Message-ID: <CACT4Y+Z6f4aOxMZW44WXdYEyDJbGBYLnjKsHBXfK800h+EkrxA@mail.gmail.com>
Date:   Mon, 27 Mar 2017 14:42:41 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     David Ahern <dsa@...ulusnetworks.com>
Cc:     Eric Dumazet <eric.dumazet@...il.com>,
        Mahesh Bandewar <maheshb@...gle.com>,
        Eric Dumazet <edumazet@...gle.com>,
        David Miller <davem@...emloft.net>,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        James Morris <jmorris@...ei.org>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        Patrick McHardy <kaber@...sh.net>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Cong Wang <xiyou.wangcong@...il.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On Wed, Mar 8, 2017 at 12:55 PM, Dmitry Vyukov <dvyukov@...gle.com> wrote:
> On Tue, Mar 7, 2017 at 9:00 PM, Dmitry Vyukov <dvyukov@...gle.com> wrote:
>> On Tue, Mar 7, 2017 at 8:30 PM, Dmitry Vyukov <dvyukov@...gle.com> wrote:
>>>>> On 3/7/17 11:13 AM, Dmitry Vyukov wrote:
>>>>>>> on this warning:
>>>>>>>
>>>>>>> /* dst.next really should not be set at this point */
>>>>>>> if (rt->dst.next && rt->dst.next->ops->family != AF_INET6) {
>>>>>>>         pr_warn("fib6_add: adding rt with bad next -- family %d dst flags %x\n",
>>>>>>>                 rt->dst.next->ops->family, rt->dst.next->flags);
>>>>>>>
>>>>>>>         WARN_ON(1);
>>>>>>> }
>>>>>>>
>>>>>>> You should have seen the pr_warn in the log preceding the WARN_ON dump.
>>>>>>
>>>>>> Right. They all have the same "IPv6: fib6_add: adding rt with bad next
>>>>>> -- family 2 dst flags 6"
>>>>>
>>>>> remove the previous changes and try the attached.
>>>>
>>>>
>>>> Doing this now.
>>>> FWIW I've also applied your last patch with missing "iter->dst.flags
>>>> &= ~DST_IN_FIB;" and restored the warning in rt6_rcu_free and it did
>>>> not fire (in a limited run). I only saw the "WARNING in fib6_add" that
>>>> I already reported.
>>>
>>>
>>> So far I've hit only:
>>> [ 1103.840031] BUG: KASAN: slab-out-of-bounds in fib6_age+0x3fd/0x480 at addr ffff8800799d2254
>>> without any preceding warnings.
>>> But note that since the kernel is heavily stressed I can reliably get
>>> any pr_err output if it happens right before BUG/WARNING. Anything
>>> that happens minutes before will be lost because there are tons of
>>> output.
>>
>>
>>
>> So far 6 "KASAN: slab-out-of-bounds Read in fib6_age" but no other warnings.
>
>
> I've got a bunch of the crashes that I was getting previously, but no
> new warnings.



A friendly ping. This still happens all the time for us.

I also see the following warning, not sure if it's related or not:

on 0dc82fa59b9d82469799c354d3307d48e13d5d5e:

#if RT6_DEBUG >= 2
        if (rt->dst.obsolete > 0) {
                WARN_ON(fn);
                return -ENOENT;
        }
#endif

------------[ cut here ]------------
WARNING: CPU: 1 PID: 23535 at net/ipv6/ip6_fib.c:1472 fib6_del+0x923/0x14d0 net/ipv6/ip6_fib.c:1472
CPU: 1 PID: 23535 Comm: syz-executor3 Not tainted 4.11.0-rc3+ #517
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x2ee/0x3ef lib/dump_stack.c:52
 panic+0x1fb/0x412 kernel/panic.c:180
 __warn+0x1c4/0x1e0 kernel/panic.c:541
 warn_slowpath_null+0x2c/0x40 kernel/panic.c:584
 fib6_del+0x923/0x14d0 net/ipv6/ip6_fib.c:1472
 __ip6_del_rt+0x100/0x160 net/ipv6/route.c:2153
 ip6_del_rt+0x140/0x1b0 net/ipv6/route.c:2166
 __ipv6_ifa_notify+0x269/0x780 net/ipv6/addrconf.c:5506
 ipv6_ifa_notify+0xdf/0x1d0 net/ipv6/addrconf.c:5518
 ipv6_del_addr+0x62b/0xa80 net/ipv6/addrconf.c:1175
 inet6_addr_del+0x348/0x5b0 net/ipv6/addrconf.c:2853
 addrconf_del_ifaddr+0x154/0x1e0 net/ipv6/addrconf.c:2898
 inet6_ioctl+0x86/0x1e0 net/ipv6/af_inet6.c:525
 sock_do_ioctl+0x65/0xb0 net/socket.c:906
 sock_ioctl+0x2c2/0x440 net/socket.c:1004
 vfs_ioctl fs/ioctl.c:45 [inline]
 do_vfs_ioctl+0x1bf/0x1790 fs/ioctl.c:685
 SYSC_ioctl fs/ioctl.c:700 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
 entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x44fb79
RSP: 002b:00007f4b299bfb58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000008936 RCX: 000000000044fb79
RDX: 0000000020000000 RSI: 0000000000008936 RDI: 000000000000001a
RBP: 000000000000001a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000708000
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
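The thread tallies repeated hits ("6 KASAN: slab-out-of-bounds Read in fib6_age") and notes that only pr_warn output printed right before a BUG/WARNING reliably survives in a heavily stressed kernel's log. The script below is an added example written for this page, not code from the thread, from syzkaller or from the kernel. It parses raw kernel log text into structured reports, keys each report on a syzkaller-style title so duplicates collapse into one bucket, picks the first non-infrastructure frame of the call trace as the culprit function, and keeps the few lines preceding each report so an adjacent pr_warn (such as the "fib6_add: adding rt with bad next" message) is retained with it. The sample log is constructed from lines quoted in the thread; the KASAN call-trace frames, the access size and the second fault address are placeholders.

```python
"""Kernel crash-report triage: parse KASAN/WARNING reports and dedup them.

Added example for this page; not kernel or syzkaller code.
"""
import re
from collections import Counter, deque
from dataclasses import dataclass, field

# Leading "[ 1103.840031] " timestamp that dmesg/printk prepends.
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
# "BUG: KASAN: slab-out-of-bounds in fib6_age+0x3fd/0x480 at addr ..."
KASAN_RE = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
)
# Older KASAN prints the access on the next line: "Read of size 4 by task ..."
ACCESS_RE = re.compile(r"^(?P<access>Read|Write) of size (?P<size>\d+)")
# "WARNING: CPU: 1 PID: 23535 at net/ipv6/ip6_fib.c:1472 fib6_del+0x923/0x14d0 ..."
WARN_RE = re.compile(
    r"WARNING: CPU: \d+ PID: \d+ at (?P<loc>[\w/.-]+:\d+)(?:\s+(?P<func>[\w.]+)\+0x)?"
)
# Call-trace frame: " fib6_del+0x923/0x14d0 net/ipv6/ip6_fib.c:1472" or an
# "[inline]" frame such as " __dump_stack lib/dump_stack.c:16 [inline]".
FRAME_RE = re.compile(
    r"^\s+(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(?P<loc>[\w/.-]+:\d+)"
)
# Reporting/unwinding infrastructure that never is the buggy function.
SKIP_FRAMES = ("__dump_stack", "dump_stack", "panic", "__warn", "warn_slowpath",
               "kasan_", "__asan", "print_address", "report_")


@dataclass
class Report:
    kind: str                 # "KASAN" or "WARNING"
    bug: str                  # KASAN bug class, or file:line for a WARNING
    func: str                 # function named in the report header ("" if absent)
    access: str = ""          # "Read"/"Write" for KASAN when the log says so
    frames: list = field(default_factory=list)   # (function, file:line) pairs
    context: list = field(default_factory=list)  # log lines just before the report

    @property
    def title(self) -> str:
        """syzkaller-style dedup key, e.g. 'KASAN: slab-out-of-bounds Read in fib6_age'."""
        func = self.func or self.culprit() or "?"
        if self.kind == "KASAN":
            access = f" {self.access}" if self.access else ""
            return f"KASAN: {self.bug}{access} in {func}"
        return f"WARNING in {func}"

    def culprit(self) -> str:
        """First call-trace frame that is not dump/warn/KASAN plumbing."""
        for func, _loc in self.frames:
            if not func.startswith(SKIP_FRAMES):
                return func
        return self.func


def parse_reports(log: str, context_lines: int = 5) -> list:
    """Split raw kernel log text into Report objects, in log order."""
    reports, current, in_trace = [], None, False
    recent = deque(maxlen=context_lines)
    for raw in log.splitlines():
        line = TS_RE.sub("", raw)
        m = KASAN_RE.search(line)
        if m:
            current = Report("KASAN", m["kind"], m["func"], context=list(recent))
            reports.append(current)
            in_trace = False
        elif (m := WARN_RE.search(line)):
            current = Report("WARNING", m["loc"], m["func"] or "", context=list(recent))
            reports.append(current)
            in_trace = False
        elif current is not None:
            a = ACCESS_RE.match(line)
            if a and current.kind == "KASAN" and not current.access:
                current.access = a["access"]
            elif line.startswith("Call Trace:"):
                in_trace = True
            elif in_trace:
                f = FRAME_RE.match(line)
                if f:
                    current.frames.append((f["func"], f["loc"]))
                else:
                    in_trace = False  # first non-frame line ends the trace
        recent.append(line)
    return reports


def triage(log: str) -> Counter:
    """Count reports per dedup title, the way one tallies '6 hits in fib6_age'."""
    return Counter(r.title for r in parse_reports(log))


# Constructed sample log built from lines quoted in the thread. The KASAN
# frames, "size 4" and the second fault address are placeholders.
SAMPLE_LOG = """\
[ 1103.839900] IPv6: fib6_add: adding rt with bad next -- family 2 dst flags 6
[ 1103.840031] BUG: KASAN: slab-out-of-bounds in fib6_age+0x3fd/0x480 at addr ffff8800799d2254
[ 1103.840031] Read of size 4 by task syz-executor3/23535
[ 1103.840031] Call Trace:
[ 1103.840031]  __dump_stack lib/dump_stack.c:16 [inline]
[ 1103.840031]  dump_stack+0x2ee/0x3ef lib/dump_stack.c:52
[ 1103.840031]  kasan_report.part.2+0x1f8/0x4c0 mm/kasan/report.c:371
[ 1103.840031]  fib6_age+0x3fd/0x480 net/ipv6/ip6_fib.c:1690
[ 1103.840031]  fib6_clean_node+0x1b6/0x3e0 net/ipv6/ip6_fib.c:1612
[ 1103.840031] Memory state around the buggy address:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 23535 at net/ipv6/ip6_fib.c:1472 fib6_del+0x923/0x14d0 net/ipv6/ip6_fib.c:1472
CPU: 1 PID: 23535 Comm: syz-executor3 Not tainted 4.11.0-rc3+ #517
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x2ee/0x3ef lib/dump_stack.c:52
 panic+0x1fb/0x412 kernel/panic.c:180
 __warn+0x1c4/0x1e0 kernel/panic.c:541
 warn_slowpath_null+0x2c/0x40 kernel/panic.c:584
 fib6_del+0x923/0x14d0 net/ipv6/ip6_fib.c:1472
 __ip6_del_rt+0x100/0x160 net/ipv6/route.c:2153
RIP: 0033:0x44fb79
[ 1104.120000] BUG: KASAN: slab-out-of-bounds in fib6_age+0x3fd/0x480 at addr ffff88006a3c1124
[ 1104.120000] Read of size 4 by task syz-executor1/23612
"""

if __name__ == "__main__":
    for r in parse_reports(SAMPLE_LOG):
        print(r.title, "| culprit:", r.culprit(), "| context:", r.context[-1:] )
    print(dict(triage(SAMPLE_LOG)))
```

Run it on a saved console log instead of SAMPLE_LOG to get one line per distinct title plus a count; the `context` field is where to look for a pr_warn that fired immediately before the BUG, which, as the thread notes, is the only window in which such output can be trusted to survive the stress load.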
