[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230525081558.38ee5cde@hermes.local>
Date: Thu, 25 May 2023 08:15:58 -0700
From: Stephen Hemminger <stephen@...workplumber.org>
To: netdev@...r.kernel.org
Cc: bugzilla-daemon@...nel.org
Subject: Re: [Bug 217486] New: 'doubel fault' in if_nlmsg_size func by
syz-executor fuzz
Not much info in this bug report.
Blaming if_nlmsg_size() is not right, something is passing bogus data.
On Thu, 25 May 2023 12:40:12 +0000
bugzilla-daemon@...nel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=217486
>
> Bug ID: 217486
> Summary: 'doubel fault' in if_nlmsg_size func by syz-executor
> fuzz
> Product: Networking
> Version: 2.5
> Hardware: All
> OS: Linux
> Status: NEW
> Severity: normal
> Priority: P3
> Component: IPV4
> Assignee: stephen@...workplumber.org
> Reporter: 13151562558@....com
> Regression: No
>
> in syz-executor fuzz test, system panic in "double fault" err.
> by the kernel log, only get one dump stack info, "if_nlmsg_size+0x4ea/0x7c0".
> I have vmcore, but don't know how to debug "double fault"? what't first fault ?
>
> if_nlmsg_size+0x4ea/0x7c0 code:
> ```
> static noinline size_t if_nlmsg_size(const struct net_device *dev,
> u32 ext_filter_mask)
> {
> return NLMSG_ALIGN(sizeof(struct ifinfomsg))
> + nla_total_size(IFNAMSIZ) /* IFLA_IFNAME */
> + nla_total_size(IFALIASZ) /* IFLA_IFALIAS */
>
> + nla_total_size(4) /* IFLA_MIN_MTU */
> + nla_total_size(4) /* IFLA_MAX_MTU */
> + rtnl_prop_list_size(dev) // this
> line;if_nlmsg_size+0x4ea/0x7c0
> + nla_total_size(MAX_ADDR_LEN) /* IFLA_PERM_ADDRESS */
> + 0;
> }
> ```
>
> dis the code of dump stack, like this:
> /include/linux/list.h:
> <if_nlmsg_size+1325>: mov %rbp,%rdx
> <if_nlmsg_size+1328>: shr $0x3,%rdx
> <if_nlmsg_size+1332>: cmpb $0x0,(%rdx,%rax,1)
> <if_nlmsg_size+1336>: jne 0xffffffff8a5b86a6 <if_nlmsg_size+1766>
> <if_nlmsg_size+1342>: mov 0x10(%r15),%rax
> <if_nlmsg_size+1346>: cmp %rax,%rbp
> <if_nlmsg_size+1349>: je 0xffffffff8a5b8659 <if_nlmsg_size+1689>
>
>
> kernel log:
> [ 3213.317259] CPU: 1 PID: 1830 Comm: syz-executor.6 Tainted: G D
> 5.10.0 #1
> [ 3213.317404] RIP: 0010:if_nlmsg_size+0x53e/0x7c0
> [ 3213.317415] Code: 00 0f 85 2e 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
> 7b 10 49 8d 6f 10 48 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 a8 01 00 00 <49> 8b 47
> 10 48 39 c5 0f 84 4e 01 00 00 e8 90 ff 1a f7 48 89 ea 48
> [ 3213.317420] RSP: 0018:ffff88809f4ca570 EFLAGS: 00010246
> [ 3213.317428] RAX: dffffc0000000000 RBX: ffff88803767c000 RCX:
> ffffc90006714000
> [ 3213.317433] RDX: 1ffff11008037c92 RSI: ffffffff8a5b84aa RDI:
> ffff88803767c010
> [ 3213.317439] RBP: ffff8880401be490 R08: 0000000000000cc0 R09:
> 0000000000000000
> [ 3213.317445] R10: ffffffff9287d2e7 R11: fffffbfff250fa5c R12:
> 0000000000000640
> [ 3213.317450] R13: 0000000000000950 R14: 0000000000000008 R15:
> ffff8880401be480
> [ 3213.317454] ? if_nlmsg_size+0x4ea/0x7c0
> [ 3213.317457] </#DF>
>
Powered by blists - more mailing lists