lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Ys+h09nnUY+ql98N@xsang-OptiPlex-9020>
Date:   Thu, 14 Jul 2022 12:55:47 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     sewookseo <sewookseo@...gle.com>
Cc:     0day robot <lkp@...el.com>,
        Maciej Żenczykowski <maze@...gle.com>,
        Eric Dumazet <edumazet@...gle.com>,
        Steffen Klassert <steffen.klassert@...unet.com>,
        Sehee Lee <seheele@...gle.com>,
        LKML <linux-kernel@...r.kernel.org>, netdev@...r.kernel.org,
        lkp@...ts.01.org
Subject: [net]  92a3727452: BUG:KASAN:slab-out-of-bounds_in_tcp_v4_send_reset



Greeting,

FYI, we noticed the following commit (built with gcc-11):

commit: 92a3727452306125178366a58d87e886e194ae64 ("net: Find dst with sk's xfrm policy not ctl_sk")
url: https://github.com/intel-lab-lkp/linux/commits/UPDATE-20220706-143527/Sewook-Seo/net-tcp-Find-dst-with-sk-s-xfrm-policy-not-ctl_sk/20220622-042459

in testcase: hwsim
version: hwsim-x86_64-717e5d7-1_20220525
with following parameters:

	test: group-07
	ucode: 0x21



on test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz with 16G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):



If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[ 132.868237][ C0] BUG: KASAN: slab-out-of-bounds in tcp_v4_send_reset (net/ipv4/tcp_ipv4.c:823) 
[  132.868244][    C0] Read of size 8 at addr ffff888129341308 by task python3/5525
[  132.868246][    C0]
[  132.868248][    C0] CPU: 0 PID: 5525 Comm: python3 Tainted: G S                5.19.0-rc2-00127-g92a372745230 #1
[  132.868251][    C0] Hardware name:  /DZ77BH-55K, BIOS BHZ7710H.86A.0097.2012.1228.1346 12/28/2012
[  132.868253][    C0] Call Trace:
[  132.868255][    C0]  <IRQ>
[ 132.868256][ C0] ? tcp_v4_send_reset (net/ipv4/tcp_ipv4.c:823) 
[ 132.868259][ C0] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) 
[ 132.868263][ C0] print_address_description+0x1f/0x200 
[ 132.868268][ C0] ? tcp_v4_send_reset (net/ipv4/tcp_ipv4.c:823) 
[ 132.868270][ C0] print_report.cold (mm/kasan/report.c:430) 
[ 132.868274][ C0] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
[ 132.868277][ C0] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493) 
[ 132.868281][ C0] ? tcp_v4_send_reset (net/ipv4/tcp_ipv4.c:823) 
[ 132.868283][ C0] tcp_v4_send_reset (net/ipv4/tcp_ipv4.c:823) 
[ 132.868286][ C0] ? tcp_req_err (net/ipv4/tcp_ipv4.c:669) 
[ 132.868288][ C0] ? tcp_check_req (net/ipv4/tcp_minisocks.c:87) 
[ 132.868291][ C0] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
[ 132.868293][ C0] ? memmove (mm/kasan/shadow.c:54 (discriminator 1)) 
[ 132.868297][ C0] ? tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2157) 
[ 132.868299][ C0] tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2157) 
[ 132.868302][ C0] ? tcp_v4_early_demux (net/ipv4/tcp_ipv4.c:1916) 
[ 132.868304][ C0] ? kernel_text_address (kernel/extable.c:97 kernel/extable.c:94) 
[ 132.868308][ C0] ? __kernel_text_address (kernel/extable.c:79) 
[ 132.868311][ C0] ? unwind_get_return_address (arch/x86/kernel/unwind_orc.c:318 arch/x86/kernel/unwind_orc.c:313) 
[ 132.868315][ C0] ? create_prof_cpu_mask (kernel/stacktrace.c:83) 
[ 132.868319][ C0] ? arch_stack_walk (arch/x86/kernel/stacktrace.c:26) 
[ 132.868323][ C0] ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) 
[ 132.868327][ C0] ip_local_deliver_finish (arch/x86/include/asm/preempt.h:85 include/linux/rcupdate.h:73 include/linux/rcupdate.h:727 net/ipv4/ip_input.c:234) 
[ 132.868329][ C0] ? stack_trace_save (kernel/stacktrace.c:123) 
[ 132.868332][ C0] ip_local_deliver (net/ipv4/ip_input.c:243) 
[ 132.868334][ C0] ? ip_local_deliver_finish (net/ipv4/ip_input.c:243) 
[ 132.868337][ C0] ? net_rx_action (net/core/dev.c:6634 net/core/dev.c:6657) 
[ 132.868340][ C0] ? memset (mm/kasan/shadow.c:44) 
[ 132.868343][ C0] ? ip_rcv_core (net/ipv4/ip_input.c:524) 
[ 132.868346][ C0] ip_rcv (include/net/dst.h:461 net/ipv4/ip_input.c:437 include/linux/netfilter.h:307 include/linux/netfilter.h:301 net/ipv4/ip_input.c:557) 
[ 132.868348][ C0] ? ip_rcv_finish (net/ipv4/ip_input.c:550) 
[ 132.868350][ C0] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
[ 132.868353][ C0] ? _raw_write_lock_irq (kernel/locking/spinlock.c:153) 
[ 132.868355][ C0] ? ip_rcv_finish (net/ipv4/ip_input.c:550) 
[ 132.868357][ C0] __netif_receive_skb_one_core (net/core/dev.c:5480 (discriminator 4)) 
[ 132.868360][ C0] ? __netif_receive_skb_list_core (net/core/dev.c:5473) 
[ 132.868363][ C0] ? _raw_spin_lock_irq (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:120 kernel/locking/spinlock.c:170) 
[ 132.868365][ C0] ? cpumask_next_and (lib/cpumask.c:42) 
[ 132.868369][ C0] process_backlog (include/linux/netdevice.h:3151 net/core/dev.c:5924) 
[ 132.868371][ C0] ? timerqueue_add (lib/timerqueue.c:40) 
[ 132.868374][ C0] __napi_poll (net/core/dev.c:6488) 
[ 132.868377][ C0] net_rx_action (net/core/dev.c:6557 net/core/dev.c:6666) 
[ 132.868380][ C0] ? napi_threaded_poll (net/core/dev.c:6642) 
[ 132.868382][ C0] ? var_wake_function (kernel/sched/clock.c:364) 
[ 132.868385][ C0] ? sched_clock_cpu (kernel/sched/clock.c:364) 
[ 132.868387][ C0] ? __sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:484) 
[ 132.868392][ C0] ? clockevents_program_event (kernel/time/clockevents.c:336 (discriminator 3)) 
[ 132.868396][ C0] __do_softirq (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 include/trace/events/irq.h:142 kernel/softirq.c:572) 
[ 132.868399][ C0] do_softirq (kernel/softirq.c:472 kernel/softirq.c:459) 
[  132.868402][    C0]  </IRQ>
[  132.868403][    C0]  <TASK>
[ 132.868404][ C0] __local_bh_enable_ip (kernel/softirq.c:396) 
[ 132.868406][ C0] ip_finish_output2 (net/ipv4/ip_output.c:195) 
[ 132.868409][ C0] ? __kernel_text_address (kernel/extable.c:79) 
[ 132.868412][ C0] ? unwind_get_return_address (arch/x86/kernel/unwind_orc.c:318 arch/x86/kernel/unwind_orc.c:313) 
[ 132.868415][ C0] ? create_prof_cpu_mask (kernel/stacktrace.c:83) 
