2018-01-04 15:58:04

by syzbot

[permalink] [raw]
Subject: kernel BUG at ./include/linux/skbuff.h:LINE!

Hello,

syzkaller hit the following crash on
ead68f216110170ec729e2c4dec0aad6d38259d7
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

------------[ cut here ]------------
kernel BUG at ./include/linux/skbuff.h:2068!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3145 Comm: syzkaller456978 Not tainted 4.15.0-rc4+ #234
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__skb_pull include/linux/skbuff.h:2068 [inline]
RIP: 0010:skb_pull_inline include/linux/skbuff.h:2074 [inline]
RIP: 0010:skb_pull+0xd5/0xf0 net/core/skbuff.c:1731
RSP: 0018:ffff8801c921f270 EFLAGS: 00010293
RAX: ffff8801ca472480 RBX: ffff8801c81123c0 RCX: ffffffff841bb0b5
RDX: 0000000000000000 RSI: 0000000000000028 RDI: ffff8801c811243c
RBP: ffff8801c921f288 R08: 1ffff10039243db7 R09: 0000000000000002
R10: ffff8801c921f278 R11: 0000000000000000 R12: 0000000000000028
R13: 0000000000000010 R14: dffffc0000000000 R15: 0000000000000000
FS: 0000000001ca4880(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002084c000 CR3: 00000001ca73c003 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
esp6_gro_receive+0xb4/0xbe0 net/ipv6/esp6_offload.c:63
call_gro_receive include/linux/netdevice.h:2200 [inline]
ipv6_gro_receive+0x83e/0x13c0 net/ipv6/ip6_offload.c:253
dev_gro_receive+0xd2c/0x2120 net/core/dev.c:4857
napi_gro_frags+0x377/0xad0 net/core/dev.c:5113
tun_get_user+0x25f5/0x36d0 drivers/net/tun.c:1757
tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1800
call_write_iter include/linux/fs.h:1772 [inline]
do_iter_readv_writev+0x525/0x7f0 fs/read_write.c:653
do_iter_write+0x154/0x540 fs/read_write.c:932
vfs_writev+0x18a/0x340 fs/read_write.c:977
do_writev+0xfc/0x2a0 fs/read_write.c:1012
SYSC_writev fs/read_write.c:1085 [inline]
SyS_writev+0x27/0x30 fs/read_write.c:1082
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x444e50
RSP: 002b:00007fff5a4f08d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000444e50
RDX: 0000000000000002 RSI: 00007fff5a4f08e0 RDI: 0000000000000003
RBP: 00000000006d0018 R08: 000000002084c046 R09: 0000000000000046
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000402390
R13: 0000000000402420 R14: 0000000000000000 R15: 0000000000000000
Code: a3 d0 00 00 00 e8 fc 38 54 fd 4c 89 e0 5b 41 5c 41 5d 5d c3 45 31 e4
e8 ea 38 54 fd 4c 89 e0 5b 41 5c 41 5d 5d c3 e8 db 38 54 fd <0f> 0b e8 d4
af 8a fd eb 9a e8 cd af 8a fd e9 51 ff ff ff e8 e3
RIP: __skb_pull include/linux/skbuff.h:2068 [inline] RSP: ffff8801c921f270
RIP: skb_pull_inline include/linux/skbuff.h:2074 [inline] RSP:
ffff8801c921f270
RIP: skb_pull+0xd5/0xf0 net/core/skbuff.c:1731 RSP: ffff8801c921f270
---[ end trace c8c7c2ebe84a87dd ]---


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to [email protected].

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.


Attachments:
config.txt (123.42 kB)
raw.log (6.15 kB)
repro.txt (925.00 B)
repro.c (10.76 kB)
Download all attachments

2018-01-05 08:02:03

by Steffen Klassert

[permalink] [raw]
Subject: Re: kernel BUG at ./include/linux/skbuff.h:LINE!

On Thu, Jan 04, 2018 at 07:58:01AM -0800, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> ead68f216110170ec729e2c4dec0aad6d38259d7
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: [email protected]
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> ------------[ cut here ]------------
> kernel BUG at ./include/linux/skbuff.h:2068!

The reproducer does not trigger here, but I'm pretty sure
it is this:

Subject: [PATCH RFC ipsec] esp: Fix GRO when the headers not fully on the linear part of
the skb.

The GRO layer does not necessarily pull the complete headers
into the linear part of the skb, a part may remain on the
first page fragment. This can lead to a crash if we try to
pull the headers, so make sure we have them on the linear
part before pulling.

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
Reported-by: [email protected]
Signed-off-by: Steffen Klassert <[email protected]>
---
net/ipv4/esp4_offload.c | 3 ++-
net/ipv6/esp6_offload.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
index f8b918c766b0..dfc1e049aad5 100644
--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@@ -38,7 +38,8 @@ static struct sk_buff **esp4_gro_receive(struct sk_buff **head,
__be32 spi;
int err;

- skb_pull(skb, offset);
+ if (!pskb_pull(skb, offset))
+ return NULL;

if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
goto out;
diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
index 333a478aa161..dd9627490c7c 100644
--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -60,7 +60,8 @@ static struct sk_buff **esp6_gro_receive(struct sk_buff **head,
int nhoff;
int err;

- skb_pull(skb, offset);
+ if (!pskb_pull(skb, offset))
+ return NULL;

if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
goto out;
--
2.14.1