[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CACT4Y+YZVgJiRkQdmw-Oc407u9xg2nzeYstv0QVe40xrDimtUQ@mail.gmail.com>
Date: Tue, 15 Jun 2021 07:51:25 +0200
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Herbert Xu <herbert@...dor.apana.org.au>
Cc: syzbot <syzbot+e4c1dd36fc6b98c50859@...kaller.appspotmail.com>,
David Miller <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
LKML <linux-kernel@...r.kernel.org>,
netdev <netdev@...r.kernel.org>,
Steffen Klassert <steffen.klassert@...unet.com>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: [syzbot] UBSAN: shift-out-of-bounds in xfrm_selector_match
On Tue, Jun 15, 2021 at 7:32 AM Herbert Xu <herbert@...dor.apana.org.au> wrote:
>
> On Thu, Jun 10, 2021 at 12:19:26PM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 13c62f53 net/sched: act_ct: handle DNAT tuple collision
> > git tree: net
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16635470300000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=770708ea7cfd4916
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e4c1dd36fc6b98c50859
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+e4c1dd36fc6b98c50859@...kaller.appspotmail.com
> >
> > UBSAN: shift-out-of-bounds in ./include/net/xfrm.h:838:23
> > shift exponent -64 is negative
> > CPU: 0 PID: 12625 Comm: syz-executor.1 Not tainted 5.13.0-rc3-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> > __dump_stack lib/dump_stack.c:79 [inline]
> > dump_stack+0x141/0x1d7 lib/dump_stack.c:120
> > ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
> > __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
> > addr4_match include/net/xfrm.h:838 [inline]
> > __xfrm4_selector_match net/xfrm/xfrm_policy.c:201 [inline]
> > xfrm_selector_match.cold+0x35/0x3a net/xfrm/xfrm_policy.c:227
> > xfrm_state_look_at+0x16d/0x440 net/xfrm/xfrm_state.c:1022
>
> This appears to be an xfrm_state object with an IPv4 selector
> that somehow has a prefixlen (d or s) of 96.
>
> AFAICS this is not possible through xfrm_user. OTOH it is not
> obvious that af_key is entirely consistent in how it verifies
> the prefix length, in particular, it seems to be possible for
> two addresses with conflicting families to be provided as src/dst.
>
> Can you confirm that this is indeed using af_key (a quick read
> of the syzbot log seems to indicate that this is the case)?
Hi Herbert,
This was triggered by this program and, yes, it creates an AF_KEY socket:
18:01:48 executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
socket$key(0xf, 0x3, 0x2)
bind$inet(r0, &(0x7f00000001c0)={0x2, 0x0, @local}, 0x10)
socketpair$tipc(0x1e, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff,
<r1=>0xffffffffffffffff})
ioctl$TUNSETLINK(r1, 0x8912, 0x400308)
connect$inet(r0, &(0x7f0000000480)={0x2, 0x0, @multicast2}, 0x10)
setsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11,
&(0x7f0000000080)={{{@...=@...4={'\x00', '\xff\xff', @dev},
@in6=@...vate0, 0x0, 0xfffc, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0,
0xee01}, {0x2}, {}, 0x0, 0x0, 0x1}, {{@in, 0x0, 0x32}, 0x0,
@in6=@...pback, 0x0, 0x0, 0x0, 0xb7}}, 0xe8)
socket$key(0xf, 0x3, 0x2)
sendmmsg(r0, &(0x7f0000007fc0), 0x800001d, 0x0)
Powered by blists - more mailing lists