Date: Tue, 30 Jan 2018 18:16:38 -0800
From: Eric Biggers
To: Santosh Shilimkar
Cc: syzkaller-bugs@googlegroups.com, Avinash Repaka, syzbot, davem@davemloft.net, linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, netdev@vger.kernel.org, rds-devel@oss.oracle.com
Subject: Re: KASAN: stack-out-of-bounds Read in rds_sendmsg
Message-ID: <20180131021638.6h5fukvzzakzu5g2@gmail.com>
References: <089e08263e589121d90560d610a5@google.com> <9deaf3c4-227f-f6f0-9ccb-3ad05fc32a0c@oracle.com>
In-Reply-To: <9deaf3c4-227f-f6f0-9ccb-3ad05fc32a0c@oracle.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Dec 21, 2017 at 08:44:32AM -0800, Santosh Shilimkar wrote:
> +Avinash
>
> On 12/21/2017 1:10 AM, syzbot wrote:
> > syzkaller has found a reproducer for the following crash on
> > [..]
> >
> > audit: type=1400 audit(1513847224.110:7): avc:  denied  { map } for
> > pid=3157 comm="syzkaller455006" path="/root/syzkaller455006870"
> > dev="sda1" ino=16481
> > scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
> > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> > ==================================================================
> > BUG: KASAN: stack-out-of-bounds in rds_rdma_bytes net/rds/send.c:1013
> > [inline]
>
> Could you please post the discussed fix if you are ready with it?
> This new report is the same as the last one and the cmsg length check
> should address it.
>
> Regards,
> Santosh
>

This crash seems to have stopped occurring.  I assume it was fixed by commit
14e138a86f63 (thanks Avinash!), so let's tell syzbot so that it can start
reporting crashes in the same place again:

#syz fix: RDS: Check cmsg_len before dereferencing CMSG_DATA

- Eric
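The bug class behind this thread, a sendmsg() handler that dereferences CMSG_DATA without first confirming that cmsg_len covers the struct it is about to read, is small enough to show in userspace with the POSIX CMSG_* macros. The block below is an added example, not code from net/rds, from the syzbot report or from commit 14e138a86f63. It builds a control message whose header claims less payload than the handler expects, then runs it through an unchecked parser and a parser carrying the kind of check the fix's title describes. Everything in it is constructed for illustration: the struct rdma_args layout (only its size matters), the DEMO_LEVEL/DEMO_TYPE values, the 0xAA poison that stands in for whatever sits next to the kernel's copy of the control data (the stack, in the KASAN report), and the demo() driver.

```c
/* Control-message length validation in a sendmsg()-style handler.
 * Added example; not code from net/rds or from commit 14e138a86f63. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical stand-in for the RDMA argument block a handler copies out of
 * a control message. The real rds_rdma_args layout is not on this page. */
struct rdma_args {
	uint64_t cookie;
	uint64_t local_addr;
	uint64_t local_len;
};

#define DEMO_LEVEL 0x100 /* constructed cmsg level/type, not RDS's values */
#define DEMO_TYPE  1
#define CTL_SIZE   128

/* cmsghdr-aligned control buffer. Bytes past msg_controllen are poisoned
 * with 0xAA to model memory the sender never supplied. */
union ctl_buf {
	struct cmsghdr align;
	unsigned char bytes[CTL_SIZE];
};

/* Constructed request used by every case below. */
static const struct rdma_args g_req = { 0x1234, 0x7f0000001000ULL, 4096 };

/* Build one control message carrying the first `present` bytes of g_req,
 * with cmsg_len and msg_controllen sized to match. A hostile sender passes
 * present < sizeof(struct rdma_args): the level/type match, but the header
 * promises less payload than the handler is about to read. */
static void build_msg(struct msghdr *msg, union ctl_buf *ctl, size_t present)
{
	struct cmsghdr *cmsg;

	memset(ctl->bytes, 0xAA, CTL_SIZE);
	memset(msg, 0, sizeof(*msg));
	msg->msg_control = ctl->bytes;
	msg->msg_controllen = CMSG_SPACE(present);

	cmsg = CMSG_FIRSTHDR(msg);
	cmsg->cmsg_level = DEMO_LEVEL;
	cmsg->cmsg_type = DEMO_TYPE;
	cmsg->cmsg_len = CMSG_LEN(present);
	memcpy(CMSG_DATA(cmsg), &g_req, present);
}

/* Vulnerable pattern: a matching level/type is taken to imply a complete
 * struct behind CMSG_DATA, so sizeof(*out) bytes are copied without looking
 * at cmsg_len. For a short message the tail of the copy comes from beyond
 * msg_controllen. */
static int rdma_args_unchecked(struct msghdr *msg, struct rdma_args *out)
{
	struct cmsghdr *cmsg;

	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
		if (cmsg->cmsg_level != DEMO_LEVEL || cmsg->cmsg_type != DEMO_TYPE)
			continue;
		memcpy(out, CMSG_DATA(cmsg), sizeof(*out)); /* over-reads when cmsg_len is short */
		return 0;
	}
	return -ENOENT;
}

/* Hardened pattern: cmsg_len counts header plus payload, so the payload is
 * complete only when cmsg_len >= CMSG_LEN(sizeof(*out)). Reject anything
 * shorter before dereferencing CMSG_DATA. */
static int rdma_args_checked(struct msghdr *msg, struct rdma_args *out)
{
	struct cmsghdr *cmsg;

	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
		if (cmsg->cmsg_level != DEMO_LEVEL || cmsg->cmsg_type != DEMO_TYPE)
			continue;
		if (cmsg->cmsg_len < CMSG_LEN(sizeof(*out)))
			return -EINVAL;
		memcpy(out, CMSG_DATA(cmsg), sizeof(*out));
		return 0;
	}
	return -ENOENT;
}

/* Run the checked (use_check != 0) or unchecked parser over a message that
 * carries `present` payload bytes; returns the parser's result code. */
int demo(int use_check, size_t present, struct rdma_args *out)
{
	union ctl_buf ctl;
	struct msghdr msg;

	build_msg(&msg, &ctl, present);
	memset(out, 0, sizeof(*out));
	return use_check ? rdma_args_checked(&msg, out)
			 : rdma_args_unchecked(&msg, out);
}

int main(void)
{
	static const size_t cases[] = { sizeof(struct rdma_args), 8, 0 };
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		struct rdma_args a;
		int rc_u = demo(0, cases[i], &a);
		unsigned long long seen = a.local_len;
		int rc_c = demo(1, cases[i], &a);

		printf("payload %2zu bytes: unchecked rc=%d local_len=%#llx, checked rc=%d\n",
		       cases[i], rc_u, seen, rc_c);
	}
	return 0;
}
```

With a full payload both parsers return the same struct. With 8 or 0 payload bytes the unchecked parser still returns 0 and hands back fields made of the 0xAA poison, which is exactly the out-of-bounds read KASAN flags in the kernel; the checked parser fails with -EINVAL before touching the data. Note that the check compares against CMSG_LEN(), not sizeof(): cmsg_len includes the aligned header, so comparing against the bare struct size would still let a truncated payload through.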