| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3905313.1695031861@warthog.procyon.org.uk>
Date: Mon, 18 Sep 2023 11:11:01 +0100
From: David Howells <dhowells@...hat.com>
To: syzbot+62cbf263225ae13ff153@...kaller.appspotmail.com
Cc: dhowells@...hat.com, Eric Dumazet <edumazet@...gle.com>,
bpf@...r.kernel.org, davem@...emloft.net, dsahern@...nel.org,
kuba@...nel.org, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org, pabeni@...hat.com,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] WARNING in __ip6_append_data
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 65d6e954e378
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 0665e8b09968..7978335c1fc4 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1517,8 +1517,10 @@ static int __ip6_append_data(struct sock *sk,
rt->rt6i_nfheader_len;
if (mtu <= fragheaderlen ||
- ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr))
+ ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr)) {
+ printk("__%u__: EMSGSIZE\n", __LINE__);
goto emsgsize;
+ }
maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen -
sizeof(struct frag_hdr);
@@ -1526,8 +1528,10 @@ static int __ip6_append_data(struct sock *sk,
/* as per RFC 7112 section 5, the entire IPv6 Header Chain must fit
* the first fragment
*/
- if (headersize + transhdrlen > mtu)
+ if (headersize + transhdrlen > mtu) {
+ printk("__%u__: EMSGSIZE\n", __LINE__);
goto emsgsize;
+ }
if (cork->length + length > mtu - headersize && ipc6->dontfrag &&
(sk->sk_protocol == IPPROTO_UDP ||
@@ -1535,15 +1539,23 @@ static int __ip6_append_data(struct sock *sk,
sk->sk_protocol == IPPROTO_RAW)) {
ipv6_local_rxpmtu(sk, fl6, mtu - headersize +
sizeof(struct ipv6hdr));
+ printk("__%u__: EMSGSIZE\n", __LINE__);
goto emsgsize;
}
- if (ip6_sk_ignore_df(sk))
+ if (ip6_sk_ignore_df(sk)) {
maxnonfragsize = sizeof(struct ipv6hdr) + IPV6_MAXPLEN;
- else
+ printk("MAXPLEN\n");
+ } else {
maxnonfragsize = mtu;
+ printk("mtu\n");
+ }
+ printk("check %d %zd %d %d, %d %d\n",
+ cork->length, length, maxnonfragsize, headersize,
+ transhdrlen, mtu);
if (cork->length + length > maxnonfragsize - headersize) {
+ printk("__%u__: EMSGSIZE\n", __LINE__);
emsgsize:
pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
ipv6_local_error(sk, EMSGSIZE, fl6, pmtu);
@@ -1817,8 +1829,10 @@ static int __ip6_append_data(struct sock *sk,
if (!skb_can_coalesce(skb, i, pfrag->page,
pfrag->offset)) {
err = -EMSGSIZE;
- if (i == MAX_SKB_FRAGS)
+ if (i == MAX_SKB_FRAGS) {
+ printk("__%u__: EMSGSIZE\n", __LINE__);
goto error;
+ }
__skb_fill_page_desc(skb, i, pfrag->page,
pfrag->offset, 0);
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index ed8ebb6f5909..daaaf60dce01 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -502,6 +502,8 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
int ulen;
int err;
+ printk("%s()\n", __func__);
+
/* Rough check on arithmetic overflow,
* better check is made in ip6_append_data().
*/
Powered by blists - more mailing lists