Date: Tue, 12 Jan 2021 00:27:13 -0300
From: Marcelo Ricardo Leitner
To: 慕冬亮
Cc: davem@davemloft.net, kuba@kernel.org, linux-kernel, linux-sctp@vger.kernel.org, netdev@vger.kernel.org, nhorman@tuxdriver.com, vyasevich@gmail.com, rkovhaev@gmail.com, syzkaller-bugs
Subject: Re: "general protection fault in sctp_ulpevent_notify_peer_addr_change" and "general protection fault in sctp_ulpevent_nofity_peer_addr_change" should share the same root cause
Message-ID: <20210112032713.GB2677@horizon.localdomain>
List-ID: <linux-kernel.vger.kernel.org>

On Tue, Jan 12, 2021 at 10:18:00AM +0800, 慕冬亮 wrote:
> Dear developers,
>
> I find that "general protection fault in l2cap_sock_getsockopt" and
> "general protection fault in sco_sock_getsockopt" may be duplicated
> bugs from the same root cause.
>
> First, by comparing the PoC similarity after our own minimization, we find
> they share the same PoC. Second, the stack traces for both bug reports
> are the same except for the last function. And the different last
> functions are due to a function name change (typo fix) from
> "sctp_ulpevent_nofity_peer_addr_change" to
> "sctp_ulpevent_notify_peer_addr_change"

Not sure where you saw stack traces with this sctp function in it, but
the syzkaller reports from 17 Feb 2020 are not related to SCTP.

The one on sco_sock_getsockopt() seems to be a lack of parameter
validation: it doesn't check if optval is big enough when handling
BT_PHY (which has the same value as SCTP_STATUS).

It also seems to miss a check on whether level != SOL_BLUETOOTH, but I
may be wrong here.

l2cap_sock_getsockopt also lacks checking optlen.

Marcelo
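The two getsockopt() checks Marcelo points at (an optlen that is never compared against the size of the value being copied out, and an option level that is not verified before the option number is interpreted) as a user-space model. This is an added example, not code from this thread or from the kernel's sco/l2cap handlers: the socket struct, the MODEL_SOL_PROTO/MODEL_OPT_PHY constants and the bounded copy_to_user stand-in are constructed for the model, and user memory is a fixed buffer of known capacity so that an over-long copy fails loudly instead of overrunning. The kernel's own handlers express the same clamp with get_user()/put_user()/copy_to_user() and min_t().

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed option level/number for this model; deliberately not the
 * kernel's SOL_BLUETOOTH / BT_PHY values. */
#define MODEL_SOL_PROTO  100
#define MODEL_OPT_PHY    1

/* Constructed per-socket state the handler reports on. */
struct model_sock {
    int connected;     /* stands in for sk->sk_state == BT_CONNECTED */
    uint32_t phys;     /* the value a BT_PHY-style option copies out */
};

/* Stand-in for copy_to_user(): user memory is a buffer of known
 * capacity, so a copy longer than the buffer is refused, not written. */
static int model_copy_to_user(void *dst, size_t dst_cap, const void *src, size_t n)
{
    if (n > dst_cap)
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/*
 * Hardened getsockopt(): rejects foreign levels, validates the caller's
 * optlen, copies at most min(optlen, sizeof(value)) bytes, and writes
 * back the length actually copied. Returns 0 or a negative errno.
 */
static int model_getsockopt(const struct model_sock *sk, int level, int optname,
                            void *optval, size_t optval_cap, int *optlen)
{
    if (level != MODEL_SOL_PROTO)
        return -ENOPROTOOPT;          /* option is not ours to answer */
    if (optlen == NULL || *optlen < 0)
        return -EINVAL;               /* bogus length pointer or value */

    switch (optname) {
    case MODEL_OPT_PHY: {
        uint32_t phys;
        size_t len = (size_t)*optlen;

        if (!sk->connected)
            return -ENOTCONN;         /* no connection to report on */
        phys = sk->phys;
        if (len > sizeof(phys))
            len = sizeof(phys);       /* clamp: never trust optlen alone */
        if (model_copy_to_user(optval, optval_cap, &phys, len))
            return -EFAULT;
        *optlen = (int)len;           /* tell the caller what was written */
        return 0;
    }
    default:
        return -ENOPROTOOPT;
    }
}

/* Run one scenario: caller declares `declared` as optlen while the real
 * buffer holds `cap` bytes. Returns the handler's result; the final optlen
 * is stored through *final_len. Constructed socket state: phys = 0x6. */
static int model_call(int connected, int level, int declared, size_t cap, int *final_len)
{
    struct model_sock sk = { .connected = connected, .phys = 0x6 };
    uint8_t user_buf[64] = { 0 };   /* large enough for every scenario */
    int len = declared;
    int rc;

    if (cap > sizeof(user_buf))
        cap = sizeof(user_buf);
    rc = model_getsockopt(&sk, level, MODEL_OPT_PHY, user_buf, cap, &len);
    if (final_len)
        *final_len = len;
    return rc;
}

/* Length written back for a successful connected call, or -1 on error. */
static int model_call_len(int declared, size_t cap)
{
    int len = -1;
    if (model_call(1, MODEL_SOL_PROTO, declared, cap, &len) != 0)
        return -1;
    return len;
}

int main(void)
{
    int rc = model_call(1, MODEL_SOL_PROTO, 64, 64, NULL);
    printf("oversized optlen: rc=%d, bytes written=%d\n", rc, model_call_len(64, 64));
    printf("optlen larger than buffer: rc=%d\n", model_call(1, MODEL_SOL_PROTO, 4, 2, NULL));
    printf("wrong level: rc=%d\n", model_call(1, MODEL_SOL_PROTO + 1, 4, 4, NULL));
    printf("not connected: rc=%d\n", model_call(0, MODEL_SOL_PROTO, 4, 4, NULL));
    return 0;
}
```

The clamp is the part that matters for the reports above: whatever optlen the caller declares, the handler copies no more than the value it actually holds, and a short buffer gets a truncated copy plus an honest optlen rather than a write past its end. The level check keeps an option number that collides with another protocol's (as BT_PHY and SCTP_STATUS do) from being answered by the wrong handler.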