[ 132.868417][ C0] ? arch_stack_walk (arch/x86/kernel/stacktrace.c:26) 
[ 132.868420][ C0] ? ip_setup_cork (net/ipv4/ip_output.c:195) 
[ 132.868423][ C0] ? __ip_finish_output (include/linux/skbuff.h:1739 include/linux/skbuff.h:4977 net/ipv4/ip_output.c:300 net/ipv4/ip_output.c:288) 
[ 132.868425][ C0] ip_output (net/ipv4/ip_output.c:422) 
[ 132.868428][ C0] ? ip_finish_output (net/ipv4/ip_output.c:422) 
[ 132.868431][ C0] __ip_queue_xmit (arch/x86/include/asm/preempt.h:85 include/linux/rcupdate.h:73 include/linux/rcupdate.h:727 net/ipv4/ip_output.c:533) 
[ 132.868434][ C0] ? __tcp_select_window (arch/x86/include/asm/atomic.h:29 include/linux/atomic/atomic-instrumented.h:28 include/net/tcp.h:1434 net/ipv4/tcp_output.c:2957) 
[ 132.868437][ C0] ? __skb_clone (arch/x86/include/asm/atomic.h:95 (discriminator 4) include/linux/atomic/atomic-instrumented.h:191 (discriminator 4) net/core/skbuff.c:1082 (discriminator 4)) 
[ 132.868441][ C0] __tcp_transmit_skb (net/ipv4/tcp_output.c:1405 (discriminator 4)) 
[ 132.868444][ C0] ? __tcp_select_window (net/ipv4/tcp_output.c:1242) 
[ 132.868447][ C0] ? _copy_from_iter (lib/iov_iter.c:767 (discriminator 8)) 
[ 132.868451][ C0] tcp_write_xmit (net/ipv4/tcp_output.c:2693) 
[ 132.868455][ C0] ? skb_do_copy_data_nocache (include/linux/uio.h:171 include/linux/uio.h:177 include/net/sock.h:2204) 
[ 132.868459][ C0] ? tcp_alloc_md5sig_pool (include/net/sock.h:2195) 
[ 132.868462][ C0] ? skb_page_frag_refill (arch/x86/include/asm/atomic.h:29 include/linux/atomic/atomic-instrumented.h:28 include/linux/page_ref.h:67 net/core/sock.c:2773) 
[ 132.868465][ C0] __tcp_push_pending_frames (net/ipv4/tcp_output.c:2877) 
[ 132.868469][ C0] tcp_sendmsg_locked (net/ipv4/tcp.c:1420) 
[ 132.868472][ C0] ? _raw_spin_lock (kernel/locking/spinlock.c:177) 
[ 132.868474][ C0] ? tcp_sendpage (net/ipv4/tcp.c:1192) 
[ 132.868476][ C0] ? _raw_spin_lock_bh (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:127 kernel/locking/spinlock.c:178) 
[ 132.868478][ C0] ? _raw_spin_lock (kernel/locking/spinlock.c:177) 
[ 132.868480][ C0] ? __cond_resched (kernel/sched/core.c:8217) 
[ 132.868483][ C0] ? inet_send_prepare (net/ipv4/af_inet.c:813) 
[ 132.868486][ C0] tcp_sendmsg (net/ipv4/tcp.c:1449) 
[ 132.868489][ C0] sock_sendmsg (net/socket.c:714 net/socket.c:734) 
[ 132.868491][ C0] __sys_sendto (net/socket.c:2119) 
[ 132.868494][ C0] ? __ia32_sys_getpeername (net/socket.c:2090) 
[ 132.868498][ C0] ? nsec_to_clock_t (kernel/time/time.c:767) 
[ 132.868501][ C0] ? __sys_getsockopt (net/socket.c:2299) 
[ 132.868504][ C0] ? __x64_sys_poll (fs/select.c:1082 fs/select.c:1068 fs/select.c:1068) 
[ 132.868507][ C0] ? __ia32_sys_poll (fs/select.c:1068) 
[ 132.868510][ C0] __x64_sys_sendto (net/socket.c:2127) 
[ 132.868512][ C0] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 132.868516][ C0] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115) 
[  132.868519][    C0] RIP: 0033:0x7f706977044c
[ 132.868523][ C0] Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 19 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 64 c3 0f 1f 00 55 48 83 ec 20 48 89 54 24 10
All code
========
   0:	89 02                	mov    %eax,(%rdx)
   2:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
   9:	eb b5                	jmp    0xffffffffffffffc0
   b:	0f 1f 00             	nopl   (%rax)
   e:	41 89 ca             	mov    %ecx,%r10d
  11:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  18:	00 
  19:	85 c0                	test   %eax,%eax
  1b:	75 19                	jne    0x36
  1d:	45 31 c9             	xor    %r9d,%r9d
  20:	45 31 c0             	xor    %r8d,%r8d
  23:	b8 2c 00 00 00       	mov    $0x2c,%eax
  28:	0f 05                	syscall 
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 64                	ja     0x96
  32:	c3                   	retq   
  33:	0f 1f 00             	nopl   (%rax)
  36:	55                   	push   %rbp
  37:	48 83 ec 20          	sub    $0x20,%rsp
  3b:	48 89 54 24 10       	mov    %rdx,0x10(%rsp)

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 64                	ja     0x6c
   8:	c3                   	retq   
   9:	0f 1f 00             	nopl   (%rax)
   c:	55                   	push   %rbp
   d:	48 83 ec 20          	sub    $0x20,%rsp
  11:	48 89 54 24 10       	mov    %rdx,0x10(%rsp)


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://01.org/lkp



View attachment "config-5.19.0-rc2-00127-g92a372745230" of type "text/plain" (167550 bytes)

View attachment "job-script" of type "text/plain" (5975 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (77956 bytes)

View attachment "hwsim" of type "text/plain" (63043 bytes)

View attachment "job.yaml" of type "text/plain" (4651 bytes)

View attachment "reproduce" of type "text/plain" (3511 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