Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Date:   Fri, 24 Sep 2021 20:14:13 +0300
From:   Dan Carpenter <dan.carpenter@oracle.com>
To:     Xin Long <lucien.xin@gmail.com>
Cc:     syzbot <syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com>,
        davem <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        "linux-sctp @ vger . kernel . org" <linux-sctp@vger.kernel.org>,
        Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
        network dev <netdev@vger.kernel.org>,
        Neil Horman <nhorman@tuxdriver.com>,
        syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
        Vlad Yasevich <vyasevich@gmail.com>
Subject: Re: [syzbot] general protection fault in sctp_rcv
Message-ID: <20210924171412.GF2083@kadam>
References: <0000000000009a53cd05cc788a95@google.com>
 <CADvbK_c-V6orWGm2ae1pxoUU-5J-1J-a057hYemA6oTESGhFMg@mail.gmail.com>
 <20210923093442.GC2048@kadam>
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20210923093442.GC2048@kadam>
User-Agent: Mutt/1.9.4 (2018-02-28)
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?5lXF+TLoNpetRMm/yGJAXCSCW/87PkR2zyR4TftnnB9jjyuohxmIToDr8BUU?=
 =?us-ascii?Q?en6OGkObyTg0d/ZXN6JnTIsAQPVd4ZCY9U53xbNKx+mmnzVT5Hfb/Nyqyw3t?=
 =?us-ascii?Q?bBhecSn35r157d+ANyJvEghl0rKbaIGMi+1cK9CumNAswLo0XN5V7visZUSS?=
 =?us-ascii?Q?6sAahnSgbYGfiGA5Ryi5ozQDknxvmCMJY85jBW03qbHawY9Ydz+kneQkImQA?=
 =?us-ascii?Q?DKrEvD7UY8ol64GhHtZvjnWWC4Dh44W4xx7us2RS2K6No8D2SWF7LXN59WfB?=
 =?us-ascii?Q?60Eo9j6lY109XBdeiuzZhboTrFhSo4OAUmZCaAQdZ8HTKxh3gay5ShVHmxtQ?=
 =?us-ascii?Q?kczGj67ajcPl1Sq3Bhqej6vDVqscecpQeiJKfjRI7oZ59ZQeqwWoqdKW8pLs?=
 =?us-ascii?Q?FD2rPkO/fFHoobeUsKeO8Bv982FR+S7Z4ZMzy9J0qNRqAOih/HAThS0Ez2ML?=
 =?us-ascii?Q?Mn/79UD1GxPQ7bKZ87ylgdmSLPyJkXdv+WYh/i/wm/Cere5AoCQPYu5fqBsA?=
 =?us-ascii?Q?sh0NHiD90L0x8bIkPl4Sa0llksn4XOoHGF0DQNJX6ZWKSsfm/Q6UMa4zWAeD?=
 =?us-ascii?Q?nshLK8DzUfYo6BhrnS2LFWy+TvKsMFKvvOItIMpjEMuPv6e0o5VAoyJMdB8R?=
 =?us-ascii?Q?KwdgYOrUXDJuIGlIAe8MevZkwSXgskhBMrQvmvcXSIrZWBzDD2Lr/ejqTPqP?=
 =?us-ascii?Q?7ykS2YA6RCWxy93Pk5RY5YQYnuzDOSoXNXaUGM/TE4Rm2Jj4lmhkTW7/8wqE?=
 =?us-ascii?Q?/UBkf0XTaxn1e7LZa0uleF0qTUNchheIQlGAWqn9VPVGP19jgLOwM2ip45fo?=
 =?us-ascii?Q?YtGekpZcdj+bZGnfL9JiInL1x6efNGGFbzcREQ6Svs8w72i4ukSAqbEjSpzz?=
 =?us-ascii?Q?sBc6d8VwvO49LFlp5tbOGmJWE205QXGCNnFl6V2nn/vUH1X5AH5mBup71AO9?=
 =?us-ascii?Q?7nGCxigknPSe8DHCWliwVymp5RfYGG+irztKuGq+5avLhRECjR2iWrkLHNkp?=
 =?us-ascii?Q?qi7iJAr4u8tef7Xo/M3S3kMuy4NU6S2wmyAST08DZvZGppudzQiKkw9g3xQ4?=
 =?us-ascii?Q?E19IHVwVcN20Wzf1S9dDnMWgGMAYoVrg+O3lllFmi4YjSjBGqpi+bn7WaCWx?=
 =?us-ascii?Q?i9kOQTmCV4nAfkTqk4wM+B9hAbBbEAmDJ1EafE3rxipWeTtur7k0X/fGFwGv?=
 =?us-ascii?Q?Io7iV0YEtYOye66KyHRPWT1m73Xpr21g0PFhJs38AzjHxS+eQRynGyssIlfZ?=
 =?us-ascii?Q?MYBlq87ldxva1JMs3//+tFnQscFskmwvX+x3txdARCO05Hq5Oy7Ncy4eF79P?=
 =?us-ascii?Q?VUSlUPQelc/Fq2bBHLbQDLfL?=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1070ff94-2481-4d43-d5d3-08d97f7ec5ae
