| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <31f441a7-9bc8-b087-26ce-5e7c1910b388@gmail.com>
Date: Fri, 30 Nov 2018 08:59:09 -0700
From: David Ahern <dsahern@...il.com>
To: Eric Dumazet <edumazet@...gle.com>,
Ido Schimmel <idosch@...sch.org>
Cc: David Miller <davem@...emloft.net>,
netdev <netdev@...r.kernel.org>,
Eric Dumazet <eric.dumazet@...il.com>,
syzkaller@...glegroups.com, idosch@...lanox.com
Subject: Re: [PATCH net] rtnetlink: Refine sanity checks in rtnl_fdb_{add|del}
On 11/30/18 8:14 AM, Eric Dumazet wrote:
>
> // autogenerated by syzkaller (https://github.com/google/syzkaller)
>
> #define _GNU_SOURCE
>
> #include <arpa/inet.h>
> #include <endian.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <net/if_arp.h>
> #include <sched.h>
> #include <stdarg.h>
> #include <stdbool.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/ioctl.h>
> #include <sys/mount.h>
> #include <sys/prctl.h>
> #include <sys/resource.h>
> #include <sys/stat.h>
> #include <sys/syscall.h>
> #include <sys/time.h>
> #include <sys/types.h>
> #include <sys/uio.h>
> #include <sys/wait.h>
> #include <unistd.h>
>
> #include <linux/if.h>
> #include <linux/if_ether.h>
> #include <linux/if_tun.h>
> #include <linux/ip.h>
> #include <linux/tcp.h>
>
> static void vsnprintf_check(char* str, size_t size, const char* format,
> va_list args)
> {
> int rv;
> rv = vsnprintf(str, size, format, args);
> if (rv < 0)
> exit(1);
> if ((size_t)rv >= size)
> exit(1);
> }
>
> #define COMMAND_MAX_LEN 128
> #define PATH_PREFIX \
> "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
> #define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1)
>
> static void execute_command(bool panic, const char* format, ...)
> {
> va_list args;
> char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN];
> int rv;
> va_start(args, format);
> memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN);
> vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args);
> va_end(args);
> rv = system(command);
> if (rv) {
> if (panic)
> exit(1);
> }
> }
>
> #define DEV_IPV4 "172.20.20.%d"
> #define DEV_IPV6 "fe80::%02hx"
> #define DEV_MAC "aa:aa:aa:aa:aa:%02hx"
>
> static void snprintf_check(char* str, size_t size, const char* format, ...)
> {
> va_list args;
> va_start(args, format);
> vsnprintf_check(str, size, format, args);
> va_end(args);
> }
> static void initialize_netdevices(void)
> {
> unsigned i;
> const char* devtypes[] = {"ip6gretap", "bridge", "vcan", "bond", "team"};
> const char* devnames[] = {"lo",
> "sit0",
> "bridge0",
> "vcan0",
> "tunl0",
> "gre0",
> "gretap0",
> "ip_vti0",
> "ip6_vti0",
> "ip6tnl0",
> "ip6gre0",
> "ip6gretap0",
> "erspan0",
> "bond0",
> "veth0",
> "veth1",
> "team0",
> "veth0_to_bridge",
> "veth1_to_bridge",
> "veth0_to_bond",
> "veth1_to_bond",
> "veth0_to_team",
> "veth1_to_team"};
> const char* devmasters[] = {"bridge", "bond", "team"};
> for (i = 0; i < sizeof(devtypes) / (sizeof(devtypes[0])); i++)
> execute_command(0, "ip link add dev %s0 type %s", devtypes[i], devtypes[i]);
> execute_command(0, "ip link add type veth");
> for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
> execute_command(
> 0, "ip link add name %s_slave_0 type veth peer name veth0_to_%s",
> devmasters[i], devmasters[i]);
> execute_command(
> 0, "ip link add name %s_slave_1 type veth peer name veth1_to_%s",
> devmasters[i], devmasters[i]);
> execute_command(0, "ip link set %s_slave_0 master %s0", devmasters[i],
> devmasters[i]);
> execute_command(0, "ip link set %s_slave_1 master %s0", devmasters[i],
> devmasters[i]);
> execute_command(0, "ip link set veth0_to_%s up", devmasters[i]);
> execute_command(0, "ip link set veth1_to_%s up", devmasters[i]);
