From: Dmitry Vyukov
Date: Thu, 14 Jun 2018 09:37:12 +0200
Subject: Re: KASAN: slab-out-of-bounds Read in bpf_skb_vlan_push
To: Daniel Borkmann
Cc: syzbot, Alexei Starovoitov, David Miller, LKML, netdev, syzkaller-bugs

On Wed, Jun 13, 2018 at 8:15 PM, Daniel Borkmann wrote:
> On 06/13/2018 08:13 PM, syzbot wrote:
>>> On 06/13/2018 06:17 PM, syzbot wrote:
>>>> Hello,
>>
>>>> syzbot found the following crash on:
>>
>>>> HEAD commit: 75d4e704fa8d netdev-FAQ: clarify DaveM's position for stab..
>>>> git tree: bpf-next
>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1754783f800000
>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=a601a80fec461d44
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=76de61614cb1abdd73fc
>>>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>>>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=12c1e1bf800000
>>
>>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>>> Reported-by: syzbot+76de61614cb1abdd73fc@syzkaller.appspotmail.com
>>
>>>> IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
>>>> IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
>>>> 8021q: adding VLAN 0 to HW filter on device team0
>>>> 8021q: adding VLAN 0 to HW filter on device team0
>>>> ==================================================================
>>>> BUG: KASAN: slab-out-of-bounds in skb_at_tc_ingress include/net/sch_generic.h:535 [inline]
>>>> BUG: KASAN: slab-out-of-bounds in bpf_push_mac_rcsum net/core/filter.c:1625 [inline]
>>>> BUG: KASAN: slab-out-of-bounds in ____bpf_skb_vlan_push net/core/filter.c:2446 [inline]
>>>> BUG: KASAN: slab-out-of-bounds in bpf_skb_vlan_push+0x6b7/0x720 net/core/filter.c:2437
>>>> Read of size 5 at addr ffff8801b77347d0 by task syz-executor6/6529
>>
>>> Should be fixed already by:
>>
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=58990d1ff3f7896ee341030e9a7c2e4002570683
>>
>>
>>> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
>>
>> want 2 args (repo, branch), got 1
>
> Fair enough ... assumed default would have been master. ;-)

There is an issue with making defaults. Some email clients reflow
emails and split lines and git repo address can be lengthy and trigger
such reflow. To work around this syzbot currently looks for 2 "tokens"
after syz test, not necessarily on the same line. The default for branch
will cause ambiguity in parsing: is it only repo without branch, or is
it repo with branch on the next line?

Engineering hits reality...

> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
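
The parsing trade-off described in this mail, as an added Go example that is not syzbot's code and not part of the original message: `parseTwoTokens` applies the two-token rule, and the hypothetical `parseWithDefault` shows how a `master` default misreads a command whose branch a mail client wrapped onto the next line. The function names and the sample mail body are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const cmd = "#syz test:"

// parseTwoTokens follows the rule described in the mail: take the next two
// whitespace-separated tokens after the command, on whatever lines they fall.
func parseTwoTokens(body string) (repo, branch string, err error) {
	_, rest, ok := strings.Cut(body, cmd)
	if !ok {
		return "", "", fmt.Errorf("no %q command", cmd)
	}
	toks := strings.Fields(rest) // Fields splits on newlines as well as spaces
	if len(toks) < 2 {
		return "", "", fmt.Errorf("want 2 args (repo, branch), got %d", len(toks))
	}
	return toks[0], toks[1], nil
}

// parseWithDefault is the alternative under discussion (hypothetical): read
// only the command's own line and fall back to "master" if no branch is there.
func parseWithDefault(body string) (repo, branch string, err error) {
	_, rest, ok := strings.Cut(body, cmd)
	if !ok {
		return "", "", fmt.Errorf("no %q command", cmd)
	}
	line, _, _ := strings.Cut(rest, "\n")
	toks := strings.Fields(line)
	switch len(toks) {
	case 0:
		return "", "", fmt.Errorf("want repo, got 0 args")
	case 1:
		return toks[0], "master", nil
	}
	return toks[0], toks[1], nil
}

func main() {
	// Constructed sample: a mail client wrapped the branch onto the next line.
	reflowed := "#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git\nbpf-next\n"
	_, b1, _ := parseTwoTokens(reflowed)
	_, b2, _ := parseWithDefault(reflowed)
	fmt.Printf("two-token rule: %s; default rule: %s\n", b1, b2)
}
```

On the reflowed sample the default rule selects `master` without any error, so the wrong tree would be tested silently, whereas the two-token rule either finds the branch or rejects the command.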