Hello,
syzbot found the following issue on:
HEAD commit: 13c62f53 net/sched: act_ct: handle DNAT tuple collision
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=16635470300000
kernel config: https://syzkaller.appspot.com/x/.config?x=770708ea7cfd4916
dashboard link: https://syzkaller.appspot.com/bug?extid=e4c1dd36fc6b98c50859
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
UBSAN: shift-out-of-bounds in ./include/net/xfrm.h:838:23
shift exponent -64 is negative
CPU: 0 PID: 12625 Comm: syz-executor.1 Not tainted 5.13.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x141/0x1d7 lib/dump_stack.c:120
ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
__ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
addr4_match include/net/xfrm.h:838 [inline]
__xfrm4_selector_match net/xfrm/xfrm_policy.c:201 [inline]
xfrm_selector_match.cold+0x35/0x3a net/xfrm/xfrm_policy.c:227
xfrm_state_look_at+0x16d/0x440 net/xfrm/xfrm_state.c:1022
xfrm_state_find+0x16c0/0x4d10 net/xfrm/xfrm_state.c:1096
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2394 [inline]
xfrm_tmpl_resolve+0x2f3/0xd40 net/xfrm/xfrm_policy.c:2439
xfrm_resolve_and_create_bundle+0x123/0x2590 net/xfrm/xfrm_policy.c:2729
xfrm_lookup_with_ifid+0x227/0x20e0 net/xfrm/xfrm_policy.c:3063
xfrm_lookup net/xfrm/xfrm_policy.c:3187 [inline]
xfrm_lookup_route+0x36/0x1e0 net/xfrm/xfrm_policy.c:3198
ip_route_output_flow+0x114/0x150 net/ipv4/route.c:2733
udp_sendmsg+0x1a2f/0x2730 net/ipv4/udp.c:1206
inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821
sock_sendmsg_nosec net/socket.c:654 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:674
____sys_sendmsg+0x331/0x810 net/socket.c:2350
___sys_sendmsg+0xf3/0x170 net/socket.c:2404
__sys_sendmmsg+0x195/0x470 net/socket.c:2490
__do_sys_sendmmsg net/socket.c:2519 [inline]
__se_sys_sendmmsg net/socket.c:2516 [inline]
__x64_sys_sendmmsg+0x99/0x100 net/socket.c:2516
do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb1023dd188 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 000000000800001d RSI: 0000000020007fc0 RDI: 0000000000000003
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffc4542d68f R14: 00007fb1023dd300 R15: 0000000000022000
================================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
On Thu, Jun 10, 2021 at 12:19:26PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 13c62f53 net/sched: act_ct: handle DNAT tuple collision
> git tree: net
> console output: https://syzkaller.appspot.com/x/log.txt?x=16635470300000
> kernel config: https://syzkaller.appspot.com/x/.config?x=770708ea7cfd4916
> dashboard link: https://syzkaller.appspot.com/bug?extid=e4c1dd36fc6b98c50859
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
> UBSAN: shift-out-of-bounds in ./include/net/xfrm.h:838:23
> shift exponent -64 is negative
> CPU: 0 PID: 12625 Comm: syz-executor.1 Not tainted 5.13.0-rc3-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:79 [inline]
> dump_stack+0x141/0x1d7 lib/dump_stack.c:120
> ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
> __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
> addr4_match include/net/xfrm.h:838 [inline]
> __xfrm4_selector_match net/xfrm/xfrm_policy.c:201 [inline]
> xfrm_selector_match.cold+0x35/0x3a net/xfrm/xfrm_policy.c:227
> xfrm_state_look_at+0x16d/0x440 net/xfrm/xfrm_state.c:1022
This appears to be an xfrm_state object with an IPv4 selector
that somehow has a prefixlen (d or s) of 96.
AFAICS this is not possible through xfrm_user. OTOH it is not
obvious that af_key is entirely consistent in how it verifies
the prefix length, in particular, it seems to be possible for
two addresses with conflicting families to be provided as src/dst.
Can you confirm that this is indeed using af_key (a quick read
of the syzbot log seems to indicate that this is the case)?
Thanks,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Tue, Jun 15, 2021 at 7:32 AM Herbert Xu <[email protected]> wrote:
>
> On Thu, Jun 10, 2021 at 12:19:26PM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 13c62f53 net/sched: act_ct: handle DNAT tuple collision
> > git tree: net
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16635470300000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=770708ea7cfd4916
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e4c1dd36fc6b98c50859
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: [email protected]
> >
> > UBSAN: shift-out-of-bounds in ./include/net/xfrm.h:838:23
> > shift exponent -64 is negative
> > CPU: 0 PID: 12625 Comm: syz-executor.1 Not tainted 5.13.0-rc3-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> > __dump_stack lib/dump_stack.c:79 [inline]
> > dump_stack+0x141/0x1d7 lib/dump_stack.c:120
> > ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
> > __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
> > addr4_match include/net/xfrm.h:838 [inline]
> > __xfrm4_selector_match net/xfrm/xfrm_policy.c:201 [inline]
> > xfrm_selector_match.cold+0x35/0x3a net/xfrm/xfrm_policy.c:227
> > xfrm_state_look_at+0x16d/0x440 net/xfrm/xfrm_state.c:1022
>
> This appears to be an xfrm_state object with an IPv4 selector
> that somehow has a prefixlen (d or s) of 96.
>
> AFAICS this is not possible through xfrm_user. OTOH it is not
> obvious that af_key is entirely consistent in how it verifies
> the prefix length, in particular, it seems to be possible for
> two addresses with conflicting families to be provided as src/dst.
>
> Can you confirm that this is indeed using af_key (a quick read
> of the syzbot log seems to indicate that this is the case)?
Hi Herbert,
This was triggered by this program and, yes, it creates an AF_KEY socket:
18:01:48 executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
socket$key(0xf, 0x3, 0x2)
bind$inet(r0, &(0x7f00000001c0)={0x2, 0x0, @local}, 0x10)
socketpair$tipc(0x1e, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff,
<r1=>0xffffffffffffffff})
ioctl$TUNSETLINK(r1, 0x8912, 0x400308)
connect$inet(r0, &(0x7f0000000480)={0x2, 0x0, @multicast2}, 0x10)
setsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11,
&(0x7f0000000080)={{{@in6=@ipv4={'\x00', '\xff\xff', @dev},
@in6=@private0, 0x0, 0xfffc, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0,
0xee01}, {0x2}, {}, 0x0, 0x0, 0x1}, {{@in, 0x0, 0x32}, 0x0,
@in6=@loopback, 0x0, 0x0, 0x0, 0xb7}}, 0xe8)
socket$key(0xf, 0x3, 0x2)
sendmmsg(r0, &(0x7f0000007fc0), 0x800001d, 0x0)