From: Eric Dumazet
Date: Sun, 25 Sep 2022 10:34:37 -0700
Subject: Re: [syzbot] WARNING in u32_change
To: Jamal Hadi Salim
Cc: syzbot, David Miller, Jiri Pirko, Jakub Kicinski, LKML, netdev, Paolo Abeni, syzkaller-bugs, Cong Wang, Kees Cook
List-ID: linux-kernel@vger.kernel.org

On Sun, Sep 25, 2022 at 10:13 AM Jamal Hadi Salim wrote:
>
> To be clear, that splat didn't happen for me.
> Is there something else syzbot does to activate it?

Sure, please look at:

commit 54d9469bc515dc5fcbc20eecbe19cea868b70d68
Author: Kees Cook
Date:   Thu Jun 24 15:39:26 2021 -0700

    fortify: Add run-time WARN for cross-field memcpy()

>
> cheers,
> jamal
>
> On Sun, Sep 25, 2022 at 1:08 PM Jamal Hadi Salim wrote:
> >
> > Yes, after testing I realize there is nothing wrong here.
> > What warning was I supposed to see from running the reproducer?
> >
> > We will still add the test with multiple keys later
> >
> > cheers,
> > jamal
> >
> > On Sun, Sep 25, 2022 at 12:29 PM Eric Dumazet wrote:
> > >
> > > On Sun, Sep 25, 2022 at 9:14 AM Jamal Hadi Salim wrote:
> > > >
> > > > On Sun, Sep 25, 2022 at 11:38 AM Jamal Hadi Salim wrote:
> > > > >
> > > > > Is there a way to tell the boat "looking into it?"
> > > >
> > > >
> > > > I guess I have to swim across to it to get the message;->
> > > >
> > > > I couldn't see the warning message but it is obvious by inspection that the memcpy is broken. We should add more test coverage.
> > > > This should fix it. Will send a formal patch later:
> > > > > > > > diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c > > > > index 4d27300c2..591cbbf27 100644 > > > > --- a/net/sched/cls_u32.c > > > > +++ b/net/sched/cls_u32.c > > > > @@ -1019,7 +1019,7 @@ static int u32_change(struct net *net, struct > > > > sk_buff *in_skb, > > > > } > > > > > > > > s = nla_data(tb[TCA_U32_SEL]); > > > > - sel_size = struct_size(s, keys, s->nkeys); > > > > + sel_size = struct_size(s, keys, s->nkeys) + sizeof(n->sel); > > > > if (nla_len(tb[TCA_U32_SEL]) < sel_size) { > > > > err = -EINVAL; > > > > goto erridr; > > > > > > This patch is not needed, please look at struct_size() definition. > > > > > > Here, we might switch to unsafe_memcpy() instead of memcpy()
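Review bot: the `+ sizeof(n->sel)` added to the `sel_size` line double-counts the fixed part of the selector. struct_size(s, keys, s->nkeys) already evaluates to sizeof(*s) plus s->nkeys trailing keys elements, so with the extra term the check `if (nla_len(tb[TCA_U32_SEL]) < sel_size)` returns -EINVAL for a TCA_U32_SEL attribute of exactly the right length, which is a functional regression rather than a fix. As the follow-up reply notes, the size arithmetic is not what produces the WARNING: it comes from the run-time cross-field memcpy() check introduced by commit 54d9469bc515 (fortify), which fires on the memcpy() that copies the selector into n->sel. The change belongs at that memcpy() call (unsafe_memcpy() with a comment explaining why the copy is intended to span the flexible array), and the multi-key test mentioned earlier in the thread would catch an off-by-header rejection like this one.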
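The disagreement in the thread is about what struct_size() already includes. The following user-space model is an added example, not code from the thread or from the kernel tree: `struct selector` and `struct key` are simplified stand-ins for the kernel's tc_u32_sel/tc_u32_key (the field layout is an assumption), `STRUCT_SIZE()` mirrors the kernel's struct_size() helper, and `sel_attr_is_valid()` reproduces the length check in u32_change() beside the double-counted variant from the quoted diff, so you can see that an attribute of exactly the right size is accepted by one and rejected by the other. The FORTIFY cross-field memcpy() WARN itself is not modelled here, only the size arithmetic.

```c
/* Added example (not from the thread or the kernel): user-space model of the
 * TCA_U32_SEL length check. Struct layouts are simplified stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct key {                 /* stand-in for struct tc_u32_key (assumed layout) */
    uint32_t mask, val;
    int32_t off, offmask;
};

struct selector {            /* stand-in for struct tc_u32_sel (assumed layout) */
    unsigned char flags;
    unsigned char offshift;
    unsigned char nkeys;     /* number of trailing keys the sender claims */
    unsigned char pad;
    uint16_t offmask;
    uint16_t off;
    int16_t offoff;
    int16_t hoff;
    uint32_t hmask;
    struct key keys[];       /* flexible array member, sized by nkeys */
};

/* Saturating header + n * elem, like the kernel's struct_size(): the fixed
 * header is counted exactly once. Returns SIZE_MAX on overflow. */
static size_t struct_size_impl(size_t header, size_t elem, size_t n)
{
    if (elem != 0 && n > (SIZE_MAX - header) / elem)
        return SIZE_MAX;
    return header + n * elem;
}
#define STRUCT_SIZE(ptr, member, n) \
    struct_size_impl(sizeof(*(ptr)), sizeof((ptr)->member[0]), (n))

/* Length check as in u32_change(): the attribute must carry the header plus
 * the nkeys keys the header claims. 1 = acceptable, 0 = too short (-EINVAL). */
int sel_attr_is_valid(const void *attr, size_t attr_len)
{
    const struct selector *s = attr;

    if (attr_len < sizeof(*s))          /* cannot even read s->nkeys safely */
        return 0;
    return attr_len >= STRUCT_SIZE(s, keys, s->nkeys);
}

/* The check as written in the quoted diff: sizeof(*s) added a second time.
 * Kept only to show that it rejects a correctly sized attribute. */
int sel_attr_is_valid_double_counted(const void *attr, size_t attr_len)
{
    const struct selector *s = attr;

    if (attr_len < sizeof(*s))
        return 0;
    return attr_len >= STRUCT_SIZE(s, keys, s->nkeys) + sizeof(*s);
}

/* Construct a well-formed attribute with nkeys zeroed keys; returns its length
 * or 0 if buf is too small. The payload is constructed test data. */
size_t build_sel_attr(unsigned char *buf, size_t buf_len, unsigned nkeys)
{
    size_t len = sizeof(struct selector) + (size_t)nkeys * sizeof(struct key);
    struct selector *s = (struct selector *)buf;

    if (len > buf_len)
        return 0;
    memset(buf, 0, len);
    s->nkeys = (unsigned char)nkeys;
    return len;
}

/* The scenario from the thread: an attribute of exactly struct_size bytes.
 * Returns 1 when the real check accepts it, rejects it one byte short, and
 * the double-counted check wrongly rejects the exact size. */
int exact_size_scenario(unsigned nkeys)
{
    unsigned char buf[256];
    size_t len = build_sel_attr(buf, sizeof buf, nkeys);

    if (len == 0)
        return 0;
    return sel_attr_is_valid(buf, len) == 1
        && sel_attr_is_valid(buf, len - 1) == 0
        && sel_attr_is_valid_double_counted(buf, len) == 0;
}

int main(void)
{
    printf("3 keys: exact-size scenario %s\n",
           exact_size_scenario(3) ? "behaves as expected" : "FAILED");
    printf("overflow saturates: %s\n",
           struct_size_impl(16, 16, SIZE_MAX) == SIZE_MAX ? "yes" : "no");
    return 0;
}
```

The point to take from running it: a sender who passes a selector with nkeys keys and exactly struct_size bytes is valid input, and the double-counted check turns that into a spurious -EINVAL, while a one-byte-short attribute is still correctly rejected by the original arithmetic, so the original check is not what needed fixing.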