lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3905313.1695031861@warthog.procyon.org.uk>
Date: Mon, 18 Sep 2023 11:11:01 +0100
From: David Howells <dhowells@...hat.com>
To: syzbot+62cbf263225ae13ff153@...kaller.appspotmail.com
Cc: dhowells@...hat.com, Eric Dumazet <edumazet@...gle.com>,
    bpf@...r.kernel.org, davem@...emloft.net, dsahern@...nel.org,
    kuba@...nel.org, linux-kernel@...r.kernel.org,
    netdev@...r.kernel.org, pabeni@...hat.com,
    syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] WARNING in __ip6_append_data

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 65d6e954e378

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 0665e8b09968..7978335c1fc4 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1517,8 +1517,10 @@ static int __ip6_append_data(struct sock *sk,
 		     rt->rt6i_nfheader_len;
 
 	if (mtu <= fragheaderlen ||
-	    ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr))
+	    ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr)) {
+		printk("__%u__: EMSGSIZE\n", __LINE__);
 		goto emsgsize;
+	}
 
 	maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen -
 		     sizeof(struct frag_hdr);
@@ -1526,8 +1528,10 @@ static int __ip6_append_data(struct sock *sk,
 	/* as per RFC 7112 section 5, the entire IPv6 Header Chain must fit
 	 * the first fragment
 	 */
-	if (headersize + transhdrlen > mtu)
+	if (headersize + transhdrlen > mtu) {
+		printk("__%u__: EMSGSIZE\n", __LINE__);
 		goto emsgsize;
+	}
 
 	if (cork->length + length > mtu - headersize && ipc6->dontfrag &&
 	    (sk->sk_protocol == IPPROTO_UDP ||
@@ -1535,15 +1539,23 @@ static int __ip6_append_data(struct sock *sk,
 	     sk->sk_protocol == IPPROTO_RAW)) {
 		ipv6_local_rxpmtu(sk, fl6, mtu - headersize +
 				sizeof(struct ipv6hdr));
+		printk("__%u__: EMSGSIZE\n", __LINE__);
 		goto emsgsize;
 	}
 
-	if (ip6_sk_ignore_df(sk))
+	if (ip6_sk_ignore_df(sk)) {
 		maxnonfragsize = sizeof(struct ipv6hdr) + IPV6_MAXPLEN;
-	else
+		printk("MAXPLEN\n");
+	} else {
 		maxnonfragsize = mtu;
+		printk("mtu\n");
+	}
 
+	printk("check %d %zd %d %d, %d %d\n",
+	       cork->length, length, maxnonfragsize, headersize,
+	       transhdrlen, mtu);
 	if (cork->length + length > maxnonfragsize - headersize) {
+		printk("__%u__: EMSGSIZE\n", __LINE__);
 emsgsize:
 		pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
 		ipv6_local_error(sk, EMSGSIZE, fl6, pmtu);
@@ -1817,8 +1829,10 @@ static int __ip6_append_data(struct sock *sk,
 			if (!skb_can_coalesce(skb, i, pfrag->page,
 					      pfrag->offset)) {
 				err = -EMSGSIZE;
-				if (i == MAX_SKB_FRAGS)
+				if (i == MAX_SKB_FRAGS) {
+					printk("__%u__: EMSGSIZE\n", __LINE__);
 					goto error;
+				}
 
 				__skb_fill_page_desc(skb, i, pfrag->page,
 						     pfrag->offset, 0);
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index ed8ebb6f5909..daaaf60dce01 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -502,6 +502,8 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
 	int ulen;
 	int err;
 
+	printk("%s()\n", __func__);
+
 	/* Rough check on arithmetic overflow,
 	 * better check is made in ip6_append_data().
 	 */


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