Date: Thu, 1 Feb 2018 09:34:18 +0100
From: Steffen Klassert
To: syzbot
Subject: Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (4)
Message-ID: <20180201083418.rfarzrodccdy54xx@gauss3.secunet.de>
In-Reply-To: <001a1148251a36716f0564148ba9@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jan 31, 2018 at 07:58:01AM -0800, syzbot wrote:
> Hello,
>
> syzbot hit the following crash on upstream commit
> 72906f38934a49faf4d2d38ea9ae32adcf7d5d0c (Tue Jan 30 21:04:50 2018 +0000)
> Merge branch 'x86-hyperv-for-linus' of
> git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
>
> So far this crash happened 4 times on net-next, upstream.
> C reproducer is attached.
> syzkaller reproducer is attached.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
> user-space arch: i386

Looks like we forgot to refuse to insert socket policies when userspace
is 32 bit and kernel is 64 bit. We do this already for policies inserted
with netlink because we don't have a compat layer for xfrm. This means
that userspace and kernel structures don't match, leading to broken
configurations.

I don't have 32 bit userspace on 64 bit machines, so I can't test this
myself.
Can you please test this patch:

Subject: [PATCH RFC] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems We don't have a compat layer for xfrm, so userspace and kernel structures have different sizes in this case. This results in a broken configuration, so refuse to configure socket policies when trying to insert from 32 bit userspace as we do it already with policies inserted via netlink. Signed-off-by: Steffen Klassert --- net/xfrm/xfrm_state.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index a3785f538018..25861a4ef872 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -2056,6 +2056,11 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen struct xfrm_mgr *km; struct xfrm_policy *pol = NULL; +#ifdef CONFIG_COMPAT + if (in_compat_syscall()) + return -EOPNOTSUPP; +#endif + if (optlen <= 0 || optlen > PAGE_SIZE) return -EMSGSIZE; -- 2.14.1
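Review bot: the commit message carries no Reported-by: tag for the syzbot report this fix answers (the thread subject is the syzbot "KASAN: stack-out-of-bounds Read in xfrm_state_find (4)" report), and the RFC status together with the author's note that it is untested with 32 bit userspace belongs below the --- line so reviewers know what has been exercised. On the hunk itself, placing the in_compat_syscall() check ahead of the optlen validation is the right order: a compat caller consistently gets -EOPNOTSUPP instead of sometimes -EMSGSIZE depending on the length it passed. Worth confirming whether in_compat_syscall() already has a stub returning false when CONFIG_COMPAT is off; if so, the #ifdef CONFIG_COMPAT / #endif wrapper around the three lines can be dropped.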
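Why a missing compat layer turns into a broken configuration, shown as an added illustration that is not part of Steffen's patch or of the kernel's own code: the two structs, policy_setsockopt() and the demo_*() functions are constructed for this example (the real xfrm structures are larger, and in_compat_syscall() is modelled by a plain flag). It assumes a little-endian LP64 host such as x86_64 and uses #pragma pack(4) to emulate the i386 rule that 64-bit fields are only 4-byte aligned, which is what makes the 32-bit and 64-bit layouts of the same struct differ.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for a policy structure passed through setsockopt().
 * It is NOT the real struct xfrm_userpolicy_info; it only keeps the property
 * that matters here: a 32-bit field followed by a 64-bit one.
 */
struct policy_native {          /* LP64 kernel view: u64 is 8-byte aligned */
	uint32_t index;
	uint64_t soft_byte_limit;   /* lands at offset 8, total size 16 */
};

#pragma pack(push, 4)           /* emulate i386, where u64 is 4-byte aligned */
struct policy_compat {          /* what 32-bit userspace actually builds */
	uint32_t index;
	uint64_t soft_byte_limit;   /* lands at offset 4, total size 12 */
};
#pragma pack(pop)

/*
 * Model of the guard the patch adds to xfrm_user_policy(): refuse compat
 * callers before looking at the length, then enforce the expected size.
 * in_compat is a flag standing in for in_compat_syscall() (hypothetical).
 */
int policy_setsockopt(int in_compat, const void *optval, size_t optlen,
		      struct policy_native *out)
{
	if (in_compat)
		return -EOPNOTSUPP;
	if (optlen != sizeof(*out))
		return -EMSGSIZE;
	memcpy(out, optval, sizeof(*out));
	return 0;
}

/*
 * What goes wrong without the guard: the kernel copies a native-sized struct
 * out of a buffer that 32-bit userspace laid out with the compat ABI.
 * Returns the limit the kernel would believe it was given.
 */
uint64_t misparse_compat_buffer(const struct policy_compat *c)
{
	unsigned char buf[sizeof(struct policy_native)] = {0};
	struct policy_native n;

	memcpy(buf, c, sizeof(*c));   /* 12 bytes of compat layout + 4 zero bytes */
	memcpy(&n, buf, sizeof(n));   /* kernel reads the 64-bit field at offset 8 */
	return n.soft_byte_limit;
}

/* Constructed sample: index 7, byte limit 0x1122334455667788. */
static const struct policy_compat sample = { 7, 0x1122334455667788ULL };

/* On a little-endian host the kernel sees 0x11223344: the upper half of
 * the real limit followed by four bytes of padding, i.e. a wrong policy. */
uint64_t demo_misparse(void)
{
	return misparse_compat_buffer(&sample);
}

/* Result code of the guarded path for a given caller type and length. */
int demo_guard(int in_compat, size_t optlen)
{
	struct policy_native out;
	unsigned char buf[sizeof(struct policy_native)] = {0};

	return policy_setsockopt(in_compat, buf, optlen, &out);
}

int main(void)
{
	printf("native size %zu, compat size %zu\n",
	       sizeof(struct policy_native), sizeof(struct policy_compat));
	printf("limit sent 0x%llx, kernel would read 0x%llx\n",
	       (unsigned long long)sample.soft_byte_limit,
	       (unsigned long long)demo_misparse());
	printf("compat caller -> %d, wrong length -> %d, native -> %d\n",
	       demo_guard(1, sizeof(struct policy_compat)),
	       demo_guard(0, sizeof(struct policy_compat)),
	       demo_guard(0, sizeof(struct policy_native)));
	return 0;
}
```

The length check alone is not enough as a defence: a 32-bit caller can pad its buffer to the native size and the kernel will still interpret every field after the first 64-bit member at the wrong offset, which is why the patch rejects compat callers outright rather than relying on optlen.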