Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3369217pxj;
        Mon, 14 Jun 2021 22:34:03 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxqZsgbVAjJfVOgQ9lBwQlsz6G26U/Tk2RZD6le5/RFQxx6WblidFzFNKJSK+RHcn6nW1IE
X-Received: by 2002:a5d:9e03:: with SMTP id h3mr16674550ioh.36.1623735243355;
        Mon, 14 Jun 2021 22:34:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1623735243; cv=none;
        d=google.com; s=arc-20160816;
        b=y2S87aR0SDDXqVScihA1NLZenxNS+LzX5D4u8CRuliXYl6nGWfsFbCZLGeotgRGhQs
         q221MNbI7IMCAx2Wz1C/v6Jjp44/JkRP36q9P6HbtHOEUH4tJj9U7ZcAHr2uDq2rZslp
         XsNA+CmOMLvl0xVyRDp/NB+R71QF8IupXzTQUubcRNsd9UNcTmhHudxToVAxE5eKtFDz
         ffQKAE78RH5hqBld5dotMH86eBLOHJhL0JrwnmqUyPqTODbNCSEPow9fizvPZFZn8+RD
         i0udkjomubaue7MA7QHoj1stgoMUvp78bd9VkTQFX71qCiX1qzY44RrlwbC2UJayusYv
         d9Kg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=nBTBDxSP2hmi0QPzL0Jstc5+j7CMZVykA3MCHy7jWD4=;
        b=G+5aeQDnAwa4i+XKs0DKzyZt/aidzSnhT8bIJqbRiHcgmaAz8N4Ze4t6oDN4ERwz5q
         B9BrSn7onkMhwNAkblVkydOoI3bFlcaGE4PF6fASYDSiz7e9zqi+d2CSsYPuIQZ4FAPH
         CkrETLEdA+my5L4eP8pQat/89F5ccbKHyguo3WOUrdc/4N21g6rLrMlalLsQur6494Kq
         Juow9YNoOyjrCBmRs4XgktH1SVzBdSJCGU604L2cV5NZksXo6CeuSzqpbCeUfmJn6xK2
         UZqxhuHYlx5HrDQEt/L77kAQy0FcxLAnVg3GrgsmZ2Oo2Oqd11Yofc13uGfiCGoq6ABn
         D9fg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id g3si12441493ile.15.2021.06.14.22.33.50;
        Mon, 14 Jun 2021 22:34:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230084AbhFOFeN (ORCPT <rfc822;lwx169@gmail.com> + 99 others);
        Tue, 15 Jun 2021 01:34:13 -0400
Received: from helcar.hmeau.com ([216.24.177.18]:50658 "EHLO deadmen.hmeau.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S230038AbhFOFeN (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 15 Jun 2021 01:34:13 -0400
Received: from gondobar.mordor.me.apana.org.au ([192.168.128.4] helo=gondobar)
        by deadmen.hmeau.com with esmtp (Exim 4.92 #5 (Debian))
        id 1lt1gD-0006u3-8A; Tue, 15 Jun 2021 13:32:05 +0800
Received: from herbert by gondobar with local (Exim 4.92)
        (envelope-from <herbert@gondor.apana.org.au>)
        id 1lt1g7-0001R0-Bs; Tue, 15 Jun 2021 13:31:59 +0800
Date:   Tue, 15 Jun 2021 13:31:59 +0800
From:   Herbert Xu <herbert@gondor.apana.org.au>
To:     syzbot <syzbot+e4c1dd36fc6b98c50859@syzkaller.appspotmail.com>
Cc:     davem@davemloft.net, kuba@kernel.org, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org, steffen.klassert@secunet.com,
        syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] UBSAN: shift-out-of-bounds in xfrm_selector_match
Message-ID: <20210615053159.GA5412@gondor.apana.org.au>
References: <000000000000008a6c05c46e45a4@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <000000000000008a6c05c46e45a4@google.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 10, 2021 at 12:19:26PM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    13c62f53 net/sched: act_ct: handle DNAT tuple collision
> git tree:       net
> console output: https://syzkaller.appspot.com/x/log.txt?x=16635470300000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=770708ea7cfd4916
> dashboard link: https://syzkaller.appspot.com/bug?extid=e4c1dd36fc6b98c50859
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+e4c1dd36fc6b98c50859@syzkaller.appspotmail.com
> 
> UBSAN: shift-out-of-bounds in ./include/net/xfrm.h:838:23
> shift exponent -64 is negative
> CPU: 0 PID: 12625 Comm: syz-executor.1 Not tainted 5.13.0-rc3-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:79 [inline]
>  dump_stack+0x141/0x1d7 lib/dump_stack.c:120
>  ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
>  __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
>  addr4_match include/net/xfrm.h:838 [inline]
>  __xfrm4_selector_match net/xfrm/xfrm_policy.c:201 [inline]
>  xfrm_selector_match.cold+0x35/0x3a net/xfrm/xfrm_policy.c:227
>  xfrm_state_look_at+0x16d/0x440 net/xfrm/xfrm_state.c:1022

This appears to be an xfrm_state object with an IPv4 selector
that somehow has a prefixlen (d or s) of 96.

AFAICS this is not possible through xfrm_user.  OTOH it is not
obvious that af_key is entirely consistent in how it verifies
the prefix length, in particular, it seems to be possible for
two addresses with conflicting families to be provided as src/dst.

Can you confirm that this is indeed using af_key (a quick read
of the syzbot log seems to indicate that this is the case)?

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt