2020-07-25 13:34:32

by B K Karthik

Subject: [PATCH] net: ipv6: fix slab-out-of-bounds Read in __xfrm6_tunnel_spi_check

use spi_byaddr instead of spi_byspi

==================================================================
BUG: KASAN: slab-out-of-bounds in __xfrm6_tunnel_spi_check+0x316/0x330 net/ipv6/xfrm6_tunnel.c:108
Read of size 8 at addr ffff8880a93a5e08 by task syz-executor.1/8482
CPU: 0 PID: 8482 Comm: syz-executor.1 Not tainted 5.8.0-rc5-next-20200716-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
__xfrm6_tunnel_spi_check+0x316/0x330 net/ipv6/xfrm6_tunnel.c:108
__xfrm6_tunnel_alloc_spi net/ipv6/xfrm6_tunnel.c:131 [inline]
xfrm6_tunnel_alloc_spi+0x296/0x8a0 net/ipv6/xfrm6_tunnel.c:174
ipcomp6_tunnel_create net/ipv6/ipcomp6.c:84 [inline]
ipcomp6_tunnel_attach net/ipv6/ipcomp6.c:124 [inline]
ipcomp6_init_state net/ipv6/ipcomp6.c:159 [inline]
ipcomp6_init_state+0x2af/0x700 net/ipv6/ipcomp6.c:139
__xfrm_init_state+0x9a6/0x14b0 net/xfrm/xfrm_state.c:2498
xfrm_init_state+0x1a/0x70 net/xfrm/xfrm_state.c:2525
pfkey_msg2xfrm_state net/key/af_key.c:1291 [inline]
pfkey_add+0x1a10/0x2b70 net/key/af_key.c:1508
pfkey_process+0x66d/0x7a0 net/key/af_key.c:2834
pfkey_sendmsg+0x42d/0x800 net/key/af_key.c:3673
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:671
____sys_sendmsg+0x331/0x810 net/socket.c:2362
___sys_sendmsg+0xf3/0x170 net/socket.c:2416
__sys_sendmmsg+0x195/0x480 net/socket.c:2506
__do_sys_sendmmsg net/socket.c:2535 [inline]
__se_sys_sendmmsg net/socket.c:2532 [inline]
__x64_sys_sendmmsg+0x99/0x100 net/socket.c:2532
do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45c1d9
Code: Bad RIP value.
RSP: 002b:00007fe3fa739c78 EFLAGS: 00000246
ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000025a40 RCX: 000000000045c1d9
RDX: 0400000000000282 RSI: 0000000020000180 RDI: 0000000000000003
RBP: 000000000078bf48 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bf0c
R13: 00007fffec91896f R14: 00007fe3fa73a9c0 R15: 000000000078bf0c
Allocated by task 1:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
kmem_cache_alloc_trace+0x16e/0x2c0 mm/slab.c:3550
kmalloc include/linux/slab.h:554 [inline]
kzalloc include/linux/slab.h:666 [inline]
device_private_init drivers/base/core.c:2763 [inline]
device_add+0x1008/0x1c40 drivers/base/core.c:2813
netdev_register_kobject+0x17d/0x3b0 net/core/net-sysfs.c:1888
register_netdevice+0xd29/0x1540 net/core/dev.c:9523
register_netdev+0x2d/0x50 net/core/dev.c:9654
ip6gre_init_net+0x3c4/0x5e0 net/ipv6/ip6_gre.c:1587
ops_init+0xaf/0x470 net/core/net_namespace.c:151
__register_pernet_operations net/core/net_namespace.c:1140 [inline]
register_pernet_operations+0x35a/0x850 net/core/net_namespace.c:1217
register_pernet_device+0x26/0x70 net/core/net_namespace.c:1304
ip6gre_init+0x1f/0x132 net/ipv6/ip6_gre.c:2327
do_one_initcall+0x10a/0x7b0 init/main.c:1201
do_initcall_level init/main.c:1274 [inline]
do_initcalls init/main.c:1290 [inline]
do_basic_setup init/main.c:1310 [inline]
kernel_init_freeable+0x4f4/0x5a3 init/main.c:1507
kernel_init+0xd/0x1c0 init/main.c:1401
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
The buggy address belongs to the object at ffff8880a93a5c00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes to the right of
512-byte region [ffff8880a93a5c00, ffff8880a93a5e00)
The buggy address belongs to the page:
page:0000000064ff38cf refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa93a5
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00028deec8 ffffea00027a5388 ffff8880aa000600
raw: 0000000000000000 ffff8880a93a5000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a93a5d00: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a93a5d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a93a5e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880a93a5e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a93a5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Reported-by: [email protected]
Signed-off-by: B K Karthik <[email protected]>
---
net/ipv6/xfrm6_tunnel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 25b7ebda2fab..cab7693ccfe3 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -103,10 +103,10 @@ static int __xfrm6_tunnel_spi_check(struct net *net, u32 spi)
{
struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
struct xfrm6_tunnel_spi *x6spi;
- int index = xfrm6_tunnel_spi_hash_byspi(spi);
+ int index = xfrm6_tunnel_spi_hash_byaddr(spi);

hlist_for_each_entry(x6spi,
- &xfrm6_tn->spi_byspi[index],
+ &xfrm6_tn->spi_byaddr[index],
list_byspi) {
if (x6spi->spi == spi)
return -1;
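Review bot: The replacement line `+ int index = xfrm6_tunnel_spi_hash_byaddr(spi);` passes the `u32 spi` parameter to a function whose argument is an address pointer, so the hunk does not build cleanly and, where the compiler tolerates the integer-to-pointer conversion, hashes a bogus pointer value instead of the SPI. The loop is also left walking `&xfrm6_tn->spi_byaddr[index]` through the `list_byspi` member, so even with a valid index the iterator would follow links that belong to a different chain. Neither change is supported by the KASAN report above: the bad read at xfrm6_tunnel.c:108 lands 8 bytes past a kmalloc-512 object that was allocated by `device_add` from `ip6gre_init_net`, i.e. unrelated to xfrm, which means the `hlist_for_each_entry` step dereferenced a node pointer that was already invalid; switching tables does not explain how that pointer got there. Suggest keeping `xfrm6_tunnel_spi_hash_byspi(spi)` and `spi_byspi[index]`, establishing why that chain held an invalid entry (for example an entry freed or unlinked while still reachable from the bucket), and reproducing with the syzkaller program before resubmitting.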
--
2.20.1



2020-07-25 19:50:01

by kernel test robot

Subject: Re: [PATCH] net: ipv6: fix slab-out-of-bounds Read in __xfrm6_tunnel_spi_check

Hi K,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on ipsec/master]
[also build test WARNING on ipsec-next/master net-next/master net/master v5.8-rc6 next-20200724]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url: https://github.com/0day-ci/linux/commits/B-K-Karthik/net-ipv6-fix-slab-out-of-bounds-Read-in-__xfrm6_tunnel_spi_check/20200725-213142
base: https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git master
config: parisc-allyesconfig (attached as .config)
compiler: hppa-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=parisc

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <[email protected]>

All warnings (new ones prefixed by >>):

net/ipv6/xfrm6_tunnel.c: In function '__xfrm6_tunnel_spi_check':
>> net/ipv6/xfrm6_tunnel.c:106:43: warning: passing argument 1 of 'xfrm6_tunnel_spi_hash_byaddr' makes pointer from integer without a cast [-Wint-conversion]
106 | int index = xfrm6_tunnel_spi_hash_byaddr(spi);
| ^~~
| |
| u32 {aka unsigned int}
net/ipv6/xfrm6_tunnel.c:57:79: note: expected 'const xfrm_address_t *' {aka 'const union <anonymous> *'} but argument is of type 'u32' {aka 'unsigned int'}
57 | static inline unsigned int xfrm6_tunnel_spi_hash_byaddr(const xfrm_address_t *addr)
| ~~~~~~~~~~~~~~~~~~~~~~^~~~

vim +/xfrm6_tunnel_spi_hash_byaddr +106 net/ipv6/xfrm6_tunnel.c

101
102 static int __xfrm6_tunnel_spi_check(struct net *net, u32 spi)
103 {
104 struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
105 struct xfrm6_tunnel_spi *x6spi;
> 106 int index = xfrm6_tunnel_spi_hash_byaddr(spi);
107
108 hlist_for_each_entry(x6spi,
109 &xfrm6_tn->spi_byaddr[index],
110 list_byspi) {
111 if (x6spi->spi == spi)
112 return -1;
113 }
114 return index;
115 }
116

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]



2020-07-26 07:57:10

by kernel test robot

Subject: Re: [PATCH] net: ipv6: fix slab-out-of-bounds Read in __xfrm6_tunnel_spi_check

Hi K,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on ipsec/master]
[also build test WARNING on ipsec-next/master net-next/master net/master v5.8-rc6 next-20200724]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url: https://github.com/0day-ci/linux/commits/B-K-Karthik/net-ipv6-fix-slab-out-of-bounds-Read-in-__xfrm6_tunnel_spi_check/20200725-213142
base: https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git master
config: x86_64-randconfig-r032-20200726 (attached as .config)
compiler: clang version 12.0.0 (https://github.com/llvm/llvm-project 8bf4c1f4fb257774f66c8cda07adc6c5e8668326)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install x86_64 cross compiling tool for clang build
# apt-get install binutils-x86-64-linux-gnu
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <[email protected]>

All warnings (new ones prefixed by >>):

>> net/ipv6/xfrm6_tunnel.c:106:43: warning: incompatible integer to pointer conversion passing 'u32' (aka 'unsigned int') to parameter of type 'const xfrm_address_t *' [-Wint-conversion]
int index = xfrm6_tunnel_spi_hash_byaddr(spi);
^~~
net/ipv6/xfrm6_tunnel.c:57:79: note: passing argument to parameter 'addr' here
static inline unsigned int xfrm6_tunnel_spi_hash_byaddr(const xfrm_address_t *addr)
^
net/ipv6/xfrm6_tunnel.c:69:28: warning: unused function 'xfrm6_tunnel_spi_hash_byspi' [-Wunused-function]
static inline unsigned int xfrm6_tunnel_spi_hash_byspi(u32 spi)
^
2 warnings generated.

vim +106 net/ipv6/xfrm6_tunnel.c

101
102 static int __xfrm6_tunnel_spi_check(struct net *net, u32 spi)
103 {
104 struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
105 struct xfrm6_tunnel_spi *x6spi;
> 106 int index = xfrm6_tunnel_spi_hash_byaddr(spi);
107
108 hlist_for_each_entry(x6spi,
109 &xfrm6_tn->spi_byaddr[index],
110 list_byspi) {
111 if (x6spi->spi == spi)
112 return -1;
113 }
114 return index;
115 }
116

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]



2020-07-29 00:34:29

by David Miller

Subject: Re: [PATCH] net: ipv6: fix slab-out-of-bounds Read in __xfrm6_tunnel_spi_check

From: B K Karthik <[email protected]>
Date: Sat, 25 Jul 2020 19:00:31 +0530

> use spi_byaddr instead of spi_byspi
...
> diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
> index 25b7ebda2fab..cab7693ccfe3 100644
> --- a/net/ipv6/xfrm6_tunnel.c
> +++ b/net/ipv6/xfrm6_tunnel.c
> @@ -103,10 +103,10 @@ static int __xfrm6_tunnel_spi_check(struct net *net, u32 spi)
> {
> struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
> struct xfrm6_tunnel_spi *x6spi;
> - int index = xfrm6_tunnel_spi_hash_byspi(spi);
> + int index = xfrm6_tunnel_spi_hash_byaddr(spi);

You are passing a u32 integer into a function that expects a pointer as an
argument.

This change isn't even compile tested properly, let alone run tested.

Please stop making such careless submissions, this takes up valuable
developer patch review resources.

Thank you.