Date: Fri, 2 Feb 2018 08:22:34 +0100
From: Steffen Klassert
To: Dmitry Vyukov
CC: syzbot, "David Miller", Herbert Xu, LKML, netdev
Subject: Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (4)
Message-ID: <20180202072234.knjilchejpb6uudo@gauss3.secunet.de>
References: <001a1148251a36716f0564148ba9@google.com> <20180201083418.rfarzrodccdy54xx@gauss3.secunet.de>
In-Reply-To:
List-ID: linux-kernel@vger.kernel.org

On Thu, Feb 01, 2018 at 11:30:00AM +0100, Dmitry Vyukov wrote:
> On Thu, Feb 1, 2018 at 9:34 AM, Steffen Klassert
>
> Hi Steffen,
>
> Please see the email footer:
>
> > If you want to test a patch for this bug, please reply with:
> > #syz test: git://repo/address.git branch
> > and provide the patch inline or as an attachment.

Thanks for the hint, I've overlooked this.

This is very useful for the case that I cannot reproduce the bug,
but I think I know how to fix it.

There are two more cases that come to my mind where syzbot could help.

1. I cannot reproduce the bug and I don't know how to fix it, but some
   debug output would be helpful:

   syz test-debug-patch-and-send-dmesg-output: git://repo/address.git branch

2. I cannot reproduce the bug and I have absolutely no idea what it
   could be:

   syz bisect: git://repo/address.git branch commit a commit b

I don't know if this is possible, but it would bring the bugfixing
process a bit closer to the case where a real user does a bug report.
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Subject: [PATCH RFC] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems

We don't have a compat layer for xfrm, so userspace and kernel
structures have different sizes in this case. This results in
a broken configuration, so refuse to configure socket policies
when trying to insert from 32 bit userspace as we do it already
with policies inserted via netlink.

Reported-by: syzbot+e1a1577ca8bcb47b769a@syzkaller.appspotmail.com
Signed-off-by: Steffen Klassert
---
 net/xfrm/xfrm_state.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index a3785f538018..25861a4ef872 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2056,6 +2056,11 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen
 	struct xfrm_mgr *km;
 	struct xfrm_policy *pol = NULL;
 
+#ifdef CONFIG_COMPAT
+	if (in_compat_syscall())
+		return -EOPNOTSUPP;
+#endif
+
 	if (optlen <= 0 || optlen > PAGE_SIZE)
 		return -EMSGSIZE;
 
-- 
2.14.1
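Review bot: the commit message describes the size mismatch but never connects it to the bug named in the Subject; a reader of this hunk cannot see how a wrongly sized socket policy turns into a stack-out-of-bounds read in xfrm_state_find, so please spell that chain out in the message (which field is misread, and where it is later consumed) so the fix can be judged as a fix and not only as a policy decision. Placing the `in_compat_syscall()` rejection before the `optlen` range check is the right order, since a compat caller should never reach the `-EMSGSIZE` path with a buffer the kernel cannot interpret, but the message should also name the netlink check it claims to mirror ("as we do it already with policies inserted via netlink") and confirm both paths return the same `-EOPNOTSUPP`, and it should state plainly that this is a user-visible behaviour change for 32-bit userspace on 64-bit kernels (a misparsed policy becomes a hard error), which is what the RFC tag is really asking reviewers to weigh.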
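The commit message says only that "userspace and kernel structures have different sizes". The following is an added illustration written for this page, not code from the patch or from the kernel, of what that means when no compat layer translates the layout, together with the kind of entry check the patch adds. The structs `policy32` and `policy64`, the function `user_policy_check`, and the use of 4096 as a stand-in for PAGE_SIZE are all assumptions made for the example; `policy64` uses the host's natural alignment (8-byte `uint64_t` on x86_64), and `policy32` emulates the i386 ABI, where 64-bit integers are only 4-byte aligned, by packing the struct. The real xfrm structures are larger, but the mechanism is the same: the 64-bit side reads more bytes than the 32-bit side wrote, and fields after the first 64-bit member land at the wrong offsets.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified policy record (NOT the real xfrm_userpolicy_info).
 * Native 64-bit layout: index@0, 4 bytes padding, limit@8, action@16, 4 bytes
 * tail padding -> 24 bytes. */
struct policy64 {
    uint32_t index;
    uint64_t soft_byte_limit;
    uint32_t action;
};

/* Same fields as a 32-bit (i386 ABI) sender lays them out: the u64 is only
 * 4-byte aligned, so there is no padding -> 16 bytes. packed+aligned(4)
 * reproduces exactly that layout on a 64-bit host. */
struct policy32 {
    uint32_t index;
    uint64_t soft_byte_limit;
    uint32_t action;
} __attribute__((packed, aligned(4)));

#define DEMO_PAGE_SIZE 4096   /* assumption: stands in for the kernel's PAGE_SIZE */

/* Entry check modelled on the patched xfrm_user_policy(): a compat caller is
 * refused before its buffer is looked at; a native caller is then held to the
 * native struct size. Returns 0 or a negative errno like the kernel does. */
int user_policy_check(bool in_compat, size_t optlen)
{
    if (in_compat)
        return -EOPNOTSUPP;                 /* the patch's new early exit */
    if (optlen == 0 || optlen > DEMO_PAGE_SIZE)
        return -EMSGSIZE;                   /* the range check that follows it */
    if (optlen < sizeof(struct policy64))
        return -EINVAL;                     /* too short for the native layout */
    return 0;
}

/* How many bytes past a 32-bit sender's record a native decode would read. */
size_t overread_bytes(void)
{
    return sizeof(struct policy64) - sizeof(struct policy32);
}

/* Decode the way a 64-bit receiver with no compat layer would: it expects
 * sizeof(struct policy64) bytes whatever the sender's layout was. The copy is
 * bounded and zero-filled here so the demo stays in bounds; in the kernel,
 * that over-read past the caller's buffer is the bug. */
struct policy64 decode_as_native(const void *buf, size_t optlen)
{
    struct policy64 out;
    memset(&out, 0, sizeof(out));
    memcpy(&out, buf, optlen < sizeof(out) ? optlen : sizeof(out));
    return out;
}

/* Constructed sample: a 32-bit sender fills the record, the native side decodes it. */
struct policy64 demo_mismatch(void)
{
    struct policy32 sent = {
        .index = 7, .soft_byte_limit = 0x1122334455667788ULL, .action = 2,
    };
    unsigned char wire[sizeof(struct policy32)];
    memcpy(wire, &sent, sizeof(wire));
    return decode_as_native(wire, sizeof(wire));
}

uint32_t decoded_index(void)  { return demo_mismatch().index; }
uint64_t decoded_limit(void)  { return demo_mismatch().soft_byte_limit; }
uint32_t decoded_action(void) { return demo_mismatch().action; }

int main(void)
{
    printf("native size %zu, 32-bit size %zu, over-read %zu bytes\n",
           sizeof(struct policy64), sizeof(struct policy32), overread_bytes());
    printf("decoded: index=%u limit=0x%llx action=%u\n", decoded_index(),
           (unsigned long long)decoded_limit(), decoded_action());
    printf("compat caller -> %d, native 24-byte caller -> %d\n",
           user_policy_check(true, 24), user_policy_check(false, 24));
    return 0;
}
```

Only `index`, which sits before the first 64-bit member, survives the decode intact; `soft_byte_limit` is assembled from the wrong bytes and `action` is read from beyond the 16 bytes the sender actually supplied. That is why the patch refuses the compat caller outright rather than trying to validate its buffer.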