Date: Wed, 9 May 2018 00:37:54 -0700
From: Eric Biggers
To: Eric Dumazet
Cc: Eric Dumazet, syzbot, alexander.deucher@amd.com, Andrey Konovalov, Anoob Soman, chris@chris-wilson.co.uk, David Miller, elena.reshetova@intel.com, Greg Kroah-Hartman, Kees Cook, LKML, Mike Maloney, mchehab@kernel.org, netdev, rami.rosen@intel.com, Sowmini Varadhan, syzkaller-bugs@googlegroups.com, Willem de Bruijn
Subject: Re: KASAN: use-after-free Read in __dev_queue_xmit
Message-ID: <20180509073754.GG711@sol.localdomain>
References: <94eb2c0ce3aa27cfa40561ec2dc3@google.com> <1515048794.131759.4.camel@gmail.com>
In-Reply-To: <1515048794.131759.4.camel@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jan 03, 2018 at 10:53:14PM -0800, Eric Dumazet wrote:
> On Wed, 2018-01-03 at 21:13 -0800, Eric Dumazet wrote:
> > Note: all commands must start from beginning of the line in the email body.
> > 
> > I guess skb_probe_transport_header() should be hardened to reject malicious
> > packets given by user space, instead of being gentle.
> 
> Although bug triggered for this particular repro is in flow dissector :/
> 
> I will test :
> 
> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
> index 15ce300637650e17fcab7e378b20fe7972686d46..544bddf08e13c7f6e47aadc737244c9ba5af56b2 100644
> --- a/net/core/flow_dissector.c
> +++ b/net/core/flow_dissector.c
> @@ -976,8 +976,8 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
> ?out_good:
> ????????ret = true;
> ?
> -???????key_control->thoff = (u16)nhoff;
> ?out:
> +???????key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);
> ????????key_basic->n_proto = proto;
> ????????key_basic->ip_proto = ip_proto;
> ?
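Review bot: moving the thoff assignment under the `out:` label with `min_t(u16, nhoff, skb ? skb->len : hlen)` bounds thoff on both the out_good and the out_bad exit (the out_bad hunk below drops its own copy for that reason), but two consequences deserve a sentence in the commit message. First, `min_t(u16, ...)` converts both operands to u16 before comparing, so the cap is only meaningful while nhoff and skb->len (or hlen) stay below 65536; a larger value wraps before the comparison and can yield a small, in-range but wrong offset. Second, a capped thoff can equal skb->len, which points one past the last byte, so a consumer such as the skb_probe_transport_header() path mentioned above still needs its own length check before touching the transport header; the cap makes the offset sane, it does not make the read safe.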
> @@ -985,7 +985,6 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
> ?
> ?out_bad:
> ????????ret = false;
> -???????key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);
> ????????goto out;
> ?}
> ?EXPORT_SYMBOL(__skb_flow_dissect);

Fix for this was commit d0c081b49137cd:

#syz fix: flow_dissector: properly cap thoff field

But a crash with the same signature is still occurring, so it should eventually get reported again.

C reproducer is here; it works on Linus' tree (commit 036db8bd963):
https://syzkaller.appspot.com/text?tag=ReproC&x=105b1ae7800000

- Eric
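A constructed user-space C model of the before/after behaviour of the thoff cap in the quoted patch, added here as an illustration (it is not kernel code and not from either Eric): a toy IPv4 IHL dissector produces an over-long nhoff for a crafted short packet, `thoff_uncapped` mirrors the pre-patch assignment, `thoff_capped` mirrors the `min_t(u16, ...)` line including its convert-then-compare semantics, and `transport_read_in_bounds` stands in for the length check a consumer like skb_probe_transport_header() still needs. All names, the `struct pkt` stand-in for sk_buff, and the sample bytes are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Mirrors the kernel's min_t(type, x, y): both operands are converted to
 * the type first, then compared. Hypothetical name. */
#define MIN_T_U16(x, y) \
	((uint16_t)(x) < (uint16_t)(y) ? (uint16_t)(x) : (uint16_t)(y))

/* Stand-in for the parts of struct sk_buff the cap looks at (hypothetical). */
struct pkt {
	const uint8_t *data;
	unsigned int len;
};

/* Toy dissector: takes the IPv4 IHL nibble at face value and reports where
 * the transport header would start. A crafted IHL on a short packet yields
 * an offset past the end of the buffer, which is exactly the situation the
 * patch has to cope with for packets handed in from user space. */
static unsigned int dissect_ipv4_nhoff(const struct pkt *p)
{
	if (p->len < 1)
		return 0;
	return (p->data[0] & 0x0f) * 4u;
}

/* Pre-patch: key_control->thoff = (u16)nhoff, no bound at all. */
static uint16_t thoff_uncapped(unsigned int nhoff)
{
	return (uint16_t)nhoff;
}

/* Post-patch: key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen). */
static uint16_t thoff_capped(unsigned int nhoff, const struct pkt *skb, int hlen)
{
	return MIN_T_U16(nhoff, skb ? skb->len : (unsigned int)hlen);
}

/* The check a consumer still needs: a capped thoff can equal len, which is
 * one past the last byte, so it is not yet safe to read a transport header. */
static bool transport_read_in_bounds(const struct pkt *p, uint16_t thoff)
{
	return thoff < p->len;
}

/* Constructed sample: 20-byte packet whose first byte claims version 4,
 * IHL 15 (60 bytes of IP header), so nhoff = 60 > len = 20. */
static const uint8_t sample_bytes[20] = { 0x4f, 0x00, 0x00, 0x14 };
static const struct pkt sample_pkt = { sample_bytes, sizeof(sample_bytes) };
```

The last assertion in the accompanying check shows the u16 wrap: an nhoff above 65535 is truncated before the comparison and comes out as a small offset that passes the bounds check while pointing at the wrong place.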