lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 15 Sep 2023 16:32:20 +0100
From:   David Howells <dhowells@...hat.com>
To:     Eric Dumazet <edumazet@...gle.com>
Cc:     dhowells@...hat.com,
        syzbot <syzbot+62cbf263225ae13ff153@...kaller.appspotmail.com>,
        bpf@...r.kernel.org, davem@...emloft.net, dsahern@...nel.org,
        kuba@...nel.org, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, pabeni@...hat.com,
        syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] WARNING in __ip6_append_data

Hi Eric,

> > WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800

That would appear to be this:

			if (WARN_ON_ONCE(copy > msg->msg_iter.count))
				goto error;

However, I have a problem that the repro program errors out at this point
before it gets that far:

	if (cork->length + length > maxnonfragsize - headersize) {
   emsgsize:
		pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
		ipv6_local_error(sk, EMSGSIZE, fl6, pmtu);
		return -EMSGSIZE;
	}

Are you able to reproduce the issue?

The values in and around that point are:

	cork->length		0
	length			65540
	maxnonfragsize		65575
	headersize		40
	transhdrlen		4
	mtu			65536
	ip6_sk_ignore_df(sk)	true

with maxnonfragsize coming from 'sizeof(struct ipv6hdr) + IPV6_MAXPLEN'.  Is
that even viable for the size of a packet?

David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