Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp968000imm;
        Thu, 13 Sep 2018 10:26:02 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdbiJqtbETeVNSOdXIEbmhRK+H2Mq7B+VKj3e/watl8/XwHZnRrVDRW3Z4SDeoxpvawY6exj
X-Received: by 2002:a62:83ca:: with SMTP id h193-v6mr8415801pfe.123.1536859562564;
        Thu, 13 Sep 2018 10:26:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1536859562; cv=none;
        d=google.com; s=arc-20160816;
        b=Hyn/VhPOi6ZmdZBunltBmtSf6cu+SBM6+EirY3ap+ydjGKHRuyuxX5dyDevKu18m0e
         WlKQXdLJF571IzE5aarIwo196zWOPr+DbO12MoP4Ceb9l7zyj7tQ3T8sst0F8f0uY0+p
         ZnKULAOwQ7A+hy3WH+5JBJiKkMWdBEwKqOjn8M//eN2ftorFc0wVjCh5y+aPVj0Z+3A2
         kq15ND2xFoxL5dvLF/utJa32uO8ecC69rCj8elw4EjCF/GneThTQECDI6hp1rJvNezUW
         qP5ZPmAufQFtLeHqiyI/nVNsLq8edG6nO0ScyfG7smn1iRwhKIKZjV2jneJ5ej7pI5/U
         y3sA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=bO2vKXVxrvGcWd1SxdSwTdgUDIfwiYlUNMSbM/e18kY=;
        b=UreqIkywL3z6NDnw3oWp+gPHFEam0qJuNq29sndtqUxF/W40as5QtDDUFXPEEO9zOs
         5tN7oI1wMYUFU5tfL18dNqNhK6lv9qqwbuP/wl38F05cX95rE0g5TkSrO/8HyoyCHmj2
         D6BZ/m8ZTStYXdOWesE0D4BAJnuB+9luPt9xvzYLbsMIP/W5ZFVKgJkHwnF67md/FYtl
         rRbga/l1igJp9M++yB0m9fQOcvNWLaCE8AHUr125KaUtKmyd4Eguj3secRpUKWCmctaO
         hkRyUUqLI8EEy8SXE87bmgYPWDK5w8YIZySORsjWi3LTXWUWERR/7QkCsatqrOeeWLqI
         58rg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v8-v6si4659937pga.487.2018.09.13.10.25.45;
        Thu, 13 Sep 2018 10:26:02 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728166AbeIMWeQ (ORCPT <rfc822;rajatbajpailinux@gmail.com>
        + 99 others); Thu, 13 Sep 2018 18:34:16 -0400
Received: from zimbra.alphalink.fr ([217.15.80.77]:49559 "EHLO
        zimbra.alphalink.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726835AbeIMWeQ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 13 Sep 2018 18:34:16 -0400
Received: from localhost (localhost [127.0.0.1])
        by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id 5C9CE2B52068;
        Thu, 13 Sep 2018 19:23:47 +0200 (CEST)
Received: from zimbra.alphalink.fr ([127.0.0.1])
        by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1]) (amavisd-new, port 10032)
        with ESMTP id H0tzQJ6NF_dC; Thu, 13 Sep 2018 19:23:45 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
        by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id 4BE362B52072;
        Thu, 13 Sep 2018 19:23:45 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mail-2-cbv2.admin.alphalink.fr
Received: from zimbra.alphalink.fr ([127.0.0.1])
        by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id xLPafC65zXRn; Thu, 13 Sep 2018 19:23:45 +0200 (CEST)
Received: from c-dev-0.admin.alphalink.fr (94-84-15-217.reverse.alphalink.fr [217.15.84.94])
        by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id 16D812B52068;
        Thu, 13 Sep 2018 19:23:45 +0200 (CEST)
Received: by c-dev-0.admin.alphalink.fr (Postfix, from userid 1000)
        id DF8926014D; Thu, 13 Sep 2018 19:23:44 +0200 (CEST)
Date:   Thu, 13 Sep 2018 19:23:44 +0200
From:   Guillaume Nault <g.nault@alphalink.fr>
To:     Alexander Potapenko <glider@google.com>
Cc:     Eric Dumazet <eric.dumazet@gmail.com>,
        syzbot+f5f6080811c849739212@syzkaller.appspotmail.com,
        LKML <linux-kernel@vger.kernel.org>, mostrows@earthlink.net,
        Networking <netdev@vger.kernel.org>,
        syzkaller-bugs@googlegroups.com
Subject: Re: KMSAN: uninit-value in pppoe_rcv
Message-ID: <20180913172344.GB1507@alphalink.fr>
References: <0000000000004624c30575a9fd40@google.com>
 <CAG_fn=Vk2HMPCLJV3aj1dt0KkDmksasBRRfKGnCTRHjvQ6OnQg@mail.gmail.com>
