lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <10b89a9f-443c-98d1-ca01-add5f6dd3355@nvidia.com>
Date:   Fri, 3 Sep 2021 13:04:10 +0300
From:   Nikolay Aleksandrov <nikolay@...dia.com>
To:     syzbot <syzbot+24b98616278c31afc800@...kaller.appspotmail.com>,
        bridge@...ts.linux-foundation.org, davem@...emloft.net,
        kuba@...nel.org, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, roopa@...dia.com,
        syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] KASAN: slab-out-of-bounds Read in add_del_if

On 03/09/2021 12:03, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    3bdc70669eb2 Merge branch 'devlink-register'

That is an older commit, before my ioctl fixes. I think this issue has been
already fixed by my patch-set:
 commit d15040a33883
 Merge: 4167a960574f 9384eacd80f3
 Author: David S. Miller <davem@...emloft.net>
 Date:   Thu Aug 5 11:36:59 2021 +0100

    Merge branch 'bridge-ioctl-fixes'
    
    Nikolay Aleksandrov says:
    
    ====================
    net: bridge: fix recent ioctl changes
    
    These are three fixes for the recent bridge removal of ndo_do_ioctl
    done by commit ad2f99aedf8f ("net: bridge: move bridge ioctls out of
    .ndo_do_ioctl"). Patch 01 fixes a deadlock of the new bridge ioctl
    hook lock and rtnl by taking a netdev reference and always taking the
    bridge ioctl lock first then rtnl from within the bridge hook.
    Patch 02 fixes old_deviceless() bridge calls device name argument, and
    patch 03 checks in dev_ifsioc()'s SIOCBRADD/DELIF cases if the netdevice is
    actually a bridge before interpreting its private ptr as net_bridge.
    
    Patch 01 was tested by running old bridge-utils commands with lockdep
    enabled. Patch 02 was tested again by using bridge-utils and using the
    respective ioctl calls on a "up" bridge device. Patch 03 was tested by
    using the addif ioctl on a non-bridge device (e.g. loopback).


> git tree:       net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=147a8072300000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=914a8107c0ffdc14
> dashboard link: https://syzkaller.appspot.com/bug?extid=24b98616278c31afc800
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13f4ccc9d00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15b054f4300000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+24b98616278c31afc800@...kaller.appspotmail.com
> 
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in add_del_if+0x13a/0x140 net/bridge/br_ioctl.c:85
> Read of size 8 at addr ffff888019118c88 by task syz-executor790/8443
> 
[snip]
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches
> 

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git d15040a33883

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