Message-ID: <20180201083418.rfarzrodccdy54xx@gauss3.secunet.de>
Date: Thu, 1 Feb 2018 09:34:18 +0100
From: Steffen Klassert <steffen.klassert@...unet.com>
To: syzbot <syzbot+e1a1577ca8bcb47b769a@...kaller.appspotmail.com>
CC: <davem@...emloft.net>, <herbert@...dor.apana.org.au>,
<linux-kernel@...r.kernel.org>, <netdev@...r.kernel.org>,
<syzkaller-bugs@...glegroups.com>
Subject: Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (4)
On Wed, Jan 31, 2018 at 07:58:01AM -0800, syzbot wrote:
> Hello,
>
> syzbot hit the following crash on upstream commit
> 72906f38934a49faf4d2d38ea9ae32adcf7d5d0c (Tue Jan 30 21:04:50 2018 +0000)
> Merge branch 'x86-hyperv-for-linus' of
> git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
>
> So far this crash happened 4 times on net-next, upstream.
> C reproducer is attached.
> syzkaller reproducer is attached.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
> user-space arch: i386
Looks like we forgot to refuse to insert socket policies
when userspace is 32 bit and kernel is 64 bit. We do this
already for policies inserted with netlink because we don't
have a compat layer for xfrm. This means that userspace
and kernel structures don't match, leading to broken
configurations.
I don't have 32 bit userspace on 64 bit machines, so I
can't test this myself. Can you please test this patch:
Subject: [PATCH RFC] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems
We don't have compat layer for xfrm, so userspace and kernel
structures have different sizes in this case. This results in
a broken configuration, so refuse to configure socket policies
when trying to insert from 32 bit userspace as we do it already
with policies inserted via netlink.
Signed-off-by: Steffen Klassert <steffen.klassert@...unet.com>
---
net/xfrm/xfrm_state.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index a3785f538018..25861a4ef872 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2056,6 +2056,11 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen
struct xfrm_mgr *km;
struct xfrm_policy *pol = NULL;
+#ifdef CONFIG_COMPAT
+ if (in_compat_syscall())
+ return -EOPNOTSUPP;
+#endif
+
if (optlen <= 0 || optlen > PAGE_SIZE)
return -EMSGSIZE;
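Review bot: the new early return at the top of xfrm_user_policy() has no comment explaining why 32-bit callers are refused, and -EOPNOTSUPP from setsockopt() will surprise anyone who hits it from 32-bit code; a one-line comment above the `#ifdef CONFIG_COMPAT` block carrying the rationale from the commit message (no compat layer for xfrm, so userspace and kernel struct layouts differ) would make the intent clear at the call site. Placing the check before the `optlen` validation is fine, since it means a compat caller is rejected consistently regardless of the length passed, which mirrors the netlink behaviour the commit message refers to.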
--
2.14.1