lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c82e104ceb6344a38dd1b0514379ae88@huawei.com>
Date: Sat, 26 Aug 2023 10:05:27 +0000
From: mengkanglai <mengkanglai2@...wei.com>
To: Bagas Sanjaya <bagasdotme@...il.com>, Eric Dumazet <edumazet@...gle.com>,
	"David S. Miller" <davem@...emloft.net>, Alexey Kuznetsov
	<kuznet@....inr.ac.ru>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, "Jakub
 Kicinski" <kuba@...nel.org>, Linux Networking <netdev@...r.kernel.org>,
	"Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>, Noah Goldstein
	<goldstein.w.n@...il.com>, Dave Hansen <dave.hansen@...ux.intel.com>
CC: "Fengtao (fengtao, Euler)" <fengtao40@...wei.com>, "Yanan (Euler)"
	<yanan@...wei.com>
Subject: 答复: [BUGREPORT] slab-out-of-bounds in do_csum

The attachment is the fuzz reproduction program.
Have you encountered similar problems?

-----邮件原件-----
发件人: Bagas Sanjaya <bagasdotme@...il.com> 
发送时间: 2023年8月22日 16:46
收件人: mengkanglai <mengkanglai2@...wei.com>; Eric Dumazet <edumazet@...gle.com>; David S. Miller <davem@...emloft.net>; Alexey Kuznetsov <kuznet@....inr.ac.ru>; Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>; Jakub Kicinski <kuba@...nel.org>; Linux Networking <netdev@...r.kernel.org>; Linux Kernel Mailing List <linux-kernel@...r.kernel.org>; Noah Goldstein <goldstein.w.n@...il.com>; Dave Hansen <dave.hansen@...ux.intel.com>
抄送: Fengtao (fengtao, Euler) <fengtao40@...wei.com>; Yanan (Euler) <yanan@...wei.com>
主题: Re: [BUGREPORT] slab-out-of-bounds in do_csum

On Tue, Aug 22, 2023 at 01:57:53AM +0000, mengkanglai wrote:
> Hello:
>   I am doing some fuzz test for kernel, the following bug was triggered.
>   My kernel version is 5.10.0.Have you encountered similar problems?
>   If there is a fix, please let me know. 
>   Thank you very much.

What fuzz test?

