Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp6822250pxb; Wed, 17 Feb 2021 14:39:07 -0800 (PST) X-Google-Smtp-Source: ABdhPJy3FXP1EjumbxnYwWsZOgoYmycPXBqJSUN72hrN7wY1WkYIUadZCJdN6ZXNJGmvSHMTrwA/ X-Received: by 2002:a17:906:bcd7:: with SMTP id lw23mr1144695ejb.30.1613601546989; Wed, 17 Feb 2021 14:39:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1613601546; cv=none; d=google.com; s=arc-20160816; b=qJ4v3aklagWGShPkLamAE9kGg2Il+RYjUwlWoj5LKK1uF2WLrT2MH03uxYIdRyWiSv vKyrRoxwk8HbtrrjajyFao4grUT73G0uGJAkVIIRabofBTKHPIhhxPwMw73dMwhkd0R8 dkkEaLiKmUq1zSHj0X5p+HUTN1VHnBZU7zYcAigpWhyyV+tlWFKIvGkxsF1Ygaw8OJYy T98HLDNBKkKm131s+N7QdMhgnmV903S5mG7AdMp6/S0JDUnOgNb9ozENoUxP//CL0Owj 5wm7K+NahFM4TW5Q37MOEXFjuqi4tB2r5U2zz/WDpCVM0k9jrOX26CkcQZBtug1wOiNn INag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=3IM9I3UuREFmRHOZr8PZmBSuaPgKWXMfL/0dV2dXv88=; b=hsyqfYbprNzin2aqtON5wKju4mgkl2y3qIRT8C/+6Gh5hMIiiBg09Mu0V+kT84nRNc LDyftA+YPCSJ3GrGzCbFHAZQyvByMm+z/GUv9PavzV5va3kSXC8/8K/f3Ui4035Hnn8a AqsNCy8m/HWE8f+PCHE1PCvRuAKO5OR6ae+phAcwdbE/53luZkZSvGRXf8WqZ1sPC7UF QoDZNpRW1AdmSUELKjAAGUQN25NTcRuRniOZ31MTbtDTUfFkRW/Pcm7i2oG50wLrsfLY OwlEPlVhn4MXP0aVX5ay7dw8N0fbs3YgHNyCtUiSiAazF8/GaY+HVG050G24cVZhw9Vu smSA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="RUufMfR/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e19si2169175eja.333.2021.02.17.14.38.42; Wed, 17 Feb 2021 14:39:06 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="RUufMfR/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232849AbhBQW2c (ORCPT + 99 others); Wed, 17 Feb 2021 17:28:32 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38286 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229459AbhBQW20 (ORCPT ); Wed, 17 Feb 2021 17:28:26 -0500 Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E54BDC061574 for ; Wed, 17 Feb 2021 14:27:45 -0800 (PST) Received: by mail-ej1-x634.google.com with SMTP id w1so25532075ejf.11 for ; Wed, 17 Feb 2021 14:27:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3IM9I3UuREFmRHOZr8PZmBSuaPgKWXMfL/0dV2dXv88=; b=RUufMfR/U88vgEIKMQ/LDi22jwTmXQJ0ZzdLLrwjOeb2a6jxx89c5m71xViuNKTPN3 JCiqUTrs/gSZvIeYSh2vG3o5gjoJeTry484YaIo5wXMQnTBcloj9bwlikI+MKJvl0wrr OgvD3I/1FL7Cwez+5fGQbNFh6+uv/eTFz5w3mi+ruOSLSKoa5DV4VrQKVsRTBR9lU4lK +4g84dLy60M7fk9RT+uY3qUCGCYXA9t1rMSJKBx/rVuru6kTvBbLg38bOTCR1Z6j/GQp zuxkVyQJDItb8GG1ENIdF5/Ghqk9jp3/rS+b5kqFcHOP+2dJYW/tMUo9hRDIyB5ZHaVb ODIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3IM9I3UuREFmRHOZr8PZmBSuaPgKWXMfL/0dV2dXv88=; b=olcaaDarS14VwnMJQMAPFgCsSJQ5qLcQu5PA0xFs0ZraguEX6RSv/cWeGLceHsoxCc Ic5GRFLlRlsVzOZC7oqAN9/TYIQkexZsEY2b3OUftkFXzKXbd98QWVmB+3EbKikFrCZ0 GFkdsS7+0O3ffBpA2KQugleLSnRK7jVjoxCc3Ms8tAUtpW2b2gZ83+80LzVg2GvpmYvP wOi22v+HiIoDjHp9dHcr0G9lIQdzYXacheWz9ZEzKjrcD04nv0H1eO3+QgweP/LLbwv2 v7FttRrnuOcrlFGQALneVCGCOU39lpdOmonWEmEiel3sKkoQiTTlrRvuPh43No0SizJD 1ljw== X-Gm-Message-State: AOAM531nnvZz2LIHeGLr/J8Pdrw3ueTyGqvZtuteUf9pFsNtxadUInEM Cy2nZeuJf0hYpUzTSeNfSGVhrmJwu18= X-Received: by 2002:a17:906:da1e:: with SMTP id fi30mr1047059ejb.151.1613600864049; Wed, 17 Feb 2021 14:27:44 -0800 (PST) Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com. [209.85.221.47]) by