Date: Sat, 23 Dec 2023 15:17:22 -0800
In-Reply-To: <2591733.1703373433@warthog.procyon.org.uk>
Message-ID: <000000000000f27a0d060d358835@google.com>
Subject: Re: [syzbot] [net?] KASAN: slab-out-of-bounds Read in dns_resolver_preparse
From: syzbot
To: dhowells@redhat.com
Cc: davem@davemloft.net, dhowells@redhat.com, edumazet@google.com, jarkko@kernel.org, jmorris@namei.org, keyrings@vger.kernel.org, kuba@kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, netdev@vger.kernel.org, pabeni@redhat.com, paul@paul-moore.com, serge@hallyn.com, syzkaller-bugs@googlegroups.com

> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

want either no args or 2 args (repo, branch), got 5

> > diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c > index 2a6d363763a2..f18ca02aa95a 100644 > --- a/net/dns_resolver/dns_key.c > +++ b/net/dns_resolver/dns_key.c > @@ -91,8 +91,6 @@ const struct cred *dns_resolver_cache; > static int > dns_resolver_preparse(struct key_preparsed_payload *prep) > { > - const struct dns_server_list_v1_header *v1; > - const struct dns_payload_header *bin; > struct user_key_payload *upayload; > unsigned long derrno; > int ret; > @@ -103,27 +101,28 @@ dns_resolver_preparse(struct key_preparsed_payload *prep) > return -EINVAL; > > if (data[0] == 0) { > + const struct dns_server_list_v1_header *v1; > + > /* It may be a server list. */ > - if (datalen <= sizeof(*bin)) > + if (datalen <= sizeof(*v1)) > return -EINVAL; > > - bin = (const struct dns_payload_header *)data; > - kenter("[%u,%u],%u", bin->content, bin->version, datalen); > - if (bin->content != DNS_PAYLOAD_IS_SERVER_LIST) { > + v1 = (const struct dns_server_list_v1_header *)data; > + kenter("[%u,%u],%u", v1->hdr.content, v1->hdr.version, datalen); > + if (v1->hdr.content != DNS_PAYLOAD_IS_SERVER_LIST) { > pr_warn_ratelimited( > "dns_resolver: Unsupported content type (%u)\n", > - bin->content); > + v1->hdr.content); > return -EINVAL; > } > > - if (bin->version != 1) { > + if (v1->hdr.version != 1) { > pr_warn_ratelimited( > "dns_resolver: Unsupported server list version (%u)\n", > - bin->version); > + v1->hdr.version); > return -EINVAL; > } > > - v1 = (const struct dns_server_list_v1_header *)bin; > if ((v1->status != DNS_LOOKUP_GOOD && > v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) { > if (prep->expiry == TIME64_MAX) >
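
Review bot: In the second hunk (`@@ -103,27 +101,28 @@`), the new bound `if (datalen <= sizeof(*v1))` now runs ahead of the `v1->hdr.content` and `v1->hdr.version` tests, so a payload too short for the v1 header returns a bare -EINVAL without either `pr_warn_ratelimited()` message. The ordering should stay, since it is what keeps the later `v1->status` read inside the buffer, which the old `sizeof(*bin)` check followed by the cast to `v1` did not guarantee. A one-line comment above the check would help, stating that it covers every `v1` field read below and that `<=` deliberately rejects a buffer holding only the header.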