lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <0dea99d9-3334-3fd3-3776-074ecace0259@arm.com>
Date:   Tue, 5 Sep 2023 16:02:19 +0100
From:   Robin Murphy <robin.murphy@....com>
To:     Will Deacon <will@...nel.org>,
        syzbot <syzbot+4a9f9820bd8d302e22f7@...kaller.appspotmail.com>
Cc:     catalin.marinas@....com, fw@...len.de, kadlec@...filter.org,
        linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
        pablo@...filter.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [arm?] [netfilter?] KASAN: slab-out-of-bounds Read in
 do_csum

On 05/09/2023 3:37 pm, Will Deacon wrote:
> [+Robin as he's had fun with the checksum code in the past]
> 
> On Mon, Aug 28, 2023 at 03:04:44AM -0700, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    908f31f2a05b Merge branch 'for-next/core', remote-tracking..
>> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
>> console output: https://syzkaller.appspot.com/x/log.txt?x=155e0463280000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=c1058fe68f4b7b2c
>> dashboard link: https://syzkaller.appspot.com/bug?extid=4a9f9820bd8d302e22f7
>> compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>> userspace arch: arm64
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16bc548d280000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=135bba3b280000
>>
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/87d095820229/disk-908f31f2.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/a1bf67af9675/vmlinux-908f31f2.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/7784a88b37e8/Image-908f31f2.gz.xz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+4a9f9820bd8d302e22f7@...kaller.appspotmail.com
>>
>> netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
>> netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
>> ==================================================================
>> BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39
>> Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975

Yup, that looks suspiciously "-368"-shaped...

> Judging by the UBSAN errors:
> 
> | shift exponent 3008 is too large for 64-bit type 'u64' (aka 'unsigned long long')
> 
> We're probably being passed a negative 'len' argument. It looks like the
> generic version in lib/checksum.c rejects that early, so maybe we should
> do the same in the arch code?

Hmm, indeed I can offer no explanation as to why I put "if (len == 0)" 
there rather than "if (len <= 0)" like literally every other C 
implementation* :/

Cheers,
Robin.


*apart from Loongarch who didn't exist at the time, but appear to have 
dutifully copy-pasted the same bug.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