From: "Jason A. Donenfeld"
Date: Wed, 17 Feb 2021 23:55:58 +0100
Subject: Re: possible stack corruption in icmp_send (__stack_chk_fail)
To: Willem de Bruijn
Cc: Netdev, LKML, Willem de Bruijn
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Willem,

On Wed, Feb 17, 2021 at 11:27 PM Willem de Bruijn wrote:
> A vmlinux image might help. I couldn't find one for this kernel.

https://data.zx2c4.com/icmp_send-crash-e03b4a42-706a-43bf-bc40-1f15966b3216.tar.xz
has .debs with vmlinuz in there, which you can extract to vmlinux, as
well as my own vmlinux elf construction with the symbols added back in
by extracting them from kallsyms. That's the best I've been able to do,
as all of this is coming from somebody random emailing me.

> But could it be that the forwarded packet is not sensible IPv4? The
> skb->protocol is inferred in
> wg_packet_consume_data_done->ip_tunnel_parse_protocol.

The wg calls to icmp_ndo_send are gated by checking skb->protocol:

    if (skb->protocol == htons(ETH_P_IP))
        icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
    else if (skb->protocol == htons(ETH_P_IPV6))
        icmpv6_ndo_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);

On the other hand, that code is hit on an error path when
wg_check_packet_protocol returns false:

    static inline bool wg_check_packet_protocol(struct sk_buff *skb)
    {
        __be16 real_protocol = ip_tunnel_parse_protocol(skb);
        return real_protocol && skb->protocol == real_protocol;
    }

So that means, at least in theory, icmp_ndo_send could be called with
skb->protocol != ip_tunnel_parse_protocol(skb). I guess I can address
that. But... is it actually a problem?

Jason
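The mismatch Jason describes, as an added user-space model that is not code from the thread or from WireGuard: `proto_from_payload` stands in for ip_tunnel_parse_protocol (it inspects the IP version nibble), and `icmp_error_allowed` is a gate that only lets the ICMP error path run when the claimed skb->protocol and the bytes actually present agree, so the ICMP code never parses a payload as a header of the wrong family. All names and the `struct pkt` shape are this example's own.

```c
/* Added example (not code from the thread or from WireGuard): a user-space
 * model of the protocol check discussed above. proto_from_payload mirrors
 * ip_tunnel_parse_protocol's version-nibble test; all names here are invented. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define ETH_P_IP   0x0800
#define ETH_P_IPV6 0x86DD

struct pkt {
    uint16_t protocol;   /* what skb->protocol claims (host byte order here) */
    const uint8_t *data; /* first byte of the inner IP header */
    size_t len;
};

/* Like ip_tunnel_parse_protocol: decide from the IP version nibble, 0 if unknown. */
static uint16_t proto_from_payload(const struct pkt *p)
{
    if (p->len < 1)
        return 0;
    switch (p->data[0] >> 4) {
    case 4:  return ETH_P_IP;
    case 6:  return ETH_P_IPV6;
    default: return 0;
    }
}

/* Gating on skb->protocol alone is what the message questions; this gate also
 * requires the payload to agree, so icmp_ndo_send/icmpv6_ndo_send never parse
 * bytes as a header of a family the packet does not actually carry. */
static bool icmp_error_allowed(const struct pkt *p)
{
    uint16_t real = proto_from_payload(p);
    return real && real == p->protocol;
}

int main(void)
{
    /* Constructed samples: 0x45 starts an IPv4 header, 0x60 an IPv6 one. */
    static const uint8_t v4[] = { 0x45, 0x00, 0x00, 0x14 };
    static const uint8_t v6[] = { 0x60, 0x00, 0x00, 0x00 };
    struct pkt ok = { ETH_P_IP, v4, sizeof v4 };
    struct pkt mismatch = { ETH_P_IP, v6, sizeof v6 }; /* claims IPv4, carries IPv6 */
    printf("ok=%d mismatch=%d\n", icmp_error_allowed(&ok), icmp_error_allowed(&mismatch));
    return 0;
}
```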