Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp1899615pxp; Thu, 10 Mar 2022 14:36:57 -0800 (PST) X-Google-Smtp-Source: ABdhPJy+Kn8qYpLWQXrUwL+1NEYLGUDyyeU4Ve+EsdQ+Q1KGADZ8c3HSi9IMkGLlBFalarDzk2su X-Received: by 2002:a17:90a:199:b0:1be:dba1:afa4 with SMTP id 25-20020a17090a019900b001bedba1afa4mr7444195pjc.104.1646951817270; Thu, 10 Mar 2022 14:36:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1646951817; cv=none; d=google.com; s=arc-20160816; b=hg2zc/nRZINjTYJXEcQcb3F/rokQogKzHV5Z677/PqfLlOh/Z6BaT3opvkKE4oDq+8 3kIxdGwag+4G6T/Q3pRCjGk8bv+qLkR0p5SkYmlpOP54GDbTMkN30qbsxqKsdktFC8Ll 0h+igZT51dBm2+uO4+mSn/RuWbqKrlhqALOsl4e6nkOE97PyjdNJvVQImdjb7pkWr3cx CL0Y0bSuSf3ROFC7xhWXV2FAjTPi42ETjt9oXHPgSaUGKJd/JxT0Jlstn52bj2hczJ6b pQdFjw9xTSjHTHLzZ6dMsRJXNCyxqrJcky60w8sf6JDYvxuOqvgWVXC6zGaZE6Z2EYi7 3gGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=SS7nrrNHVUaT5n6CRCXmiOuXobp29ColNc9iGvYhPoU=; b=ED19UU3R+04RVwL7RgZIjxK6pwBDW+XqjdLwVrmaWG4J6Zfc6Pfs2+52FVyXYY+bE/ zDMJoZcNsBhgylT+f300Vi+VI0WVWgzGBHWDBMQ60PZ6brFGfGK1v8xck2ntcfNEtuoT Ew6hvexCZoCiUESQESymzv6YoUbj5g++hyMIa0CNnqJwXuZxDZ0I9zWmfgahFmQU7Wfp 3Tm5y7OzMVUpueCnatx/563uAe8+XKZoEbRY6caWD2u89TOmz9AvTBjm3at7HCd5lwrp PGJ4SDHIaohM5XXUjrZmuE5E1gmwo3FIYPmcwByFbSMPm2eT2yXZhEdnO6nV9W9UPUg2 cIgA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=W860HSrE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h185-20020a636cc2000000b00380b14cdb15si5936994pgc.435.2022.03.10.14.36.40; Thu, 10 Mar 2022 14:36:57 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=W860HSrE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245220AbiCJRef (ORCPT + 99 others); Thu, 10 Mar 2022 12:34:35 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58392 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245210AbiCJRee (ORCPT ); Thu, 10 Mar 2022 12:34:34 -0500 Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com [IPv6:2607:f8b0:4864:20::82d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C0A57141457 for ; Thu, 10 Mar 2022 09:33:32 -0800 (PST) Received: by mail-qt1-x82d.google.com with SMTP id v14so879813qta.2 for ; Thu, 10 Mar 2022 09:33:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SS7nrrNHVUaT5n6CRCXmiOuXobp29ColNc9iGvYhPoU=; b=W860HSrEH6X1gW4Zy3kzEe2y2LtS9ojECWxkLzo2l+t9tgStOGe7Vy2L9ba+PqRBa7 6d8oeeU3rO1yqshfOqQ2ItFwtWlKG8ytM8pBp4wpUJLHqp+LOlT8XtChDuGY2DM1H2Sk iWZkNLLqo3taaaK0r8wE7mqslSO/ql/Y9sP8oQPCYTxFB/3GaCq+H6lLQOONTalkurCD pp+Uc0PpsDsdlIShrk1IQ50U4A586LzklHw5+pSblvQeh3GXnRnC+QpNhUFb++8S/l4/ lARsEWhAwmyZg0x3ziyOor53HxFOcFWjicr4hoKARk29D8eyeAxj7Gj2rR7HhgKQ8yAb ccHA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SS7nrrNHVUaT5n6CRCXmiOuXobp29ColNc9iGvYhPoU=; b=lqeKFbSGOskU2pBGWsUvr7vqLxKrRtBA5ttg8Y4nsUkPcM4MLwaNkwDSHUUTlCHO2d UZU/s9hXhXwC+ohuFOA8EzC4hgf3RPUZHsd8XO3hgRgkLYGuc2gse0d8YTyOYTBDGV61 T0+EPeftQ1RKiIKei8zGEoNJ0tWp7NruLgQPwyEKKFoYCriC4YjjPiJ0PE2nNSI28LYz mpO1ACNM5OMSY1Yp+Da8/EiayklqvvdlBK6m/O9QyyWUqzvGHLNij5Fhk6KyR/YUFB7P H3O3bkpexcMrbAtBUOEJdxlCZwCRD9/pApaiRn9bcAcZAAFVuDpg+CTr0rXFq4Hl+ViB ql1w== X-Gm-Message-State: AOAM531eEQnae89nL1a26/gom8i+Fp56QRAHovhxSCRLYM3qRk/u0Stq VlEH6IJUkZqWWiKiaXew7daMxiqMnW4= X-Received: by 2002:a05:622a:1903:b0:2dd:a07e:659e with SMTP id w3-20020a05622a190300b002dda07e659emr4823568qtc.360.1646933611675; Thu, 10 Mar 2022 09:33:31 -0800 (PST) Received: from mail-yw1-f172.google.com (mail-yw1-f172.google.com. [209.85.128.172]) by smtp.gmail.com with ESMTPSA id w4-20020a05620a0e8400b0067b1bcd081csm2485354qkm.66.2022.03.10.09.33.26 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 10 Mar 2022 09:33:27 -0800 (PST) Received: by mail-yw1-f172.google.com with SMTP id 00721157ae682-2dc348dab52so66325707b3.6 for ; Thu, 10 Mar 2022 09:33:26 -0800 (PST) X-Received: by 2002:a0d:e288:0:b0:2db:f50a:9d10 with