From: Vladis Dronov
To: syzbot+001516d86dbe88862cec@syzkaller.appspotmail.com, "David S. Miller", Eric Dumazet, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: KMSAN: uninit-value in __dev_mc_add
Date: Thu, 27 Sep 2018 23:30:26 +0200
Message-Id: <20180927213026.16863-1-vdronov@redhat.com>
In-Reply-To: <0000000000005e2e530576c6f9ce@google.com>
References: <0000000000005e2e530576c6f9ce@google.com>

Hello,

This report is actually for the same bug which was reported in:

https://syzkaller.appspot.com/bug?id=088efeac32fdde781038a777a63e436c0d4d7036

The note there that the bug was fixed by "Commits: net: fix uninit-value in __hw_addr_add_ex()" is wrong. A C-reproducer from the 2nd syzkaller report can trigger the bug from this one.

I've researched this and a result is a proposed patch, the problem is the tun device code allowing to set an arbitrary link type.

https://lkml.org/lkml/2018/9/26/416
https://lore.kernel.org/lkml/20180926093018.6646-1-vdronov@redhat.com/T/#u
https://marc.info/?l=linux-netdev&m=153795423320016&w=2

A simplified reproducer is attached.

Best regards,
Vladis Dronov

Content-Type: text/plain; name="kmsan-hw_addr_add_ex.c"; charset=UTF-8;
Content-Disposition: attachment; filename="kmsan-hw_addr_add_ex.c"

#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/syscall.h>

int main(int argc, char **argv)
{
	int ret, sockfd, tunfd;

	// scratch mapping at a fixed address: PROT_READ|PROT_WRITE,
	// MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS
	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);

	// socket(AF_PACKET, SOCK_DGRAM|SOCK_NONBLOCK, 0)
	sockfd = syscall(__NR_socket, 0x11, 0x100000802, 0);
	if (sockfd < 0) {
		perror("socket()");
		ret = 1;
		goto exit_end;
	}

	memcpy((void*)0x20000240, "/dev/net/tun", 13);
	tunfd = open((char *)0x20000240, 0);
	if (tunfd < 0) {
		perror("open()");
		ret = 2;
		goto exit_sock_close;
	}

	// struct ifreq at 0x200000c0: ifr_name = "igb0", ifr_flags = 0x4012
	memcpy((void*)0x200000c0, "\x69\x67\x62\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16);
	*(uint16_t*)0x200000d0 = 0x4012;
	ret = syscall(__NR_ioctl, tunfd, 0x400454ca, 0x200000c0); // TUNSETIFF _IOW('T', 202, int)
	if (ret < 0) {
		perror("ioctl(TUNSETIFF)");
		ret = 3;
		goto exit_tun_close;
	}

	// TUNSETLINK _IOW('T', 205, int) / 0x30a = 778 = ARPHRD_IPGRE
	if (argc < 2)
		ret = syscall(__NR_ioctl, tunfd, 0x400454cd, 0x30a);
	else
		ret = syscall(__NR_ioctl, tunfd, 0x400454cd, atoi(argv[1]));
	if (ret < 0) {
		perror("ioctl(TUNSETLINK)");
		ret = 4;
		goto exit_tun_close;
	}

	// struct ifreq at 0x20000040: ifr_name = "igb0", ifr_flags = 0xa201 (IFF_UP set)
	memcpy((void*)0x20000040, "\x69\x67\x62\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16);
	*(uint16_t*)0x20000050 = 0xa201;
	ret = syscall(__NR_ioctl, sockfd, 0x8914, 0x20000040); // SIOCSIFFLAGS 0x8914
	if (ret < 0) {
		perror("ioctl(SIOCSIFFLAGS)");
		ret = 5;
		goto exit_tun_close;
	}

	printf("done:\n");
	system("/usr/sbin/ip -details link show igb0");

exit_tun_close:
	close(tunfd);
exit_sock_close:
	close(sockfd);
exit_end:
	munmap((void *)0x20000000, 0x1000000);
	return ret; // propagate the step-specific error code set above
}
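
Added example, not part of the original mail or of the proposed kernel patch: a small sysfs audit that lists tun/tap interfaces whose link type differs from the driver default, which is the state the message attributes to TUNSETLINK accepting an arbitrary type. It assumes the sysfs attributes "type" and "tun_flags" under /sys/class/net/<ifname>/; the function and macro names are hypothetical, and a non-default type is only a prompt for review.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>

#define TUN_MODE_TUN 0x0001 /* IFF_TUN in <linux/if_tun.h> */
#define TUN_MODE_TAP 0x0002 /* IFF_TAP in <linux/if_tun.h> */
#define TYPE_ETHER 1        /* ARPHRD_ETHER, default for a TAP device */
#define TYPE_NONE 0xFFFE    /* ARPHRD_NONE, default for a TUN device */

/* 1 if the link type deviates from the default for this tun/tap mode. */
int linktype_deviates(unsigned tun_flags, long type)
{
    if (tun_flags & TUN_MODE_TAP) return type != TYPE_ETHER;
    if (tun_flags & TUN_MODE_TUN) return type != TYPE_NONE;
    return 0;
}

/* Read a numeric sysfs attribute ("778" or "0x1002"); -1 if unreadable. */
static long read_attr(const char *root, const char *ifn, const char *attr)
{
    char path[512], buf[32], *s;
    FILE *f;
    snprintf(path, sizeof(path), "%s/%s/%s", root, ifn, attr);
    if (!(f = fopen(path, "r"))) return -1;
    s = fgets(buf, sizeof(buf), f);
    fclose(f);
    return s ? strtol(buf, NULL, 0) : -1;
}

/* -1: not a tun/tap device, 0: default link type, 1: non-default type. */
int audit_iface(const char *root, const char *ifn)
{
    long flags = read_attr(root, ifn, "tun_flags"); /* tun/tap only */
    long type = read_attr(root, ifn, "type");
    if (flags < 0 || type < 0) return -1;
    return linktype_deviates((unsigned)flags, type);
}

int main(void)
{
    const char *root = "/sys/class/net";
    DIR *d = opendir(root);
    struct dirent *e;
    int found = 0;
    if (!d) { perror(root); return 2; }
    while ((e = readdir(d)) != NULL)
        if (e->d_name[0] != '.' && audit_iface(root, e->d_name) == 1) {
            printf("%s: tun/tap with non-default link type\n", e->d_name);
            found = 1;
        }
    closedir(d);
    return found;
}
```
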