> 
> ----------------------------------------------
> BUG: KASAN: slab-out-of-bounds in do_csum+0x3e9/0x400 
> usr/src/kernels/linux-5.10.0-136.12.0.86/arch/x86/lib/csum-partial_64.
> c:103 Read of size 4 at addr ffff88801f183aa0 by task 
> syz-executor.2/19784
> 
> CPU: 0 PID: 19784 Comm: syz-executor.2 Tainted: G        W  OE     5.10.0-136.12.0.86.x86_64 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
> 1.13.0-1ubuntu1.1 04/01/2014 Call Trace:
>  __dump_stack 
> usr/src/kernels/linux-5.10.0-136.12.0.86/lib/dump_stack.c:77 [inline]  
> dump_stack+0xbe/0xfd 
> usr/src/kernels/linux-5.10.0-136.12.0.86/lib/dump_stack.c:118
>  print_address_description.constprop.0+0x19/0x170 
> usr/src/kernels/linux-5.10.0-136.12.0.86/mm/kasan/report.c:382
>  __kasan_report.cold+0x6c/0x84 
> usr/src/kernels/linux-5.10.0-136.12.0.86/mm/kasan/report.c:542
>  kasan_report+0x3a/0x50 
> usr/src/kernels/linux-5.10.0-136.12.0.86/mm/kasan/report.c:559
>  do_csum+0x3e9/0x400 
> usr/src/kernels/linux-5.10.0-136.12.0.86/arch/x86/lib/csum-partial_64.
> c:103
>  csum_partial+0x21/0x30 
> usr/src/kernels/linux-5.10.0-136.12.0.86/arch/x86/lib/csum-partial_64.
> c:136  gso_make_checksum 
> usr/src/kernels/linux-5.10.0-136.12.0.86/./include/linux/skbuff.h:4527 
> [inline]
>  __skb_udp_tunnel_segment+0xcd9/0x1710 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv4/udp_offload.c:135
>  skb_udp_tunnel_segment+0x192/0x240 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv4/udp_offload.c:177
>  udp6_ufo_fragment+0x9a5/0xd20 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/udp_offload.c:37
>  ipv6_gso_segment+0x485/0xfc0 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/ip6_offload.c:115
>  skb_mac_gso_segment+0x22e/0x400 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/core/dev.c:3348
>  __skb_gso_segment+0x331/0x6f0 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/core/dev.c:3445
>  skb_gso_segment 
> usr/src/kernels/linux-5.10.0-136.12.0.86/./include/linux/netdevice.h:4
> 799 [inline]
>  ip6_finish_output_gso_slowpath_drop.constprop.0+0x3f/0x170 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/ip6_output.c:169
>  __ip6_finish_output.part.0+0x6a5/0x7c0 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/ip6_output.c:203
>  __ip6_finish_output 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/ip6_output.c:225 
> [inline]
>  ip6_finish_output+0x25c/0x310 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/ip6_output.c:220
>  NF_HOOK_COND 
> usr/src/kernels/linux-5.10.0-136.12.0.86/./include/linux/netfilter.h:2
> 93 [inline]
>  ip6_output+0x1f3/0x3f0 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/ip6_output.c:243
>  dst_output 
> usr/src/kernels/linux-5.10.0-136.12.0.86/./include/net/dst.h:453 
> [inline]
>  ip6_local_out+0x94/0xc0 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/output_core.c:161
>  ip6tunnel_xmit 
> usr/src/kernels/linux-5.10.0-136.12.0.86/./include/net/ip6_tunnel.h:16
> 0 [inline]
>  udp_tunnel6_xmit_skb+0x695/0xa90 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/ip6_udp_tunnel.c:109
>  geneve6_xmit_skb+0xaf8/0x1b50 
> usr/src/kernels/linux-5.10.0-136.12.0.86/drivers/net/geneve.c:1051
>  geneve_xmit+0x2f5/0x4f0 
> usr/src/kernels/linux-5.10.0-136.12.0.86/drivers/net/geneve.c:1080
>  __netdev_start_xmit 
> usr/src/kernels/linux-5.10.0-136.12.0.86/./include/linux/netdevice.h:4
> 849 [inline]  netdev_start_xmit 
> usr/src/kernels/linux-5.10.0-136.12.0.86/./include/linux/netdevice.h:4
> 863 [inline]
>  xmit_one.constprop.0+0x142/0x490 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/core/dev.c:3615
>  dev_hard_start_xmit+0x8e/0x1b0 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/core/dev.c:3631
>  __dev_queue_xmit+0x1935/0x2100 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/core/dev.c:4198
>  packet_snd+0x1992/0x2a40 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/packet/af_packet.c:3031
>  packet_sendmsg+0x9f/0xd0 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/packet/af_packet.c:3063
>  sock_sendmsg_nosec 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/socket.c:658 [inline]  
> sock_sendmsg usr/src/kernels/linux-5.10.0-136.12.0.86/net/socket.c:678 
> [inline]
>  sock_sendmsg+0x165/0x1a0 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/socket.c:673
>  __sys_sendto+0x21b/0x320 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/socket.c:1993
>  __do_sys_sendto 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/socket.c:2005 [inline]  
> __se_sys_sendto 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/socket.c:2001 [inline]
>  __x64_sys_sendto+0xe2/0x1c0 
> usr/src/kernels/linux-5.10.0-136.12.0.86/net/socket.c:2001
>  do_syscall_64+0x33/0x40 
> usr/src/kernels/linux-5.10.0-136.12.0.86/arch/x86/entry/common.c:46
>  entry_SYSCALL_64_after_hwframe+0x61/0xc6
> RIP: 0033:0x7f6bf67ac74d
> Code: c3 e8 17 32 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 
> 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f6bf4d19bf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
> RAX: ffffffffffffffda RBX: 00007f6bf68e7f80 RCX: 00007f6bf67ac74d
> RDX: 0000000000002378 RSI: 0000000020000080 RDI: 0000000000000003
> RBP: 00007f6bf681ad95 R08: 0000000000000000 R09: 00000000000002ff
> R10: 0000000004000002 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007ffe99543bff R14: 00007ffe99543da0 R15: 00007f6bf4d19d80

Can you reproduce above on latest mainline (currently v6.5-rc7)? Also, it seems like you have external modules installed, hence your kernel is tainted. Please try vanilla (untainted) kernel instead, preferably by building kernel from kernel.org sources.

Thanks.

--
An old man doll... just what I always wanted! - Clara

View attachment "fuzz-test.txt" of type "text/plain" (2384131 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