In-Reply-To: <20180201083418.rfarzrodccdy54xx@gauss3.secunet.de>
References: <001a1148251a36716f0564148ba9@google.com> <20180201083418.rfarzrodccdy54xx@gauss3.secunet.de>
From: Dmitry Vyukov
Date: Thu, 1 Feb 2018 11:30:00 +0100
Message-ID:
Subject: Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (4)
To: Steffen Klassert
Cc: syzbot, David Miller, Herbert Xu, LKML, netdev, syzkaller-bugs@googlegroups.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 1, 2018 at 9:34 AM, Steffen Klassert wrote:
> On Wed, Jan 31, 2018 at 07:58:01AM -0800, syzbot wrote:
>> Hello,
>>
>> syzbot hit the following crash on upstream commit
>> 72906f38934a49faf4d2d38ea9ae32adcf7d5d0c (Tue Jan 30 21:04:50 2018 +0000)
>> Merge branch 'x86-hyperv-for-linus' of
>> git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
>>
>> So far this crash happened 4 times on net-next, upstream.
>> C reproducer is attached.
>> syzkaller reproducer is attached.
>> Raw console output is attached.
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached.
>> user-space arch: i386
>
> Looks like we forgot to refuse to insert socket policies
> when userspace is 32 bit and kernel is 64 bit. We do this
> already for policies inserted with netlink because we don't
> have a compat layer for xfrm. This means that userspace
> and kernel structures don't match, leading to broken
> configurations.
>
> I don't have 32 bit userspace on 64 bit machines, so I
> can't test this myself. Can you please test this patch:

Hi Steffen,

Please see the email footer:

> If you want to test a patch for this bug, please reply with:
> #syz test: git://repo/address.git branch
> and provide the patch inline or as an attachment.

> Subject: [PATCH RFC] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems
>
> We don't have a compat layer for xfrm, so userspace and kernel
> structures have different sizes in this case. This results in
> a broken configuration, so refuse to configure socket policies
> when trying to insert from 32 bit userspace as we do it already
> with policies inserted via netlink.
>
> Signed-off-by: Steffen Klassert
> ---
> net/xfrm/xfrm_state.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
> index a3785f538018..25861a4ef872 100644
> --- a/net/xfrm/xfrm_state.c
> +++ b/net/xfrm/xfrm_state.c
> @@ -2056,6 +2056,11 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen
> struct xfrm_mgr *km;
> struct xfrm_policy *pol = NULL;
>
> +#ifdef CONFIG_COMPAT
> + if (in_compat_syscall())
> + return -EOPNOTSUPP;
> +#endif
> +
> if (optlen <= 0 || optlen > PAGE_SIZE)
> return -EMSGSIZE;
>
> --
> 2.14.1
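Review bot: the reason for the early return in xfrm_user_policy() lives only in the commit message; put a one-line comment above the `#ifdef CONFIG_COMPAT` block saying that xfrm has no compat layer, so the structures a 32-bit caller passes in (struct xfrm_userpolicy_info and the templates after it) do not match the kernel's layout and the request is refused, as the netlink path already does. Without it, a later reader of xfrm_state.c sees an unexplained -EOPNOTSUPP ahead of the optlen check. Two smaller points: in_compat_syscall() is a static inline returning false when CONFIG_COMPAT is off (include/linux/compat.h), so the #ifdef/#endif pair is not needed and the check can be the plain `if (in_compat_syscall()) return -EOPNOTSUPP;`; and because this turns a setsockopt that 32-bit callers could previously issue (and have misparsed) into a hard error, the commit message should state that user-visible behaviour change explicitly.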
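The mismatch Steffen describes, no compat layer for xfrm so the i386 and x86_64 sizes of the userspace structures differ, shown as an added stand-alone model rather than kernel code (it is not part of this thread or of the kernel tree). The two layouts of struct xfrm_userpolicy_info are rebuilt from the uapi field list with a 4-byte-aligned u64 typedef emulating the i386 ABI, the same trick the kernel's compat_u64 uses; a parser that carves templates the way the 64-bit setsockopt path does (a header of its own sizeof(), then (len - header) / sizeof(tmpl) templates after it) is fed a request laid out by a 32-bit caller. The buffer contents, the template limit of 6 and the names parse_policy, parse_policy_checked, build_compat_request, build_native_request and run_mismatch_demo are constructed for this example. It shows the misparse the thread describes (a lost template and a daddr read four bytes off), not the KASAN splat itself.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* u64 as a 64-bit kernel lays it out (8-byte aligned) and as i386 userspace
 * does (4-byte aligned); the second typedef is the kernel's compat_u64 trick. */
typedef uint64_t kernel_u64 __attribute__((aligned(8)));
typedef uint64_t compat_u64 __attribute__((aligned(4)));
typedef union { uint32_t a4; uint32_t a6[4]; } xfrm_address_t;

/* Field list of struct xfrm_selector: no u64 members, 56 bytes under both ABIs. */
struct xfrm_selector {
	xfrm_address_t daddr, saddr;
	uint16_t dport, dport_mask, sport, sport_mask, family;
	uint8_t prefixlen_d, prefixlen_s, proto;
	int32_t ifindex;
	uint32_t user;
};

/* Field list of struct xfrm_userpolicy_info, parametrised by the u64 type. */
#define DEFINE_USERPOLICY_INFO(name, u64_t)					\
	struct name {								\
		struct xfrm_selector sel;					\
		struct { u64_t soft_byte_limit, hard_byte_limit, soft_packet_limit, \
			 hard_packet_limit, soft_add_expires_seconds,		\
			 hard_add_expires_seconds, soft_use_expires_seconds,	\
			 hard_use_expires_seconds; } lft;			\
		struct { u64_t bytes, packets, add_time, use_time; } curlft;	\
		uint32_t priority, index;					\
		uint8_t dir, action, flags, share;				\
	}
DEFINE_USERPOLICY_INFO(xfrm_userpolicy_info, kernel_u64);        /* 168 bytes */
DEFINE_USERPOLICY_INFO(compat_xfrm_userpolicy_info, compat_u64); /* 164 bytes */

/* Field list of struct xfrm_user_tmpl: also u64-free, 64 bytes under both ABIs. */
struct xfrm_user_tmpl {
	struct { xfrm_address_t daddr; uint32_t spi; uint8_t proto; } id;
	uint16_t family;
	xfrm_address_t saddr;
	uint32_t reqid;
	uint8_t mode, share, optional;
	uint32_t aalgos, ealgos, calgos;
};

#define MAX_TMPL 6 /* stands in for the kernel's XFRM_MAX_DEPTH */
struct parsed_policy { struct xfrm_userpolicy_info hdr; struct xfrm_user_tmpl tmpl[MAX_TMPL]; int nr; };

/* How the 64-bit setsockopt path carves the buffer: a header of its own sizeof(),
 * then (len - header) / sizeof(tmpl) templates right after it. Returns the count. */
int parse_policy(const uint8_t *data, size_t len, struct parsed_policy *out)
{
	size_t hdr_size = sizeof(struct xfrm_userpolicy_info), nr;
	if (len < hdr_size)
		return -EINVAL;
	nr = (len - hdr_size) / sizeof(struct xfrm_user_tmpl);
	if (nr > MAX_TMPL)
		return -EINVAL;
	memset(out, 0, sizeof(*out));
	memcpy(&out->hdr, data, hdr_size);
	memcpy(out->tmpl, data + hdr_size, nr * sizeof(struct xfrm_user_tmpl));
	out->nr = (int)nr;
	return (int)nr;
}

/* The patch's early return, modelled: a 32-bit caller is refused before any
 * layout-dependent work happens. */
int parse_policy_checked(const uint8_t *data, size_t len, int compat_caller, struct parsed_policy *out)
{
	return compat_caller ? -EOPNOTSUPP : parse_policy(data, len, out);
}

static size_t build_request(uint8_t *buf, size_t cap, const void *hdr, size_t hdr_size, int ntmpl)
{
	size_t len = hdr_size + (size_t)ntmpl * sizeof(struct xfrm_user_tmpl);
	struct xfrm_user_tmpl t;
	if (len > cap)
		return 0;
	/* Constructed template: daddr words 0x11111111, 0x22222222, ...; ESP, tunnel mode. */
	memset(&t, 0, sizeof(t));
	for (int i = 0; i < 4; i++)
		t.id.daddr.a6[i] = 0x11111111u * (uint32_t)(i + 1);
	t.id.spi = 0x55555555u; t.id.proto = 50; t.family = 2; t.mode = 1;
	memcpy(buf, hdr, hdr_size);
	for (int i = 0; i < ntmpl; i++)
		memcpy(buf + hdr_size + (size_t)i * sizeof(t), &t, sizeof(t));
	return len;
}

/* The bytes an i386 process hands to setsockopt(): 164-byte header, then templates. */
size_t build_compat_request(uint8_t *buf, size_t cap, int ntmpl)
{
	struct compat_xfrm_userpolicy_info hdr;
	memset(&hdr, 0, sizeof(hdr));
	hdr.sel.family = 2; hdr.dir = 1; hdr.priority = 1000; /* AF_INET, XFRM_POLICY_OUT */
	return build_request(buf, cap, &hdr, sizeof(hdr), ntmpl);
}

/* The same request from a 64-bit process: 168-byte header, then templates. */
size_t build_native_request(uint8_t *buf, size_t cap, int ntmpl)
{
	struct xfrm_userpolicy_info hdr;
	memset(&hdr, 0, sizeof(hdr));
	hdr.sel.family = 2; hdr.dir = 1; hdr.priority = 1000;
	return build_request(buf, cap, &hdr, sizeof(hdr), ntmpl);
}

struct mismatch_report {
	size_t compat_len, native_len;         /* bytes each caller sends for 2 templates */
	int compat_nr, native_nr;              /* templates the 64-bit parser finds */
	uint32_t compat_daddr0, native_daddr0; /* first daddr word it reads */
	uint32_t compat_spi0;                  /* spi it reads from the 32-bit request */
	int checked_rc;                        /* the 32-bit request with the patch's check */
};

struct mismatch_report run_mismatch_demo(void)
{
	struct mismatch_report r;
	struct parsed_policy p;
	uint8_t buf[512];
	memset(&r, 0, sizeof(r));
	r.compat_len = build_compat_request(buf, sizeof(buf), 2);
	r.compat_nr = parse_policy(buf, r.compat_len, &p);   /* template read 4 bytes late */
	r.compat_daddr0 = p.tmpl[0].id.daddr.a6[0];
	r.compat_spi0 = p.tmpl[0].id.spi;                    /* proto byte + padding, LE */
	r.checked_rc = parse_policy_checked(buf, r.compat_len, 1, &p);
	r.native_len = build_native_request(buf, sizeof(buf), 2);
	r.native_nr = parse_policy(buf, r.native_len, &p);
	r.native_daddr0 = p.tmpl[0].id.daddr.a6[0];
	return r;
}

int main(void)
{
	struct mismatch_report r = run_mismatch_demo();
	printf("header: i386 %zu bytes, 64-bit kernel %zu bytes\n",
	       sizeof(struct compat_xfrm_userpolicy_info), sizeof(struct xfrm_userpolicy_info));
	printf("i386 sends %zu bytes / 2 templates: kernel sees %d, daddr[0]=0x%08x, spi=0x%08x\n",
	       r.compat_len, r.compat_nr, r.compat_daddr0, r.compat_spi0);
	printf("x86_64 sends %zu bytes / 2 templates: kernel sees %d, daddr[0]=0x%08x\n",
	       r.native_len, r.native_nr, r.native_daddr0);
	printf("with the patch's check the i386 request gets %d (-EOPNOTSUPP)\n", r.checked_rc);
	return 0;
}
```

The member offsets of the two headers are identical up to byte 164; only the trailing padding differs (164 versus 168), so the policy fields parse fine and the damage lands entirely on the template array: with two templates sent, the 64-bit parser computes one, reads it from offset 168 instead of 164, and so sees the second daddr word as the first and the proto byte as the SPI. The refusal in parse_policy_checked is the behaviour the patch adds at the top of xfrm_user_policy(); the alternative, which the thread notes does not exist, would be a compat layer that converts the 164-byte header before this parse.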