Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp1619740pxy; Fri, 23 Apr 2021 12:28:34 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzZmPX+CoMPAA3xbrcwuallp++5/JgM5aYDJmK3hhutwfXHCeFNXch3QYRRnBVR621CAsr5 X-Received: by 2002:a65:4c8e:: with SMTP id m14mr5075955pgt.377.1619206114749; Fri, 23 Apr 2021 12:28:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619206114; cv=none; d=google.com; s=arc-20160816; b=worprQcFxU14LMpf5r3t/S44+vHF8P6LRV717wCImb61AfskXS7housNdtQa986JQD L4gDpNgdIQ8yspFY9RKIzycGI1bR9Bwh2vwMvCxJ3DDjOWkdD68+i02GLZmFwQ8kYfIt b3Co+b5orpRMMjQVGLJWyaTit0f7JVmEvTdAjPkzor7paC4EH+FGWQ04dZ94Y6zHwbND jvuTb0ozQ/jy0PbyGdW2oSgqei9VOqsAx7EfXy02NXGSWm7guQnRYnJPsrDILnqtgesb w+qAV/gvgktxYm4vMSJzuJBbzXp037lGJEDFazvLOB+3bNnZT8+/ILRj4j+tHggEcx+3 XI0g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=GGmswUWs0RhjLm11KvpLJnLg6G3DSRO1QkIM1fXbk7s=; b=oTcM5n6m9bZkgQo2cMb9dBQFfri/6Mhq0G9D3fLKsZxtrJ4AO1WslXQ6WGSuA7P+g1 nlXOm79WihOlkgiCP5eWVlwEbJwQCefo8L8P4d8rgV5LwdYirtOLcVIBoX6mdUApStUh 9HM8pO9Ga975G9Y0YFFrCZhaU/fZRys46nlQrtIi4rHl43+OHCtPZ7M2kc/iIlKRzLJd /l3cZSd2wbu2rvmPleQSnLRHFEbGgYND4yPsyljyzV4PJNE02CC8F5tFpm+U/1N81thj UpqMipwSEiN8flMRlhWcD3kRkA4sfmf20B2IRLvf3x3jNxoz62sqLK+KzUM9rudE5iLE TL9Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=02tLZjLe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t12si7858835plg.195.2021.04.23.12.28.21; Fri, 23 Apr 2021 12:28:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=02tLZjLe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232238AbhDWT21 (ORCPT + 99 others); Fri, 23 Apr 2021 15:28:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52208 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229549AbhDWT20 (ORCPT ); Fri, 23 Apr 2021 15:28:26 -0400 Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 32E85C061574 for ; Fri, 23 Apr 2021 12:27:48 -0700 (PDT) Received: by mail-ej1-x62e.google.com with SMTP id sd23so66772588ejb.12 for ; Fri, 23 Apr 2021 12:27:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=GGmswUWs0RhjLm11KvpLJnLg6G3DSRO1QkIM1fXbk7s=; b=02tLZjLeYkxGPB2kXMhpJATnGAtGmYPsmzTboVgl/LmG2WbReuSJpJrPlxJd90ALKR 97sPdAcYuV4/oaDQXmOwIgdjD3nkc+vwW8/gPUaZkaeqTEC94+s9E0R4OCZ0ig8W1+nl nqyN38L7dwd2RMuWYF5cioO9XPfvVR8M4cdSiNRh2SX+d3OdOTrXdAsX8ksUKHDvZ72w waDXwP7pSE48qNSKfm0IAeh4BaI4PqR+hSTGCwLYYApnxxeImRsdoFWDHwFXJVBi+Q3C zRKDs+BLZ0nrlPvvpF+sufIB8MBeGS7GtuL2Al6hW3uvcCJLJ1xC0gcUtMBvVM0hyzO2 HqhA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=GGmswUWs0RhjLm11KvpLJnLg6G3DSRO1QkIM1fXbk7s=; b=hPaLB6Z0C7W3796phkcMdUhXt6DwX1/q4w84h+FyAVryhRrHMk61hyWVsiSdjDNPmG wKmTZSrDSqho+a4RK8bCsLXaKP8R6Uv8Y/OyCg6J+jTNeNrjJQ03tl0W8J0f7xBhL7ls rD0VuBEwGBFbMhepknQYuptHoS2lT7kUwpMq2X+rbCqn51TsvWvAN/ED4c6/3RYvgFSj 8lidzqGAOLRzHoTZixjI/9o8a5V2pOVW1Wj6WjuMW9xGN4priXazCYAXPwj9FmguxE18 PyqLCSltx0CH2gnv3Mb6K2pbz+7Qi59TjhNMY9qw8Y2vzck0NS9FJxZVghap17abD5Y/ 5Alw== X-Gm-Message-State: AOAM530Ihf35csFHdphlAm9LzabZKtgd+CneLnJ3tglIpgWpnZD8dYwn Px1kSX3dZvqMFMsmITg2NBD8n5BNVpQnK+rQVMSJ X-Received: by 2002:a17:906:f283:: with SMTP id gu3mr5825341ejb.91.1619206066758; Fri, 23 Apr 2021 12:27:46 -0700 (PDT) MIME-Version: 1.0 References: <000000000000307cc205bbbf31d3@google.com> <29f03460-c0ba-07a0-ef98-9597ef157797@oracle.com> In-Reply-To: <29f03460-c0ba-07a0-ef98-9597ef157797@oracle.com> From: Paul Moore Date: Fri, 23 Apr 2021 15:27:35 -0400 Message-ID: Subject: Re: WARNING in netlbl_cipsov4_add To: Vegard Nossum Cc: syzbot , akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Apr 23, 2021 at 6:47 AM Vegard Nossum wr= ote: > Hi Paul, > > This syzbot report reproduces in mainline for me and it looks like > you're the author/maintainer of this code, so I'm just adding some info > to hopefully aid the preparation of a fix: Hi Vegard, Yes, you've come to the right place, thank you for your help