> }
> execute_command(0, "ip link set bridge_slave_0 up");
> execute_command(0, "ip link set bridge_slave_1 up");
> for (i = 0; i < sizeof(devnames) / (sizeof(devnames[0])); i++) {
> char addr[32];
> snprintf_check(addr, sizeof(addr), DEV_IPV4, i + 10);
> execute_command(0, "ip -4 addr add %s/24 dev %s", addr, devnames[i]);
> snprintf_check(addr, sizeof(addr), DEV_IPV6, i + 10);
> execute_command(0, "ip -6 addr add %s/120 dev %s", addr, devnames[i]);
> snprintf_check(addr, sizeof(addr), DEV_MAC, i + 10);
> execute_command(0, "ip link set dev %s address %s", devnames[i], addr);
> execute_command(0, "ip link set dev %s up", devnames[i]);
> }
> }
>
> static void setup_common()
> {
> if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
> }
> }
>
> static void loop();
>
> static void sandbox_common()
> {
> prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
> setpgrp();
> setsid();
> struct rlimit rlim;
> rlim.rlim_cur = rlim.rlim_max = 200 << 20;
> setrlimit(RLIMIT_AS, &rlim);
> rlim.rlim_cur = rlim.rlim_max = 32 << 20;
> setrlimit(RLIMIT_MEMLOCK, &rlim);
> rlim.rlim_cur = rlim.rlim_max = 136 << 20;
> setrlimit(RLIMIT_FSIZE, &rlim);
> rlim.rlim_cur = rlim.rlim_max = 1 << 20;
> setrlimit(RLIMIT_STACK, &rlim);
> rlim.rlim_cur = rlim.rlim_max = 0;
> setrlimit(RLIMIT_CORE, &rlim);
> rlim.rlim_cur = rlim.rlim_max = 256;
> setrlimit(RLIMIT_NOFILE, &rlim);
> if (unshare(CLONE_NEWNS)) {
> }
> if (unshare(CLONE_NEWIPC)) {
> }
> if (unshare(0x02000000)) {
> }
> if (unshare(CLONE_NEWUTS)) {
> }
> if (unshare(CLONE_SYSVSEM)) {
> }
> }
>
> int wait_for_loop(int pid)
> {
> if (pid < 0)
> exit(1);
> int status = 0;
> while (waitpid(-1, &status, __WALL) != pid) {
> }
> return WEXITSTATUS(status);
> }
>
> static int do_sandbox_none(void)
> {
> if (unshare(CLONE_NEWPID)) {
> }
> int pid = fork();
> if (pid != 0)
> return wait_for_loop(pid);
> setup_common();
> sandbox_common();
> if (unshare(CLONE_NEWNET)) {
> }
> initialize_netdevices();
> loop();
> exit(1);
> }
>
> uint64_t r[1] = {0xffffffffffffffff};
>
> void loop(void)
> {
> long res = 0;
> res = syscall(__NR_socket, 0x10, 0x100000002, 0);
> if (res != -1)
> r[0] = res;
> *(uint64_t*)0x20000080 = 0;
> *(uint32_t*)0x20000088 = 0;
> *(uint64_t*)0x20000090 = 0x20000000;
> *(uint64_t*)0x20000000 = 0x200000c0;
> memcpy((void*)0x200000c0, "\x23\x00\x00\x00\x1e\x00\x81\xae\xe4\x05\x0c\x00"
> "\x00\x0f\x00\xfe\x07\x01\x01\x00\x00\x00\x00\x00"
> "\x63\xda\xc3\x7b\x74\x03\x24\x21\x89\xc6\x09",
> 35);
> *(uint64_t*)0x20000008 = 0x23;
> *(uint64_t*)0x20000098 = 1;
> *(uint64_t*)0x200000a0 = 0;
> *(uint64_t*)0x200000a8 = 0;
> *(uint32_t*)0x200000b0 = 0;
> syscall(__NR_sendmsg, r[0], 0x20000080, 0);
> *(uint64_t*)0x200005c0 = 0;
> *(uint32_t*)0x200005c8 = 0;
> *(uint64_t*)0x200005d0 = 0x20000040;
> *(uint64_t*)0x20000040 = 0x20000380;
> *(uint64_t*)0x20000048 = 0x69;
> *(uint64_t*)0x20000050 = 0;
> *(uint64_t*)0x20000058 = 0;
> *(uint64_t*)0x200005d8 = 2;
> *(uint64_t*)0x200005e0 = 0;
> *(uint64_t*)0x200005e8 = 0;
> *(uint32_t*)0x200005f0 = 0;
> syscall(__NR_recvmsg, r[0], 0x200005c0, 0x40);
> }
> int main(void)
> {
> syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
> do_sandbox_none();
> return 0;
> }
>
This does not repro for me:
# ./a.out
Invalid address length 6 - must be 4 bytes
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
Invalid address length 6 - must be 4 bytes
Invalid address length 6 - must be 4 bytes
Invalid address length 6 - must be 4 bytes
Invalid address length 6 - must be 16 bytes
Invalid address length 6 - must be 16 bytes
Invalid address length 6 - must be 16 bytes
config available>?
Powered by blists - more mailing lists