Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp2708795pxk; Sun, 27 Sep 2020 19:25:26 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwZzWili/F97nf4RRdlKpS0yTg8dz0X+nyoLEMD9w09Sna3HmEUntgejxPpIeZU/j+GcDbz X-Received: by 2002:a50:d4d8:: with SMTP id e24mr13710693edj.1.1601259926180; Sun, 27 Sep 2020 19:25:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601259926; cv=none; d=google.com; s=arc-20160816; b=vgVefmutjQ/nAzcXkQMKFC+S1TPJjzhrd7nxXFqT030XPPMpbfQBMjiJsdyLbt2032 FJmUwj9nANTj1ISHL6r5b4QYjWKp1+UfMJ+/Pqmo6IxmtujXOBPEtWicLvB4gGl/qtHA OzWMKqRDMm6ZIKtFizxzELgovzvpvMksjF6CFl5eCpy7RUmNSzHs+EQeBxoQDlPOzoA7 b5oXTO4scCGBlSfC5ZvL2ICI3ksS5WDoC+YqaTP62nLcPvFSwQJ33HV8GIRC/eanloFM dOjjFGcQM9hnBsR3K3PleT8HbNUzoPcFFLR5z0FFlwNkWnT+TANcgollKz74Z41Up3Xv uVfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=vOX5Sd+xpTPA9/G3a3HyLwKA39unA0IaH2aJ/ahSQ48=; b=PZtxG54hyNIo89BvMJYV2ccOvv0VD6XdgxYSyVplDMJKL1hdllzrzPLx4pW5XxKEDk jLY4zDsMSyqYyD3VCuLYJZCYHBeMBBJo2N01sjK1FuTa//W6c2JTUXxi15NNJ9S7M8Or uL33Z7KkA3E0o/y6J8wffnFU7stiLhzdnYErkLxkjhqHoVvc5PXQrPC3XzKnzcRjecBZ OwlHMIhKLRrfH6hxiNl0l03Vnx621+fY1mYronVwKfljDsuNoqz/r2NxKEO8X910xPld aOe7dD/ya9EK19PqhawpduCPbb7x9cwdWNc8D7lxxCcoZsXZdzF1KjveCVGF5S53Z9dU VJoA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=qWrMSVm6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e24si6637616ejx.162.2020.09.27.19.25.03; Sun, 27 Sep 2020 19:25:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=qWrMSVm6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726469AbgI1CWC (ORCPT + 99 others); Sun, 27 Sep 2020 22:22:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40848 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726458AbgI1CWC (ORCPT ); Sun, 27 Sep 2020 22:22:02 -0400 Received: from mail-ed1-x544.google.com (mail-ed1-x544.google.com [IPv6:2a00:1450:4864:20::544]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 16CB5C0613D3 for ; Sun, 27 Sep 2020 19:22:02 -0700 (PDT) Received: by mail-ed1-x544.google.com with SMTP id a12so8368644eds.13 for ; Sun, 27 Sep 2020 19:22:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vOX5Sd+xpTPA9/G3a3HyLwKA39unA0IaH2aJ/ahSQ48=; b=qWrMSVm6zYmVaFJcTErsVXateVeWWiDTida+WlvUE+uTdTpqtnEDoAS5/Fab3urTai zVC/L+EmWCWMmZZLXmcfTTewmXUlNJHZKMHMlOXI21wFMAIiCPKQBsVcXWBOuIWdkSJw wRjVb0qNA/Wr0py5s32t6cT2qH4mMisal2HMbwAzd587SjYazqjs730xTKftVO/LuVh8 z5SqJGPe6Z6FkYdOzbDRlTuU8q6aT+KfFqcKMNC6Uq0DHawFoME2NoXJCWrpEwOSakwj aqz4/eyirVDPTcjNHeg2KSOdgmBn2yafu/pWbZ8fXwYjpOa4lrAz9lroe+Wfwt0jlbYj xUug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vOX5Sd+xpTPA9/G3a3HyLwKA39unA0IaH2aJ/ahSQ48=; b=kVpIMAD2fjqz9WP/zuFdnjuvABDvueL918of0gXqE6dqGlWI3WTFZQGXSkzbylZ2ft HLyMeZymsYrAP+b+CK5eBaP3xLtvd2XPwrTXvu9lpZMON28LZW1AYpakWQdLISgjZ0PO /S7teDAZFDGL18fg/KYjT8XkI3VdMXmtudsEKozGux01auS3fU6NhtCajdZS+bLNUB/g f2Y+tvsfJb3z56ZBSo5mBXckUhP7lHJVqn3U6tZGG9M/GnCHc/G0oDd29ClPy6Kbd++n c1j+JrAutW/2ICp/hMaALcU4kcCuesyWZ07nb4t7CwLtYghkaH1MV/5tng9d4wrlfb9p StBw== X-Gm-Message-State: AOAM533A+t7qfMpQ7aQ/dNG8QpEq8SdzLJv04TDVVGsynYEhWhyAQttg U5xtl5V1swS6Vm3SC8PSekzZv+sSp0jIy8viJZi9 X-Received: by 2002:a05:6402:1805:: with SMTP id g5mr13063002edy.135.1601259720569; Sun, 27 Sep 2020 19:22:00 -0700 (PDT) MIME-Version: 1.0 References: <0000000000009fc91605afd40d89@google.com> <20200925030759.GA17939@gondor.apana.org.au> In-Reply-To: <20200925030759.GA17939@gondor.apana.org.au> From: Paul Moore Date: Sun, 27 Sep 2020 22:21:48 -0400 Message-ID: Subject: Re: KASAN: stack-out-of-bounds Read in xfrm_selector_match (2) To: Herbert Xu Cc: syzbot , davem@davemloft.net, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com, syzkaller-bugs@googlegroups.com, James Morris , "Serge E. Hallyn" , linux-security-module@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 24, 2020 at 11:08 PM Herbert Xu wrote: > On Mon, Sep 21, 2020 at 07:56:20AM -0700, syzbot wrote: > > Hello, > > > > syzbot found the following issue on: > > > > HEAD commit: eb5f95f1 Merge tag 's390-5.9-6' of git://git.kernel.org/pu.. > > git tree: upstream > > console output: https://syzkaller.appspot.com/x/log.txt?x=13996ad5900000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=ffe85b197a57c180 > > dashboard link: https://syzkaller.appspot.com/bug?extid=577fbac3145a6eb2e7a5 > > compiler: gcc (GCC) 10.1.0-syz 20200507 > > > > Unfortunately, I don't have any reproducer for this issue yet. > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > Reported-by: syzbot+577fbac3145a6eb2e7a5@syzkaller.appspotmail.com > > > > ================================================================== > > BUG: KASAN: stack-out-of-bounds in xfrm_flowi_dport include/net/xfrm.h:877 [inline] > > BUG: KASAN: stack-out-of-bounds in __xfrm6_selector_match net/xfrm/xfrm_policy.c:216 [inline] > > BUG: KASAN: stack-out-of-bounds in xfrm_selector_match+0xf36/0xf60 net/xfrm/xfrm_policy.c:229 > > Read of size 2 at addr ffffc9001914f55c by task syz-executor.4/15633 > > > > CPU: 0 PID: 15633 Comm: syz-executor.4 Not tainted 5.9.0-rc5-syzkaller #0 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 > > Call Trace: > > __dump_stack lib/dump_stack.c:77 [inline] > > dump_stack+0x198/0x1fd lib/dump_stack.c:118 > > print_address_description.constprop.0.cold+0x5/0x497 mm/kasan/report.c:383 > > __kasan_report mm/kasan/report.c:513 [inline] > > kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 > > xfrm_flowi_dport include/net/xfrm.h:877 [inline] > > This one goes back more than ten years. This patch should fix > it. > > ---8<--- > The struct flowi must never be interpreted by itself as its size > depends on the address family. Therefore it must always be grouped > with its original family value. > > In this particular instance, the original family value is lost in > the function xfrm_state_find. Therefore we get a bogus read when > it's coupled with the wrong family which would occur with inter- > family xfrm states. > > This patch fixes it by keeping the original family value. > > Note that the same bug could potentially occur in LSM through > the xfrm_state_pol_flow_match hook. I checked the current code > there and it seems to be safe for now as only secid is used which > is part of struct flowi_common. But that API should be changed > so that so that we don't get new bugs in the future. We could > do that by replacing fl with just secid or adding a family field. I'm thinking it might be better to pass the family along with the flow instead of passing just the secid (less worry of passing an incorrect secid that way). Let me see if I can cobble together a quick patch for testing before bed ... -- paul moore www.paul-moore.com