in tracking this down. Some comments and initial thoughts below ... > On 2021-02-20 08:05, syzbot wrote: > > Hello, > > > > syzbot found the following issue on: ... > Running strace on the reproducer says: > > socket(PF_NETLINK, SOCK_RAW, NETLINK_GENERIC) =3D 3 > socket(PF_NETLINK, SOCK_RAW, NETLINK_GENERIC) =3D 4 > sendto(4, > "(\0\0\0\20\0\5\0\0\0\0\0\0\0\0\0\3\0\0\0\21\0\2\0NLBL_CIPSOv4\0\0\0\0", > 40, 0, {sa_family=3DAF_NETLINK, pid=3D0, groups=3D00000000}, 12) =3D 40 > recvfrom(4, > "\234\0\0\0\20\0\0\0\0\0\0\0\f\r\0\0\1\2\0\0\21\0\2\0NLBL_CIPSOv4\0\0\0\0= \6\0\1\0\24\0\0\0\10\0\3\0\3\0\0\0\10\0\4\0\0\0\0\0\10\0\5\0\f\0\0\0T\0\6\0= \24\0\1\0\10\0\1\0\1\0\0\0\10\0\2\0\v\0\0\0\24\0\2\0\10\0\1\0\2\0\0\0\10\0\= 2\0\v\0\0\0\24\0\3\0\10\0\1\0\3\0\0\0\10\0\2\0\n\0\0\0\24\0\4\0\10\0\1\0\4\= 0\0\0\10\0\2\0\f\0\0\0", > 4096, 0, NULL, NULL) =3D 156 > recvfrom(4, > "$\0\0\0\2\0\0\0\0\0\0\0\f\r\0\0\0\0\0\0(\0\0\0\20\0\5\0\0\0\0\0\0\0\0\0"= , > 4096, 0, NULL, NULL) =3D 36 > sendmsg(3, {msg_name(0)=3DNULL, > msg_iov(1)=3D[{"T\0\0\0\24\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0,\0\10\200\34\0\7= \200\10\0\5\0\3608) > \10\0\6\0\0\0\0\0\10\0\6\0\0\0\0\0\f\0\7\200\10\0\5\0\0\0\0\0\4\0\4\200\1= 0\0\1\0\0\0\0\0\10\0\2\0\1\0\0\0", > 84}], msg_controllen=3D0, msg_flags=3D0}, 0) =3D 84 > > We're ending up in netlbl_cipsov4_add() with CIPSO_V4_MAP_TRANS, so it > calls netlbl_cipsov4_add_std() where this is the problematic allocation: > > doi_def->map.std->lvl.local =3D kcalloc(doi_def->map.std->lvl.local_size, > sizeof(u32), > GFP_KERNEL); > > It looks like there is already a check on the max size: > > if (nla_get_u32(nla_b) > > CIPSO_V4_MAX_LOC_LVLS) > goto add_std_failure; > if (nla_get_u32(nla_b) >=3D > doi_def->map.std->lvl.local_size) > doi_def->map.std->lvl.local_size =3D > nla_get_u32(nla_b) + 1; > > However, the limit is quite generous: > > #define CIPSO_V4_INV_LVL 0x80000000 > #define CIPSO_V4_MAX_LOC_LVLS (CIPSO_V4_INV_LVL - 1) > > so maybe a fix would just lower this to something that agrees with the > page allocator? Hmm, I agree that from a practical point of view the limit does seem high. The issue is that I'm not sure we have an easy way to determine an appropriate local limit considering that it is determined by the LSM and in some cases it is determined by the LSM's loaded policy. On the plus side you need privilege to get this far in the code so the impact is minimized, although we still should look into catching this prior to the WARN_ON_ONCE() in __alloc_pages_nodemask(). If nothing else it allows the fuzzers to keep making progress and not die here. We could drop CIPSO_V4_MAX_LOC_LVLS to an arbitrary value, or better yet make it a sysctl (or similar), but that doesn't feel right and I'd prefer to not create another runtime config knob if we don't have to do so. Is there a safe/stable way to ask the allocator what size is *too* big? That might be a better solution as we could catch it in the CIPSO code and return an error before calling kmalloc. I'm not a mm expert, but looking through include/linux/slab.h I wonder if we could just compare the allocation size with KMALLOC_SHIFT_MAX? Or is that still too big? > At first glance it may appear like there is a similar issue with > doi_def->map.std->lvl.cipso_size, but that one looks restricted to a > saner limit of CIPSO_V4_MAX_REM_LVLS =3D=3D 255. It's probably better to > double check both in case I read this wrong. This one is a bit easier, that limit is defined by the CIPSO protocol and we really shouldn't change that. FWIW, I would expect that we would have a similar issue with the CIPSO_V4_MAX_LOC_CATS check in the same function. My initial thinking is that we can solve it in the same manner as the CIPSO_V4_MAX_LOC_LVLS fix. --=20 paul moore www.paul-moore.com