Date: Tue, 30 Jan 2018 13:28:09 -0800
From: Eric Biggers
To: Steffen Klassert
Cc: syzbot, davem@davemloft.net, herbert@gondor.apana.org.au, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (3)
Message-ID: <20180130212809.36egyijbeamelmtv@gmail.com>
References: <089e082d0cb803507c055e6d5318@google.com> <001a11445ed4514b28055e947b48@google.com> <20171201072743.47ztbmrql7ub327u@gauss3.secunet.de> <20171212210031.GC185376@gmail.com> <20171213051805.7z74wh7sglaflo4j@gauss3.secunet.de>
In-Reply-To: <20171213051805.7z74wh7sglaflo4j@gauss3.secunet.de>
User-Agent: NeoMutt/20170609 (1.8.3)
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Dec 13, 2017 at 06:18:05AM +0100, Steffen Klassert wrote:
> On Tue, Dec 12, 2017 at 01:00:31PM -0800, Eric Biggers wrote:
> > Hi Steffen,
> >
> > On Fri, Dec 01, 2017 at 08:27:43AM +0100, Steffen Klassert wrote:
> > > On Wed, Nov 22, 2017 at 08:05:00AM -0800, syzbot wrote:
> > > > syzkaller has found reproducer for the following crash on
> > > > 0c86a6bd85ff0629cd2c5141027fc1c8bb6cde9c
> > > > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
> > > > compiler: gcc (GCC) 7.1.1 20170620
> > > > .config is attached
> > > > Raw console output is attached.
> > > > C reproducer is attached
> > > > syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> > > > for information about syzkaller reproducers
> > > >
> > > >
> > > > BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30fc/0x3230
> > > > net/xfrm/xfrm_state.c:1051
> > > > Read of size 4 at addr ffff8801ccaa7af8 by task syzkaller231684/3045
> > >
> > > The patch below should fix this. I plan to apply it to the ipsec tree
> > > after some advanced testing.
> > >
> > > Subject: [PATCH RFC] xfrm: Fix stack-out-of-bounds with misconfigured transport
> > > mode policies.
> > >
> >
> > Are you still planning to apply this? syzbot is still hitting this bug.
>
> It is already applied to the ipsec tree, will go upstream by the end of
> this week.
>

Marking this fixed for syzbot:

#syz fix: xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.