From: Dmitry Vyukov
Date: Wed, 23 Dec 2020 12:25:23 +0100
Subject: Re: kernel BUG at lib/string.c:LINE! (6)
To: Florian Westphal, syzkaller
Cc: Linus Torvalds, syzbot, Andrew Morton, coreteam@netfilter.org, David Miller, Jakub Jelinek, Lai Jiangshan, Jozsef Kadlecsik, Jakub Kicinski, Linux Kernel Mailing List, Netdev, NetFilter, Pablo Neira Ayuso, Peter Zijlstra, syzkaller-bugs, Tejun Heo
References: <000000000000fcbe0705b70e9bd9@google.com> <20201222220719.GB9639@breakpoint.cc>
In-Reply-To: <20201222220719.GB9639@breakpoint.cc>
List-ID: linux-kernel@vger.kernel.org

On Tue, Dec 22, 2020 at 11:07 PM Florian Westphal wrote:
>
> Linus Torvalds wrote:
> > On Tue, Dec 22, 2020 at 6:44 AM syzbot wrote:
> > >
> > > The issue was bisected to:
> > >
> > > commit 2f78788b55ba ("ilog2: improve ilog2 for constant arguments")
> >
> > That looks unlikely, although possibly some constant folding
> > improvement might make the fortify code notice something with it.
> >
> > > detected buffer overflow in strlen
> > > ------------[ cut here ]------------
> > > kernel BUG at lib/string.c:1149!
> > > Call Trace:
> > > strlen include/linux/string.h:325 [inline]
> > > strlcpy include/linux/string.h:348 [inline]
> > > xt_rateest_tg_checkentry+0x2a5/0x6b0 net/netfilter/xt_RATEEST.c:143
> >
> > Honestly, this just looks like the traditional bug in "strlcpy()".
>
> Yes, that's exactly what this is, no idea why the bisection points
> at ilog2 changes.

The end result is usually clear from the bisection log:

> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1584f137500000

In this case it looks like the most common cause of diverted bisection -- interference from other kernel bugs, this __queue_work issue that happened on ilog2 commit:

[03f4935135b9efeb780b970ba023c201f81cf4e6] checkpatch: fix unescaped left brace
testing commit 03f4935135b9efeb780b970ba023c201f81cf4e6 with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at lib/string.c:LINE!
# git bisect bad 03f4935135b9efeb780b970ba023c201f81cf4e6
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[2f78788b55baa3410b1ec91a576286abe1ad4d6a] ilog2: improve ilog2 for constant arguments
testing commit 2f78788b55baa3410b1ec91a576286abe1ad4d6a with gcc (GCC) 8.1.0
run #0: crashed: WARNING in __queue_work
# git bisect bad 2f78788b55baa3410b1ec91a576286abe1ad4d6a

> > That BSD function is complete garbage, exactly because it doesn't
> > limit the source length. People tend to _think_ it does ("what's that
> > size_t argument for?") but strlcpy() only limits the *destination*
> > size, and the source is always read fully.
>
> Right, I'll send a patch shortly.
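As an added example (not code from this thread or from the kernel), a userland model of the strlcpy() hazard Linus describes, beside a bounded entry check of the kind a checkentry path can apply: the terminator is looked for only inside the field's own bytes, and unterminated or overlong input is rejected before any copy. The `user_info` struct, its 16-byte field and the function names are assumptions for this example.

```c
#include <string.h>

/* Constructed user-controlled record (name and size are assumptions for
 * this example): a fixed-size field userspace may fill without a NUL. */
struct user_info { char name[16]; };

/* Model of BSD strlcpy(): dsize bounds only the write. The return value
 * is strlen(src), so src is scanned to its NUL however small dst is. */
size_t model_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t slen = strlen(src);                 /* unbounded read of src */
    if (dsize) {
        size_t n = slen < dsize - 1 ? slen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return slen;
}

/* Hardened entry check (hypothetical name): look for the terminator only
 * inside the field's own bytes and reject unterminated or overlong input
 * before any copy. Returns the copied length, or -1 on rejection. */
long checked_copy_name(char *dst, size_t dsize, const struct user_info *info)
{
    const char *nul = memchr(info->name, '\0', sizeof info->name);
    if (!nul)                                   /* no NUL within the field */
        return -1;
    size_t slen = (size_t)(nul - info->name);
    if (slen >= dsize)                          /* would not fit in dst */
        return -1;
    memcpy(dst, info->name, slen + 1);
    return (long)slen;
}

/* Demonstrations on constructed input. */
size_t demo_unbounded_read(void)
{
    char src[40], dst[8];
    memset(src, 'a', sizeof src - 1);
    src[sizeof src - 1] = '\0';
    return model_strlcpy(dst, src, sizeof dst);  /* 39: all of src read */
}

long demo_unterminated(void)
{
    struct user_info info;
    char dst[16];
    memset(info.name, 'x', sizeof info.name);  /* no terminator at all */
    return checked_copy_name(dst, sizeof dst, &info);  /* -1 */
}
```

The first demo shows why the destination size never protects the read side: an 8-byte destination still causes all 39 source bytes to be scanned. The second shows the check rejecting a field with no terminator instead of letting strlen() run past it.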