X-MS-Exchange-CrossTenant-AuthSource: CY4PR1001MB2358.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 Sep 2021 17:14:31.1130
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: awLZUH2VOcXPhNsRwU/xGU8AHo/5omIDS7oSSNHv870mUhwp95xN64bYjXLqpDV3akhNRBhJBBJvlcRqgxZjys2aQEeXwrkOfoTAmIuHg+E=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1001MB2088
X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10117 signatures=668682
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 mlxscore=0 malwarescore=0
 adultscore=0 suspectscore=0 mlxlogscore=999 spamscore=0 phishscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109230001
 definitions=main-2109240108
X-Proofpoint-GUID: Ve5Nq-bL8MXwyA5CfMmFz0C2TfGhg2ci
X-Proofpoint-ORIG-GUID: Ve5Nq-bL8MXwyA5CfMmFz0C2TfGhg2ci
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 23, 2021 at 12:34:42PM +0300, Dan Carpenter wrote:
> On Wed, Sep 22, 2021 at 05:18:29PM +0800, Xin Long wrote:
> > On Tue, Sep 21, 2021 at 12:09 PM syzbot
> > <syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    98dc68f8b0c2 selftests: nci: replace unsigned int with int
> > > git tree:       net
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=11fd443d300000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=c31c0936547df9ea
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=581aff2ae6b860625116
> > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > >
> > > Unfortunately, I don't have any reproducer for this issue yet.
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com
> > >
> > > general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> > > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> > > CPU: 0 PID: 11205 Comm: kworker/0:12 Not tainted 5.14.0-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > Workqueue: ipv6_addrconf addrconf_dad_work
> > > RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
> > by anyway, checking if skb_header_pointer() return NULL is always needed:
> > @@ -702,7 +702,7 @@ static int sctp_rcv_ootb(struct sk_buff *skb)
> >                 ch = skb_header_pointer(skb, offset, sizeof(*ch), &_ch);
> > 
> >                 /* Break out if chunk length is less then minimal. */
> > -               if (ntohs(ch->length) < sizeof(_ch))
> > +               if (!ch || ntohs(ch->length) < sizeof(_ch))
> >                         break;
> > 
> 
> The skb_header_pointer() function is annotated as __must_check but that
> only means you have to use the return value.  These things would be
> better as a Coccinelle or Smatch check.
> 
> I will create a Smatch warning for this.

These are the Smatch warnings for this:

net/sctp/input.c:705 sctp_rcv_ootb() error: skb_header_pointer() returns NULL
net/ipv6/netfilter/ip6t_rt.c:111 rt_mt6() error: skb_header_pointer() returns NULL
net/ipv4/icmp.c:1076 icmp_build_probe() error: skb_header_pointer() returns NULL
net/ipv4/icmp.c:1089 icmp_build_probe() error: skb_header_pointer() returns NULL

regards,
dan carpenter