 <7424e094-afda-084a-ad80-299f219ced92@gmail.com>
 <CAG_fn=WXPsQBWR1GDsprY3aL4oW0v6EGhNB5wrvPJCOMh_U7wQ@mail.gmail.com>
 <20180913161929.GA1507@alphalink.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180913161929.GA1507@alphalink.fr>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 13, 2018 at 06:19:29PM +0200, Guillaume Nault wrote:
> On Thu, Sep 13, 2018 at 04:12:38PM +0200, Alexander Potapenko wrote:
> > On Thu, Sep 13, 2018 at 3:57 PM Eric Dumazet <eric.dumazet@gmail.com> wrote:
> > >
> > >
> > >
> > > On 09/12/2018 03:38 AM, Alexander Potapenko wrote:
> > > > On Wed, Sep 12, 2018 at 12:24 PM syzbot
> > > > <syzbot+f5f6080811c849739212@syzkaller.appspotmail.com> wrote:
> > > >>
> > > >> Hello,
> > > >>
> > > >> syzbot found the following crash on:
> > > >>
> > > >> HEAD commit:    d2d741e5d189 kmsan: add initialization for shmem pages
> > > >> git tree:       https://github.com/google/kmsan.git/master
> > > >> console output: https://syzkaller.appspot.com/x/log.txt?x=1465fc37800000
> > > >> kernel config:  https://syzkaller.appspot.com/x/.config?x=48f9de3384bcd0f
> > > >> dashboard link: https://syzkaller.appspot.com/bug?extid=f5f6080811c849739212
> > > >> compiler:       clang version 7.0.0 (trunk 329391)
> > > >> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14d6e607800000
> > > >> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10a15b5b800000
> > > >>
> > > >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > >> Reported-by: syzbot+f5f6080811c849739212@syzkaller.appspotmail.com
> > > >>
> > > >> IPVS: ftp: loaded support on port[0] = 21
> > > >> ==================================================================
> > > >> BUG: KMSAN: uninit-value in __get_item drivers/net/ppp/pppoe.c:172 [inline]
> > > >> BUG: KMSAN: uninit-value in get_item drivers/net/ppp/pppoe.c:236 [inline]
> > > >> BUG: KMSAN: uninit-value in pppoe_rcv+0xcef/0x10e0
> > > >> drivers/net/ppp/pppoe.c:450
> > > >> CPU: 0 PID: 4543 Comm: syz-executor355 Not tainted 4.16.0+ #87
> > > >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > >> Google 01/01/2011
> > > >> Call Trace:
> > > >>   __dump_stack lib/dump_stack.c:17 [inline]
> > > >>   dump_stack+0x185/0x1d0 lib/dump_stack.c:53
> > > >>   kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
> > > >>   __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
> > > >>   __get_item drivers/net/ppp/pppoe.c:172 [inline]
> > > >>   get_item drivers/net/ppp/pppoe.c:236 [inline]
> > > >>   pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
> > > >>   __netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4562
> > > >>   __netif_receive_skb net/core/dev.c:4627 [inline]
> > > >>   netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
> > > >>   netif_receive_skb+0x230/0x240 net/core/dev.c:4725
> > > >>   tun_rx_batched drivers/net/tun.c:1555 [inline]
> > > >>   tun_get_user+0x740f/0x7c60 drivers/net/tun.c:1962
> > > >>   tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
> > > >>   call_write_iter include/linux/fs.h:1782 [inline]
> > > >>   new_sync_write fs/read_write.c:469 [inline]
> > > >>   __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
> > > >>   vfs_write+0x463/0x8d0 fs/read_write.c:544
> > > >>   SYSC_write+0x172/0x360 fs/read_write.c:589
> > > >>   SyS_write+0x55/0x80 fs/read_write.c:581
> > > >>   do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
> > > >>   entry_SYSCALL_64_after_hwframe+0x3d/0xa2
> > > >> RIP: 0033:0x4447c9
> > > >> RSP: 002b:00007fff64c8fc28 EFLAGS: 00000297 ORIG_RAX: 0000000000000001
> > > >> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004447c9
