lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 23 Oct 2022 19:49:44 -0700 From: Eric Dumazet <edumazet@...gle.com> To: syzbot <syzbot+1e9af9185d8850e2c2fa@...kaller.appspotmail.com> Cc: davem@...emloft.net, herbert@...dor.apana.org.au, kuba@...nel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, pabeni@...hat.com, steffen.klassert@...unet.com, syzkaller-bugs@...glegroups.com Subject: Re: [syzbot] kernel BUG in warn_crc32c_csum_combine On Sun, Oct 23, 2022 at 7:37 PM syzbot <syzbot+1e9af9185d8850e2c2fa@...kaller.appspotmail.com> wrote: > > Hello, > > syzbot found the following issue on: > > HEAD commit: 4d48f589d294 Add linux-next specific files for 20221021 > git tree: linux-next > console+strace: https://syzkaller.appspot.com/x/log.txt?x=1224e236880000 > kernel config: https://syzkaller.appspot.com/x/.config?x=2c4b7d600a5739a6 > dashboard link: https://syzkaller.appspot.com/bug?extid=1e9af9185d8850e2c2fa > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16f390f2880000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171f9c8c880000 > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/0c86bd0b39a0/disk-4d48f589.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/074059d37f1f/vmlinux-4d48f589.xz > mounted in repro: https://storage.googleapis.com/syzbot-assets/4a30bce99f60/mount_1.gz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+1e9af9185d8850e2c2fa@...kaller.appspotmail.com > > ------------[ cut here ]------------ > kernel BUG at net/core/skbuff.c:120! > invalid opcode: 0000 [#1] PREEMPT SMP KASAN > CPU: 1 PID: 3637 Comm: syz-executor164 Not tainted 6.1.0-rc1-next-20221021-syzkaller #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 > RIP: 0010:skb_push.cold-0x2/0x24 > Code: f8 4c 8b 4c 24 10 8b 4b 70 41 56 45 89 e8 4c 89 e2 41 57 48 89 ee 48 c7 c7 80 69 d4 8a ff 74 24 10 ff 74 24 20 e8 b2 77 c1 ff <0f> 0b e8 d4 d0 f1 f7 4c 8b 64 24 18 e8 ba 52 3e f8 48 c7 c1 e0 76 > RSP: 0018:ffffc90003e7ee70 EFLAGS: 00010286 > RAX: 0000000000000086 RBX: ffff888079c00280 RCX: 0000000000000000 > RDX: ffff888020a3ba80 RSI: ffffffff81621a58 RDI: fffff520007cfdc0 > RBP: ffffffff8ad47720 R08: 0000000000000086 R09: 0000000000000000 > R10: 0000000080000000 R11: 0000000075626b73 R12: ffffffff883cc6c6 > R13: 0000000000000048 R14: ffffffff8ad46940 R15: 00000000000000c0 > FS: 00007f2b0a939700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007f9f0b184060 CR3: 00000000755db000 CR4: 00000000003506e0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > <TASK> > skb_over_panic net/core/skbuff.c:125 [inline] > warn_crc32c_csum_combine.cold+0x0/0x1d net/core/skbuff.c:2152 > dump_esp_combs net/key/af_key.c:3009 [inline] > pfkey_send_acquire+0x1856/0x2520 net/key/af_key.c:3230 > km_query+0xac/0x220 net/xfrm/xfrm_state.c:2248 > xfrm_state_find+0x2bfe/0x4f10 net/xfrm/xfrm_state.c:1165 > xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2392 [inline] > xfrm_tmpl_resolve+0x2f3/0xd40 net/xfrm/xfrm_policy.c:2437 > xfrm_resolve_and_create_bundle+0x123/0x2580 net/xfrm/xfrm_policy.c:2730 > xfrm_lookup_with_ifid+0x229/0x20f0 net/xfrm/xfrm_policy.c:3064 > xfrm_lookup net/xfrm/xfrm_policy.c:3193 [inline] > xfrm_lookup_route+0x36/0x1e0 net/xfrm/xfrm_policy.c:3204 > ip_route_output_flow+0x114/0x150 net/ipv4/route.c:2880 > udp_sendmsg+0x1963/0x2740 net/ipv4/udp.c:1224 > inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:825 > sock_sendmsg_nosec net/socket.c:714 [inline] > sock_sendmsg+0xcf/0x120 net/socket.c:734 > ____sys_sendmsg+0x334/0x8c0 net/socket.c:2482 > ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 > __sys_sendmmsg+0x18b/0x460 net/socket.c:2622 > __do_sys_sendmmsg net/socket.c:2651 [inline] > __se_sys_sendmmsg net/socket.c:2648 [inline] > __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2648 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > RIP: 0033:0x7f2b0a9adf89 > Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007f2b0a9392f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 > RAX: ffffffffffffffda RBX: 00007f2b0aa334d0 RCX: 00007f2b0a9adf89 > RDX: 000000000800001d RSI: 0000000020007fc0 RDI: 0000000000000003 > RBP: 00007f2b0aa002b8 R08: 0000000000000000 R09: 0000000000000000 > R10: 000000a742250118 R11: 0000000000000246 R12: 00007f2b0aa000b8 > R13: 00007f2b0aa001b8 R14: 0100000000000000 R15: 00007f2b0aa334d8 > </TASK> > Modules linked in: > ---[ end trace 0000000000000000 ]--- > RIP: 0010:skb_push.cold-0x2/0x24 > Code: f8 4c 8b 4c 24 10 8b 4b 70 41 56 45 89 e8 4c 89 e2 41 57 48 89 ee 48 c7 c7 80 69 d4 8a ff 74 24 10 ff 74 24 20 e8 b2 77 c1 ff <0f> 0b e8 d4 d0 f1 f7 4c 8b 64 24 18 e8 ba 52 3e f8 48 c7 c1 e0 76 > RSP: 0018:ffffc90003e7ee70 EFLAGS: 00010286 > RAX: 0000000000000086 RBX: ffff888079c00280 RCX: 0000000000000000 > RDX: ffff888020a3ba80 RSI: ffffffff81621a58 RDI: fffff520007cfdc0 > RBP: ffffffff8ad47720 R08: 0000000000000086 R09: 0000000000000000 > R10: 0000000080000000 R11: 0000000075626b73 R12: ffffffff883cc6c6 > R13: 0000000000000048 R14: ffffffff8ad46940 R15: 00000000000000c0 > FS: 00007f2b0a939700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007fcc1415d300 CR3: 00000000755db000 CR4: 00000000003506e0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > > > --- > This report is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@...glegroups.com. > > syzbot will keep track of this issue. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > syzbot can test patches for this issue, for details see: > https://goo.gl/tpsmEJ#testing-patches pfkey_send_acquire() allocates and skb, and then later this skb seems to be too small to fit all dump info. Maybe ->available status flips during the duration of the call ? (So count_esp_combs() might return a value, but later dump_esp_combs() needs more space) Relevant patch suggests this could happen commit ba953a9d89a00c078b85f4b190bc1dde66fe16b5 Author: Herbert Xu <herbert@...dor.apana.org.au> Date: Thu Aug 4 18:03:46 2022 +0800 af_key: Do not call xfrm_probe_algs in parallel
Powered by blists - more mailing lists