On Thu 2020-05-28 15:56:03, Tetsuo Handa wrote:
> syzbot found a NULL pointer dereference bug inside mptcp_recvmsg() due to
> ssock == NULL, but this bug manifested inside selinux_socket_recvmsg()
> because pr_debug() was no-op [1].
>
> pr_debug("fallback-read subflow=%p",
> mptcp_subflow_ctx(ssock->sk));
> copied = sock_recvmsg(ssock, msg, flags);
>
> Thus, let's allow fuzzers to always evaluate pr_devel()/pr_debug()
> messages, by redirecting no-op pr_devel()/pr_debug() calls to snprintf().
>
> [1]
> https://syzkaller.appspot.com/bug?id=12be9aa373be9d8727cdd172f190de39528a413a
>
> Signed-off-by: Tetsuo Handa <[email protected]>
> Cc: Petr Mladek <[email protected]>
> Cc: Sergey Senozhatsky <[email protected]>
> Cc: Steven Rostedt <[email protected]>
> Cc: Ondrej Mosnacek <[email protected]>
> Cc: Dmitry Vyukov <[email protected]>
> ---
> include/linux/dev_printk.h | 16 ++++++++++++++++
> include/linux/dynamic_debug.h | 14 ++++++++++++--
> include/linux/printk.h | 10 ++++++++++
> lib/Kconfig.twist | 12 ++++++++++++
> 4 files changed, 50 insertions(+), 2 deletions(-)
I am fine with pushing this into linux-next for testing purposes.
But I am against pushing this to Linus' tree in this form.
Now, it requires lib/Kconfig.twist that is added by a patch in
Andrew's tree. One approach is to push this into linux-next
via Andrew's -mm tree.
Another possibility would be to remove lib/Kconfig.twist
changes from this patch and replace
CONFIG_TWIST_ALWAYS_EVALUATE_PRINTK_ARGUMENTS with
CONFIG_TWIST_FOR_SYZKALLER_TESTING.
Then I could push it into linux-next via printk/linux.git tree.
Best Regards,
Petr