> > > >> RDX: 000000000000fd87 RSI: 0000000020000600 RDI: 0000000000000004
> > > >> RBP: 00000000006cf018 R08: 00007fff64c8fda8 R09: 00007fff00006bda
> > > >> R10: 0000000000005fe7 R11: 0000000000000297 R12: 00000000004020d0
> > > >> R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000
> > > >>
> > > >> Uninit was created at:
> > > >>   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
> > > >>   kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
> > > >>   kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
> > > >>   kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
> > > >>   slab_post_alloc_hook mm/slab.h:445 [inline]
> > > >>   slab_alloc_node mm/slub.c:2737 [inline]
> > > >>   __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
> > > >>   __kmalloc_reserve net/core/skbuff.c:138 [inline]
> > > >>   __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
> > > >>   alloc_skb include/linux/skbuff.h:984 [inline]
> > > >>   alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
> > > >>   sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
> > > >>   tun_alloc_skb drivers/net/tun.c:1532 [inline]
> > > >>   tun_get_user+0x2242/0x7c60 drivers/net/tun.c:1829
> > > >>   tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
> > > >>   call_write_iter include/linux/fs.h:1782 [inline]
> > > >>   new_sync_write fs/read_write.c:469 [inline]
> > > >>   __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
> > > >>   vfs_write+0x463/0x8d0 fs/read_write.c:544
> > > >>   SYSC_write+0x172/0x360 fs/read_write.c:589
> > > >>   SyS_write+0x55/0x80 fs/read_write.c:581
> > > >>   do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
> > > >>   entry_SYSCALL_64_after_hwframe+0x3d/0xa2
> > > >> ==================================================================
> > > > I did a little digging before sending the bug upstream.
> > > > If I add memset(obj, 0xfe, size) to __kmalloc_reserve(), these 0xfe
> > > > bytes are visible in __get_item() at the place where KMSAN reports an
> > > > error.
> > > >
> > > > The problem is somehow related to tun_get_user() creating a fragmented
> > > > sk_buff - when I change the call to tun_alloc_skb() so that it
> > > > allocates a single buffer the bug goes away.
> > > >
> > >
> > > I guess the following patch would fix the issue
> > >
> > > (I will submit it more formally)
> > No, as far as I can see it doesn't.
> > Saving sid before __skb_pull() is still a good idea, but in this
> > particular case |ph| doesn't change.
> 
> Yes, we probably need to save sid.
> 
> But I think the problem found by syzbot is related to
> eth_hdr(skb)->h_source. PPPoE expects that Ethernet header has already
> been parsed and is accessible at skb_mac_header(skb).
> But here skb_mac_header(skb) == skb->data, and we may pull only 6 bytes
> (sizeof(truct pppoe_hdr)). Therefore eth_hdr(skb)->h_source points past
> skb's head length.
> 
> Not sure if something needs to be changed in tun.c for properly setting
> skb_mac_header. But PPPoE has no reason to consider packets from
> non-Ethernet devices anyway.

Nothing to change in tun.c. Just some more tests in pppoe.
Can you try this patch? It only addresses this particular report, not
the problems spotted by Eric.

-------- 8< --------
diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index 5aa59f41bf8c..77241b584dff 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -429,6 +429,9 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
 	if (!skb)
 		goto out;
 
+	if (skb_mac_header_len(skb) < ETH_HLEN)
+		goto drop;
+
 	if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
 		goto drop;