SMTP id l130-20020a0de288000000b002dbf50a9d10mr5058002ywe.419.1646933605614; Thu, 10 Mar 2022 09:33:25 -0800 (PST) MIME-Version: 1.0 References: <20220308000146.534935-1-tadeusz.struk@linaro.org> <14626165dad64bbaabed58ba7d59e523@AcuMS.aculab.com> <6155b68c-161b-0745-b303-f7e037b56e28@linaro.org> <66463e26-8564-9f58-ce41-9a2843891d1a@kernel.org> <45522c89-a3b4-4b98-232b-9c69470124a3@linaro.org> <8fdab42f-171f-53d7-8e0e-b29161c0e3e2@linaro.org> In-Reply-To: From: Willem de Bruijn Date: Thu, 10 Mar 2022 12:32:49 -0500 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] net: ipv6: fix invalid alloclen in __ip6_append_data To: Tadeusz Struk Cc: Willem de Bruijn , David Ahern , David Laight , "davem@davemloft.net" , Hideaki YOSHIFUJI , Jakub Kicinski , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , "netdev@vger.kernel.org" , "bpf@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "stable@vger.kernel.org" , "syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 10, 2022 at 11:06 AM Tadeusz Struk wrote: > > On 3/10/22 06:39, Willem de Bruijn wrote: > > On Wed, Mar 9, 2022 at 4:37 PM Tadeusz Struk wrote: > >> > >> On 3/8/22 21:01, David Ahern wrote: > >>> On 3/8/22 12:46 PM, Tadeusz Struk wrote: > >>>> That fails in the same way: > >>>> > >>>> skbuff: skb_over_panic: text:ffffffff83e7b48b len:65575 put:65575 > >>>> head:ffff888101f8a000 data:ffff888101f8a088 tail:0x100af end:0x6c0 > >>>> dev: > >>>> ------------[ cut here ]------------ > >>>> kernel BUG at net/core/skbuff.c:113! > >>>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN > >>>> CPU: 0 PID: 1852 Comm: repro Not tainted > >>>> 5.17.0-rc7-00020-gea4424be1688-dirty #19 > >>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1.fc35 > >>>> RIP: 0010:skb_panic+0x173/0x175 > >>>> > >>>> I'm not sure how it supposed to help since it doesn't change the > >>>> alloclen at all. > >>> > >>> alloclen is a function of fraglen and fraglen is a function of datalen. > >> > >> Ok, but in this case it doesn't affect the alloclen and it still fails. > > > > This is some kind of non-standard packet that is being constructed. Do > > we understand how it is different? > > > > The .syz reproducer is generally a bit more readable than the .c > > equivalent. Though not as much as an strace of the binary, if you > > can share that. > > > > r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) > > connect$inet6(r0, &(0x7f0000000040)={0xa, 0x0, 0x0, @dev, 0x6}, 0x1c) > > setsockopt$inet6_IPV6_HOPOPTS(r0, 0x29, 0x36, > > &(0x7f0000000100)=ANY=[@ANYBLOB="52b3"], 0x5a0) > > sendmmsg$inet(r0, &(0x7f00000002c0)=[{{0x0, 0x0, > > &(0x7f0000000000)=[{&(0x7f00000000c0)="1d2d", 0xfa5f}], 0x1}}], 0x1, > > 0xfe80) > > Here it is: > https://termbin.com/krtr > It won't be of much help, I'm afraid, as the offending sendmmsg() > call isn't fully printed. Thanks. It does offer some hints on the other two syscalls: [pid 644] connect(3, {sa_family=AF_INET6, sin6_port=htons(0), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "fe80::", &sin6_addr), sin6_scope_id=if_nametoindex("tunl0")}, 28) = 0 [pid 644] setsockopt(3, SOL_IPV6, IPV6_HOPOPTS, "R\263\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1440) = 0 IPV6_HOPOPTS is ns_capable CAP_NET_RAW. So this adds 1440 bytes to opt_nflen, which is included in fragheaderlen, causing that to be exactly mtu. This means that the payload can never be sent, as each fragment header eats up the entire mtu? This is without any transport headers that would only be part of the first fragment (which go into opt_flen). If you can maybe catch the error before the skb_put and just return EINVAL, we might see whether sendmmsg is relevant or a simple send would be equivalent. (not super important, that appears unrelated.)