lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CACT4Y+a=R1G=iN2vuv1hkf9JAw3jSjp6fXd6DHrR8tPn4KFgYQ@mail.gmail.com>
Date:   Fri, 18 May 2018 11:14:07 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Hangbin Liu <liuhangbin@...il.com>
Cc:     syzkaller <syzkaller@...glegroups.com>,
        Paolo Abeni <pabeni@...hat.com>,
        Marcelo Ricardo Leitner <mleitner@...hat.com>,
        netdev <netdev@...r.kernel.org>
Subject: Re: general protection fault in qdisc_hash_add

On Fri, May 18, 2018 at 10:38 AM, Hangbin Liu <liuhangbin@...il.com> wrote:
> Hi Dmitry,
>
> I got a kasan GPF error when run netlink sched test. The syzkaller log file
> and call trace attached.
>
> What interested me is the TCA_RED_PARMS. Here is the log
>
> r0 = socket$nl_route(0x10, 0x3, 0x0)
> ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000740)={'lo\x00', <r1=>0x0})
> sendmsg$nl_route_sched(r0, &(0x7f00000000c0)={&(0x7f0000000000)={0x10}, 0xc, &(0x7f0000000180)={&(0x7f00000002c0)=@...qdisc={0x148, 0x24, 0x421, 0x0, 0x0, {0x0, r1, {}, {0x0, 0xffff}}, [@qdisc_kind_options=@...ed={{0x8, 0x1, 'red\x00'}, {0x11c, 0x2, [@TCA_RED_PARMS={0x14, 0x1, {0x0, 0x0, 0x0, 0x1f}}, @TCA_RED_STAB={0x104, 0x2, "18ac558f2dba9315851070f6e8d2533e755bb93a10146fbf3450d1c5096ce5e8e25674655d985acf1dde6c6283858c71ba0c8c2ba63e82d8168ddaccb0e656849ad10cc603fdac12346de63f934064095e194ee7a3d129ccc57b3c15056f2c5b04584fa0986e2e284a1b4d74577f7b61c20772219d7c01a8f2164d27a074a37f6af6ea6415d6d80c578ff5e656f5bedf074b2d38a8b5b119ba1ef5e206952614d9951ef4027a8bc397208890380c6d6a1ec9994cfceef8675ab30395cc0115a850a4a327a00195903f1d6272567b734776754842f7c4d87da1b4cea9a7330329e290b1d7a7bb77f4e87640340c6c6d704655bd351f47a09af6e2f37583ea5b7e"}]}}]}, 0x148}, 0x1}, 0x0)
>
>
> From the log it sendmsg with TCA_RED_PARMS={0x14, 0x1, {0x0, 0x0, 0x0, 0x1f}}.
> But we defined tc_red_qopt like
> tc_red_qopt {
>         limit           int32
>         qth_min         int32
>         qth_max         int32
>         Wlog            int8[0:32]
>         Plog            int8[0:32]
>         Scell_log       int8[0:32]
>         flag            int8[0:8]
> }
>
> The items in the structer seems missmatch. Would you help explain how
> syzkaller fuzz the structer?

TCA_RED_PARMS union option is defined as:

q_red_options [
     TCA_RED_PARMS nlattr[TCA_RED_PARMS, tc_red_qopt]
     ...
] [varlen]

and nlattr is defined as:

type nlattr[TYPE, PAYLOAD] nlattr_t[const[TYPE, int16], PAYLOAD]

type nlattr_t[TYPE, PAYLOAD] {
    nla_len len[parent, int16]
    nla_type TYPE
    payload PAYLOAD
} [packed, align_4]

So here:

@TCA_RED_PARMS={0x14, 0x1, {0x0, 0x0, 0x0, 0x1f}}

first 2 numbers are nlattr len and type, and then the inner struct is
tc_red_qopt with truncated trailing zero values.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