Date: Thu, 24 Sep 2020 09:40:26 +0200
From: Steffen Klassert
To: syzbot
Subject: Re: KASAN: stack-out-of-bounds Read in xfrm_selector_match (2)
Message-ID: <20200924074026.GC20687@gauss3.secunet.de>
In-Reply-To: <0000000000009fc91605afd40d89@google.com>
References: <0000000000009fc91605afd40d89@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Sep 21, 2020 at 07:56:20AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    eb5f95f1 Merge tag 's390-5.9-6' of git://git.kernel.org/pu..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13996ad5900000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ffe85b197a57c180
> dashboard link: https://syzkaller.appspot.com/bug?extid=577fbac3145a6eb2e7a5
> compiler:       gcc (GCC) 10.1.0-syz 20200507
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+577fbac3145a6eb2e7a5@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in xfrm_flowi_dport include/net/xfrm.h:877 [inline]
> BUG: KASAN: stack-out-of-bounds in __xfrm6_selector_match net/xfrm/xfrm_policy.c:216 [inline]
> BUG: KASAN: stack-out-of-bounds in xfrm_selector_match+0xf36/0xf60 net/xfrm/xfrm_policy.c:229
> Read of size 2 at addr ffffc9001914f55c by task syz-executor.4/15633

This is yet another ipv4 mapped ipv6 address with IPsec socket policy combination bug, and I'm sure it is not the last one.
We could fix this one by adding another check to match the address family of the policy and the SA selector, but maybe it is better to think about how this should work at all. We can have only one socket policy for each direction and that policy accepts either ipv4 or ipv6. We treat this ipv4 mapped ipv6 address as ipv4 and pass it down the ipv4 stack, so this dual usage will not work with a socket policy. Maybe we can require IPV6_V6ONLY for sockets with policy attached. Thoughts?
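As an added example (not code from this thread or from the kernel tree), a small C program showing what the IPV6_V6ONLY requirement proposed above buys: with the option set, Linux refuses to bind an AF_INET6 socket to an IPv4-mapped address (::ffff:a.b.c.d), so such a socket can never carry the mapped traffic that is handed to the IPv4 stack and confuses a v6 socket policy. The helper names is_v4mapped and try_bind_v6 are mine; the socket options are the standard Linux ones.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: 1 if a is an IPv4-mapped IPv6 address (::ffff:a.b.c.d),
 * i.e. the form the kernel hands down the IPv4 stack; 0 otherwise. */
int is_v4mapped(const struct in6_addr *a)
{
    static const unsigned char prefix[12] =
        { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff };
    return memcmp(a->s6_addr, prefix, sizeof prefix) == 0;
}

/* Hypothetical helper: create an AF_INET6 UDP socket, set IPV6_V6ONLY when
 * v6only != 0, and try to bind it to the textual address in 'text'.
 * Returns 0 on success and -errno on failure (including socket() failing
 * on a host without IPv6), so the caller sees why the bind was refused. */
int try_bind_v6(const char *text, int v6only)
{
    struct sockaddr_in6 sa;
    int fd, rc;

    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, text, &sa.sin6_addr) != 1)
        return -EINVAL;

    fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;

    if (v6only) {
        int one = 1;
        if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof one) < 0) {
            rc = -errno;
            close(fd);
            return rc;
        }
    }
    /* With IPV6_V6ONLY set, Linux rejects a mapped address here with EINVAL,
     * which is exactly the dual-use case a single socket policy cannot cover. */
    rc = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : -errno;
    close(fd);
    return rc;
}
```

Calling try_bind_v6("::ffff:127.0.0.1", 0) succeeds on a dual-stack host, while try_bind_v6("::ffff:127.0.0.1", 1) returns -EINVAL.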