Date: Mon, 27 Nov 2017 12:55:35 +0100
From: Steffen Klassert
To: Cong Wang
CC: syzbot, David Miller, Herbert Xu, LKML, Linux Kernel Network Developers
Subject: Re: WARNING in xfrm_state_fini
Message-ID: <20171127115535.mlsjbrj7pt3d4jvo@gauss3.secunet.de>
References: <001a11352f4a2b4fca055e7b441e@google.com>

On Tue, Nov 21, 2017 at 06:44:04PM -0800, Cong Wang wrote:
> On Tue, Nov 21, 2017 at 2:00 AM, syzbot wrote:
> > Hello,
> >
> > syzkaller hit the following crash on
> > c8a0739b185d11d6e2ca7ad9f5835841d1cfc765
> > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> > compiler: gcc (GCC) 7.1.1 20170620
> > .config is attached
> > Raw console output is attached.
> > C reproducer is attached
> > syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> > for information about syzkaller reproducers
> >
> >
> > Kernel panic - not syncing: panic_on_warn set ...
> >
> > CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 4.14.0+ #187
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: netns cleanup_net
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:17 [inline]
> >  dump_stack+0x194/0x257 lib/dump_stack.c:53
> >  panic+0x1e4/0x41c kernel/panic.c:183
> >  __warn+0x1dc/0x200 kernel/panic.c:547
> >  report_bug+0x211/0x2d0 lib/bug.c:184
> >  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
> >  fixup_bug arch/x86/kernel/traps.c:246 [inline]
> >  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
> >  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
> >  invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:926
> > RIP: 0010:xfrm_state_fini+0x46a/0x620 net/xfrm/xfrm_state.c:2323
> > RSP: 0018:ffff8801d9ce70f0 EFLAGS: 00010293
> > RAX: ffff8801d9cde580 RBX: ffff8801ccf50040 RCX: ffffffff845cb0fa
> > RDX: 0000000000000000 RSI: 1ffff1003b39bdd1 RDI: ffffed003b39ce10
> > RBP: ffff8801d9ce7248 R08: 1ffff1003b39cda4 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1003b39ce20
> > R13: ffff8801d9ce7220 R14: 1ffff1003b39ce24 R15: ffff8801ccf51500
> >  xfrm_net_exit+0x25/0x30 net/xfrm/xfrm_policy.c:2957
>
> User-space uses proto==0 as a wildcard, but xfrm_id_proto_match()
> doesn't consider it as a match with IPSEC_PROTO_ANY, in this case
> it should match all. Not sure if the following patch is the best way to
> fix it, or perhaps x->id.proto should be initialized to some of these 3
> values, but looking into ->init_temprop() it is not the case.

x->id is copied from the policy template and it seems that
we don't validate the id of the template when inserting
the policy. iproute2 checks for a valid IPsec proto but
the kernel does not do so.

I think we should check the policy template and reject
inserting if the proto is invalid.
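
The failure mode discussed in this thread, as a user-space C model added here as an example; it is not kernel code and not a patch from either participant. The types, the function names, the rule that only AH, ESP and IPComp count as valid, and the assumption that the cleanup flush uses the IPSEC_PROTO_ANY wildcard are all assumptions of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* IANA protocol numbers; PROTO_ANY stands in for the kernel's IPSEC_PROTO_ANY. */
enum { PROTO_ESP = 50, PROTO_AH = 51, PROTO_COMP = 108, PROTO_ANY = 255 };

struct tmpl  { uint8_t proto; };             /* hypothetical policy template */
struct state { uint8_t proto; int alive; };  /* hypothetical state entry */

/* Assumed validity rule: only AH, ESP and IPComp are acceptable. */
static int proto_valid(uint8_t proto)
{
    return proto == PROTO_AH || proto == PROTO_ESP || proto == PROTO_COMP;
}

/* Model of the match described in the thread: userproto 0 matches all,
 * PROTO_ANY matches only the three IPsec protocols. */
static int proto_match(uint8_t proto, uint8_t userproto)
{
    return userproto == 0 || proto == userproto ||
           (userproto == PROTO_ANY && proto_valid(proto));
}

/* Flush matching states; return how many are still alive afterwards. */
static int flush_states(struct state *s, size_t n, uint8_t userproto)
{
    int left = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i].alive && proto_match(s[i].proto, userproto))
            s[i].alive = 0;
        left += s[i].alive;
    }
    return left;
}

/* Insert one template (optionally validated), copy its proto into a state,
 * then run the cleanup flush. Returns leftover states or -EINVAL. */
static int leftover_after_cleanup(uint8_t tmpl_proto, int validate)
{
    struct tmpl t = { .proto = tmpl_proto };
    struct state s[1];

    if (validate && !proto_valid(t.proto))
        return -EINVAL;             /* the proposed rejection at insert time */
    s[0] = (struct state){ .proto = t.proto, .alive = 1 };
    return flush_states(s, 1, PROTO_ANY);
}
```

A leftover count of 1 for a template with proto 0 and no validation corresponds to the state that survives the flush and trips the warning; with validation enabled the same template is refused before any state exists.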