lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAAeHK+wfDdc_FybfsZUS0F4n9qkdCd-6V_VEEA0EgJ_vZjzRmg@mail.gmail.com>
Date:   Tue, 14 Feb 2017 13:59:35 +0100
From:   Andrey Konovalov <andreyknvl@...gle.com>
To:     Eric Dumazet <edumazet@...gle.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Kostya Serebryany <kcc@...gle.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: net: BUG in __skb_gso_segment

On Mon, Feb 13, 2017 at 10:56 PM, Eric Dumazet <edumazet@...gle.com> wrote:
> On Mon, Feb 13, 2017 at 11:54 AM, Andrey Konovalov
> <andreyknvl@...gle.com> wrote:
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> A reproducer and .config are attached.
>>
>> On commit 926af6273fc683cd98cd0ce7bf0d04a02eed6742.
>>
>> kernel BUG at ./include/linux/skbuff.h:1942!
>> invalid opcode: 0000 [#1] SMP KASAN
>> Dumping ftrace buffer:
>>    (ftrace buffer empty)
>> Modules linked in:
>> CPU: 1 PID: 5922 Comm: syz-executor5 Not tainted 4.10.0-rc7+ #127
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> task: ffff88003ba72dc0 task.stack: ffff880033ed0000
>> RIP: 0010:__skb_pull include/linux/skbuff.h:1942 [inline]
>> RIP: 0010:skb_mac_gso_segment+0x5ae/0x690 net/core/dev.c:2634
>> RSP: 0018:ffff880033ed6c48 EFLAGS: 00010216
>> RAX: 0000000000010000 RBX: 000000000000113e RCX: ffffc90003f74000
>> RDX: 0000000000000223 RSI: ffffffff833cfbfe RDI: ffff88003e305244
>> RBP: ffff880033ed6d98 R08: 0000000000000000 R09: 0000000000000000
>> R10: c66e14bf8d4328e9 R11: 0000000000000000 R12: 000000000000000e
>> R13: ffff88003e3051c0 R14: ffff880033ed6d70 R15: 0000000000000000
>> FS:  00007faa035db700(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00000000203dd000 CR3: 000000003c165000 CR4: 00000000000006e0
>> Call Trace:
>>  __skb_gso_segment+0x3d2/0x780 net/core/dev.c:2710
>>  skb_gso_segment include/linux/netdevice.h:3914 [inline]
>>  validate_xmit_skb+0x5c9/0xc20 net/core/dev.c:2944
>>  __dev_queue_xmit+0x102e/0x2860 net/core/dev.c:3364
>>  dev_queue_xmit+0x17/0x20 net/core/dev.c:3405
>>  packet_snd net/packet/af_packet.c:2872 [inline]
>>  packet_sendmsg+0x40bc/0x58b0 net/packet/af_packet.c:2897
>>  sock_sendmsg_nosec net/socket.c:635 [inline]
>>  sock_sendmsg+0xca/0x110 net/socket.c:645
>>  ___sys_sendmsg+0x4a3/0xae0 net/socket.c:1985
>>  __sys_sendmmsg+0x25c/0x750 net/socket.c:2075
>>  SYSC_sendmmsg net/socket.c:2106 [inline]
>>  SyS_sendmmsg+0x35/0x60 net/socket.c:2101
>>  entry_SYSCALL_64_fastpath+0x1f/0xc2
>> RIP: 0033:0x4458b9
>> RSP: 002b:00007faa035dab58 EFLAGS: 00000292 ORIG_RAX: 0000000000000133
>> RAX: ffffffffffffffda RBX: 0000000000000016 RCX: 00000000004458b9
>> RDX: 0000000000000001 RSI: 0000000020bc7fc8 RDI: 0000000000000016
>> RBP: 00000000006e1ad0 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000708000
>> R13: 0000000020fcc000 R14: 0000000000001000 R15: 0000000000000003
>> Code: 00 00 48 c7 c7 00 4b 23 85 c6 05 b6 6f b2 02 01 e8 58 7a 04 fe
>> e9 ae fc ff ff 48 c7 c3 ea ff ff ff e9 dc fe ff ff e8 82 f0 1d fe <0f>
>> 0b 48 8b bd e0 fe ff ff e8 a4 30 48 fe e9 ef fd ff ff e8 9a
>> RIP: __skb_pull include/linux/skbuff.h:1942 [inline] RSP: ffff880033ed6c48
>> RIP: skb_mac_gso_segment+0x5ae/0x690 net/core/dev.c:2634 RSP: ffff880033ed6c48
>> ---[ end trace 2214c8475331c97c ]---
>> Kernel panic - not syncing: Fatal exception in interrupt
>> Dumping ftrace buffer:
>>    (ftrace buffer empty)
>> Kernel Offset: disabled
>> Rebooting in 86400 seconds..
>
> Hi Andrey.

Hi Eric,

>
> 926af6273fc683cd98cd0ce7bf0d04a02eed6 is quite old ;)

Updated to 4.10-rc8 :)

>
> Probably already fixed ?

Yes, it is.

Thanks!

>
> commit 57031eb794906eea4e1c7b31dc1e2429c0af0c66
> Author: Willem de Bruijn <willemb@...gle.com>
> Date:   Tue Feb 7 15:57:21 2017 -0500
>
>     packet: round up linear to header len
>
>     Link layer protocols may unconditionally pull headers, as Ethernet
>     does in eth_type_trans. Ensure that the entire link layer header
>     always lies in the skb linear segment. tpacket_snd has such a check.
>     Extend this to packet_snd.
>
>     Variable length link layer headers complicate the computation
>     somewhat. Here skb->len may be smaller than dev->hard_header_len.
>
>     Round up the linear length to be at least as long as the smallest of
>     the two.
>
>     Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
>     Signed-off-by: Willem de Bruijn <willemb@...gle.com>
>     Acked-by: Eric Dumazet <edumazet@...gle.com>
>     Signed-off-by: David S. Miller <davem@...emloft.net>
>
> commit 217e6fa24ce28ec87fca8da93c9016cb78028612
> Author: Willem de Bruijn <willemb@...gle.com>
> Date:   Tue Feb 7 15:57:20 2017 -0500
>
>     net: introduce device min_header_len
>
>     The stack must not pass packets to device drivers that are shorter
>     than the minimum link layer header length.
>
>     Previously, packet sockets would drop packets smaller than or equal
>     to dev->hard_header_len, but this has false positives. Zero length
>     payload is used over Ethernet. Other link layer protocols support
>     variable length headers. Support for validation of these protocols
>     removed the min length check for all protocols.
>
>     Introduce an explicit dev->min_header_len parameter and drop all
>     packets below this value. Initially, set it to non-zero only for
>     Ethernet and loopback. Other protocols can follow in a patch to
>     net-next.
>
>     Fixes: 9ed988cd5915 ("packet: validate variable length ll headers")
>     Reported-by: Sowmini Varadhan <sowmini.varadhan@...cle.com>
>     Signed-off-by: Willem de Bruijn <willemb@...gle.com>
>     Acked-by: Eric Dumazet <edumazet@...gle.com>
>     Acked-by: Sowmini Varadhan <sowmini.varadhan@...cle.com>
>     Signed-off-by: David S. Miller <davem@...emloft.net>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