From: Dmitry Vyukov
Date: Fri, 2 Feb 2018 09:23:30 +0100
Subject: Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (4)
To: Steffen Klassert
Cc: syzbot, David Miller, Herbert Xu, LKML, netdev, syzkaller-bugs@googlegroups.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Feb 2, 2018 at 8:22 AM, Steffen Klassert wrote:
> On Thu, Feb 01, 2018 at 11:30:00AM +0100, Dmitry Vyukov wrote:
>> On Thu, Feb 1, 2018 at 9:34 AM, Steffen Klassert
>>
>> Hi Steffen,
>>
>> Please see the email footer:
>>
>> > If you want to test a patch for this bug, please reply with:
>> > #syz test: git://repo/address.git branch
>> > and provide the patch inline or as an attachment.
>
> Thanks for the hint, I've overlooked this. This is very useful
> for the case that I can not reproduce the bug, but I think I know
> how to fix it.
>
> There are two more cases that come to my mind where syzbot could
> help.
>
> 1. I can not reproduce the bug and I don't know how to fix it,
> but some debug output would be helpful:
>
> syz test-debug-patch-and-send-dmesg-output: git://repo/address.git branch

This is supported by "syz test", see:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot

> 2. I can not reproduce the bug and I have absolutely no idea what it
> could be:
>
> syz bisect: git://repo/address.git branch commit a commit b
>
> I don't know if this is possible, but it would bring the bugfixing
> process a bit closer to the case where a real user does a bug report.

This is on my plate: https://github.com/google/syzkaller/issues/501
I think we probably will do bisection always without user request,
and then just post an additional email with results.
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>
>
> Subject: [PATCH RFC] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems
>
> We don't have compat layer for xfrm, so userspace and kernel
> structures have different sizes in this case. This results in
> a broken configuration, so refuse to configure socket policies
> when trying to insert from 32 bit userspace as we do it already
> with policies inserted via netlink.
>
> Reported-by: syzbot+e1a1577ca8bcb47b769a@syzkaller.appspotmail.com
> Signed-off-by: Steffen Klassert
> ---
> net/xfrm/xfrm_state.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
> index a3785f538018..25861a4ef872 100644
> --- a/net/xfrm/xfrm_state.c
> +++ b/net/xfrm/xfrm_state.c
> @@ -2056,6 +2056,11 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen > struct xfrm_mgr *km; > struct xfrm_policy *pol = NULL; > > +#ifdef CONFIG_COMPAT > + if (in_compat_syscall()) > + return -EOPNOTSUPP; > +#endif > + > if (optlen <= 0 || optlen > PAGE_SIZE) > return -EMSGSIZE; > >
> --
> 2.14.1
>
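Review bot: the `#ifdef CONFIG_COMPAT` / `#endif` pair around the new check at the top of xfrm_user_policy() is redundant, because in_compat_syscall() is defined as a static inline returning false when CONFIG_COMPAT is not set, so the hunk could be reduced to `if (in_compat_syscall()) return -EOPNOTSUPP;` unless the guard is kept deliberately to match the existing netlink-path check. On that point, the commit message says the same refusal is "already" done for policies inserted via netlink but does not name where; citing the function in net/xfrm/xfrm_user.c that performs that check would let reviewers confirm both entry points (setsockopt here, netlink there) stay consistent, and a sentence noting that 32-bit callers of this setsockopt on 64-bit kernels now get EOPNOTSUPP instead of a silently mis-sized policy would document the user-visible behaviour change.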