Re: [PATCH] net: ipv6: fix slab-out-of-bounds Read in __xfrm6_tunnel_spi_check

2020-07-28 Thread David Miller
From: B K Karthik 
Date: Sat, 25 Jul 2020 19:00:31 +0530

> use spi_byaddr instead of spi_byspi
 ...
> diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
> index 25b7ebda2fab..cab7693ccfe3 100644
> --- a/net/ipv6/xfrm6_tunnel.c
> +++ b/net/ipv6/xfrm6_tunnel.c
> @@ -103,10 +103,10 @@ static int __xfrm6_tunnel_spi_check(struct net *net, 
> u32 spi)
>  {
>   struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
>   struct xfrm6_tunnel_spi *x6spi;
> - int index = xfrm6_tunnel_spi_hash_byspi(spi);
> + int index = xfrm6_tunnel_spi_hash_byaddr(spi);
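Review bot: `xfrm6_tunnel_spi_hash_byaddr` takes a `const xfrm_address_t *`, so the `+ int index = xfrm6_tunnel_spi_hash_byaddr(spi);` line hands it the `u32` SPI as if it were a pointer; that is an int-to-pointer conversion (both build reports in this thread flag it under -Wint-conversion and note that `xfrm6_tunnel_spi_hash_byspi` is now unused), and the resulting bucket index bears no relation to the SPI being checked. The function's job is to decide whether `spi` is already in use, which is what the SPI-keyed table and `xfrm6_tunnel_spi_hash_byspi` exist for; walking the address-keyed `spi_byaddr` table through the `list_byspi` node, as the robot's code context shows, mixes the two hash tables. This change does not address the KASAN report in the original posting either: the read at net/ipv6/xfrm6_tunnel.c:108 lands 8 bytes past the end of a kmalloc-512 object that was allocated by device_private_init during ip6gre_init_net, not an xfrm6_tunnel_spi entry, so the list walk is following a pointer that does not belong to this hash table at all, and the cause of that must be found rather than changing which bucket is scanned. Please compile with W=1 before resending.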

You are passing a u32 integer into a function that expects a pointer as an
argument.

This change isn't even compile tested properly, let alone run tested.

Please stop making such careless submissions, this takes up valuable
developer patch review resources.

Thank you.




Re: [PATCH] net: ipv6: fix slab-out-of-bounds Read in __xfrm6_tunnel_spi_check

2020-07-26 Thread kernel test robot
Hi K,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on ipsec/master]
[also build test WARNING on ipsec-next/master net-next/master net/master v5.8-rc6 next-20200724]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/B-K-Karthik/net-ipv6-fix-slab-out-of-bounds-Read-in-__xfrm6_tunnel_spi_check/20200725-213142
base:   https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git master
config: x86_64-randconfig-r032-20200726 (attached as .config)
compiler: clang version 12.0.0 (https://github.com/llvm/llvm-project 8bf4c1f4fb257774f66c8cda07adc6c5e8668326)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install x86_64 cross compiling tool for clang build
        # apt-get install binutils-x86-64-linux-gnu
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot 

All warnings (new ones prefixed by >>):

>> net/ipv6/xfrm6_tunnel.c:106:43: warning: incompatible integer to pointer conversion passing 'u32' (aka 'unsigned int') to parameter of type 'const xfrm_address_t *' [-Wint-conversion]
           int index = xfrm6_tunnel_spi_hash_byaddr(spi);
                                                    ^~~
   net/ipv6/xfrm6_tunnel.c:57:79: note: passing argument to parameter 'addr' here
   static inline unsigned int xfrm6_tunnel_spi_hash_byaddr(const xfrm_address_t *addr)
                                                                                 ^
   net/ipv6/xfrm6_tunnel.c:69:28: warning: unused function 'xfrm6_tunnel_spi_hash_byspi' [-Wunused-function]
   static inline unsigned int xfrm6_tunnel_spi_hash_byspi(u32 spi)
                              ^
   2 warnings generated.

vim +106 net/ipv6/xfrm6_tunnel.c

   101  
   102  static int __xfrm6_tunnel_spi_check(struct net *net, u32 spi)
   103  {
   104          struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
   105          struct xfrm6_tunnel_spi *x6spi;
 > 106          int index = xfrm6_tunnel_spi_hash_byaddr(spi);
   107  
   108          hlist_for_each_entry(x6spi,
   109                               &xfrm6_tn->spi_byaddr[index],
   110                               list_byspi) {
   111                  if (x6spi->spi == spi)
   112                          return -1;
   113          }
   114          return index;
   115  }
   116  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-...@lists.01.org




Re: [PATCH] net: ipv6: fix slab-out-of-bounds Read in __xfrm6_tunnel_spi_check

2020-07-25 Thread kernel test robot
Hi K,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on ipsec/master]
[also build test WARNING on ipsec-next/master net-next/master net/master v5.8-rc6 next-20200724]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/B-K-Karthik/net-ipv6-fix-slab-out-of-bounds-Read-in-__xfrm6_tunnel_spi_check/20200725-213142
base:   https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git master
config: parisc-allyesconfig (attached as .config)
compiler: hppa-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=parisc

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot 

All warnings (new ones prefixed by >>):

   net/ipv6/xfrm6_tunnel.c: In function '__xfrm6_tunnel_spi_check':
>> net/ipv6/xfrm6_tunnel.c:106:43: warning: passing argument 1 of 'xfrm6_tunnel_spi_hash_byaddr' makes pointer from integer without a cast [-Wint-conversion]
     106 |  int index = xfrm6_tunnel_spi_hash_byaddr(spi);
         |                                           ^~~
         |                                           |
         |                                           u32 {aka unsigned int}
   net/ipv6/xfrm6_tunnel.c:57:79: note: expected 'const xfrm_address_t *' {aka 'const union  *'} but argument is of type 'u32' {aka 'unsigned int'}
      57 | static inline unsigned int xfrm6_tunnel_spi_hash_byaddr(const xfrm_address_t *addr)
         |                                                         ~~~~~~~~~~~~~~~~~~~~~~^~~~

vim +/xfrm6_tunnel_spi_hash_byaddr +106 net/ipv6/xfrm6_tunnel.c

   101  
   102  static int __xfrm6_tunnel_spi_check(struct net *net, u32 spi)
   103  {
   104          struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
   105          struct xfrm6_tunnel_spi *x6spi;
 > 106          int index = xfrm6_tunnel_spi_hash_byaddr(spi);
   107  
   108          hlist_for_each_entry(x6spi,
   109                               &xfrm6_tn->spi_byaddr[index],
   110                               list_byspi) {
   111                  if (x6spi->spi == spi)
   112                          return -1;
   113          }
   114          return index;
   115  }
   116  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-...@lists.01.org




[PATCH] net: ipv6: fix slab-out-of-bounds Read in __xfrm6_tunnel_spi_check

2020-07-25 Thread B K Karthik
use spi_byaddr instead of spi_byspi

==
BUG: KASAN: slab-out-of-bounds in __xfrm6_tunnel_spi_check+0x316/0x330 net/ipv6/xfrm6_tunnel.c:108
Read of size 8 at addr 8880a93a5e08 by task syz-executor.1/8482
CPU: 0 PID: 8482 Comm: syz-executor.1 Not tainted 5.8.0-rc5-next-20200716-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 __xfrm6_tunnel_spi_check+0x316/0x330 net/ipv6/xfrm6_tunnel.c:108
 __xfrm6_tunnel_alloc_spi net/ipv6/xfrm6_tunnel.c:131 [inline]
 xfrm6_tunnel_alloc_spi+0x296/0x8a0 net/ipv6/xfrm6_tunnel.c:174
 ipcomp6_tunnel_create net/ipv6/ipcomp6.c:84 [inline]
 ipcomp6_tunnel_attach net/ipv6/ipcomp6.c:124 [inline]
 ipcomp6_init_state net/ipv6/ipcomp6.c:159 [inline]
 ipcomp6_init_state+0x2af/0x700 net/ipv6/ipcomp6.c:139
 __xfrm_init_state+0x9a6/0x14b0 net/xfrm/xfrm_state.c:2498
 xfrm_init_state+0x1a/0x70 net/xfrm/xfrm_state.c:2525
 pfkey_msg2xfrm_state net/key/af_key.c:1291 [inline]
 pfkey_add+0x1a10/0x2b70 net/key/af_key.c:1508
 pfkey_process+0x66d/0x7a0 net/key/af_key.c:2834
 pfkey_sendmsg+0x42d/0x800 net/key/af_key.c:3673
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sys_sendmsg+0x331/0x810 net/socket.c:2362
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2416
 __sys_sendmmsg+0x195/0x480 net/socket.c:2506
 __do_sys_sendmmsg net/socket.c:2535 [inline]
 __se_sys_sendmmsg net/socket.c:2532 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2532
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Allocated by task 1:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 kmem_cache_alloc_trace+0x16e/0x2c0 mm/slab.c:3550
 kmalloc include/linux/slab.h:554 [inline]
 kzalloc include/linux/slab.h:666 [inline]
 device_private_init drivers/base/core.c:2763 [inline]
 device_add+0x1008/0x1c40 drivers/base/core.c:2813
 netdev_register_kobject+0x17d/0x3b0 net/core/net-sysfs.c:1888
 register_netdevice+0xd29/0x1540 net/core/dev.c:9523
 register_netdev+0x2d/0x50 net/core/dev.c:9654
 ip6gre_init_net+0x3c4/0x5e0 net/ipv6/ip6_gre.c:1587
 ops_init+0xaf/0x470 net/core/net_namespace.c:151
 __register_pernet_operations net/core/net_namespace.c:1140 [inline]
 register_pernet_operations+0x35a/0x850 net/core/net_namespace.c:1217
 register_pernet_device+0x26/0x70 net/core/net_namespace.c:1304
 ip6gre_init+0x1f/0x132 net/ipv6/ip6_gre.c:2327
 do_one_initcall+0x10a/0x7b0 init/main.c:1201
 do_initcall_level init/main.c:1274 [inline]
 do_initcalls init/main.c:1290 [inline]
 do_basic_setup init/main.c:1310 [inline]
 kernel_init_freeable+0x4f4/0x5a3 init/main.c:1507
 kernel_init+0xd/0x1c0 init/main.c:1401
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
The buggy address belongs to the object at 8880a93a5c00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes to the right of
 512-byte region [8880a93a5c00, 8880a93a5e00)
The buggy address belongs to the page:
page:64ff38cf refcount:1 mapcount:0 mapping: index:0x0 pfn:0xa93a5
flags: 0xfffe000200(slab)
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 8880a93a5d00: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 8880a93a5d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>8880a93a5e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ^
 8880a93a5e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 8880a93a5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==

Reported-by: syzbot+7da3fdf292816554b...@syzkaller.appspotmail.com
Signed-off-by: B K Karthik 
---
 net/ipv6/xfrm6_tunnel.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 25b7ebda2fab..cab7693ccfe3 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@