smtp.gmail.com with ESMTPSA id d5sm1756897edu.12.2021.02.17.14.27.43 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 17 Feb 2021 14:27:43 -0800 (PST) Received: by mail-wr1-f47.google.com with SMTP id t15so206851wrx.13 for ; Wed, 17 Feb 2021 14:27:43 -0800 (PST) X-Received: by 2002:adf:ec43:: with SMTP id w3mr1325377wrn.12.1613600862672; Wed, 17 Feb 2021 14:27:42 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Willem de Bruijn Date: Wed, 17 Feb 2021 17:27:05 -0500 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: possible stack corruption in icmp_send (__stack_chk_fail) To: "Jason A. Donenfeld" Cc: Netdev , LKML , Willem de Bruijn Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 17, 2021 at 1:12 PM Jason A. Donenfeld wrote: > > Hi Netdev & Willem, > > I've received a report of stack corruption -- via the stack protector > check -- in icmp_send. I was sent a vmcore, and was able to extract > the OOPS from there. However, I've been unable to produce the bug and > I don't see where it'd be in the code. That might point to a more > sinister problem, or I'm simply just not seeing it. Apparently the > reporter reproduces it every 40 or so minutes, and has seen it happen > since at least ~5.10. Willem - I'm emailing you because it seems like > you were making a lot of changes to the icmp code around then, and > perhaps you have an intuition. For example, some of the error handling > code takes a pointer to a stack buffer (_objh and such), and maybe > that's problematic? I'm not quite sure. The vmcore, along with the > various kernel binaries I hunted down are here: > https://data.zx2c4.com/icmp_send-crash-e03b4a42-706a-43bf-bc40-1f15966b3216.tar.xz > . The extracted dmesg follows below, in case you or anyone has a > pointer. I've been staring at this for a while and don't see it. > > Jason Sorry, I also don't immediately see a cause. The _objh is a fairly standard approach to accessing skb data with skb_header_pointer. More importantly, that codepath is in the icmp receive path and then guarded by a socket option (inet_sk(sk)->recverr_rfc4884), so unlikely to be exercised here. This is an icmp send in response to a forwarded packet (assuming __qdisc_run dequeued the packet that triggered it). The icmp send code is quite robust against, e.g., undersized packets. But could it be that the forwarded packet is not sensible IPv4? The skb->protocol is inferred in wg_packet_consume_data_done->ip_tunnel_parse_protocol. As for on-stack variable overflow, __ip_options_echo parses the (untrusted) input to write into stack allocated icmp_param. But that is fairly well tested, rarely touched, code by now. Perhaps relevant, though, the opt passed is in skb->cb[], which at should probably not be interpreted as inet_skb_parm (IPCB). static inline void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info) { __icmp_send(skb_in, type, code, info, &IPCB(skb_in)->opt); } A vmlinux image might help. I couldn't find one for this kernel. Or if the kernel can be modified and this path is rarely taken, logging the packet, e.g., with skb_dump.