Subject: Re: v4.18-rc4: slab-out-of-bounds in ___bpf_prog_run
From: Daniel Borkmann
To: Mark Rutland, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Cc: Alexei Starovoitov, David S. Miller
Date: Mon, 9 Jul 2018 15:34:41 +0200
In-Reply-To: <20180709123517.daw7bx3gvhnu5jqm@lakrids.cambridge.arm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 07/09/2018 02:35 PM, Mark Rutland wrote:
> Hi,
>
> While fuzzing v4.18-rc4 with Syzkaller, I hit a KASAN slab-out-of-bounds
> warning at ___bpf_prog_run+0x1f20 (splat at the end of this mail), which
> faddr2line tells me is kernel/bpf/core.c:1303.
>
> I can reliably trigger this with the below C program, which I minimized from
> Syzkaller's auto-generated C reproducer.

Thanks Mark! Looking into it.