, and that the called function should return an error in such situations. It was generally agreed that any WARN_ON() or WARN_ON_ONCE() calls that can be triggered from user space need to be fixed.
</quote>
Powered by blists - more mailing lists