Re: [syzbot] linux-next test error: WARNING in set_peer
I think I'll open code it like below. I'll include this in my next push to net. >From 19fb26af00a8266df65b706dc02727c6a608b1b6 Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Wed, 14 Sep 2022 18:42:00 +0100 Subject: [PATCH] wireguard: netlink: avoid variable-sized memcpy on sockaddr Doing a variable-sized memcpy is slower, and the compiler isn't smart enough to turn this into a constant-size assignment. Further, Kees' latest fortified memcpy will actually bark, because the destination pointer is type sockaddr, not explicitly sockaddr_in or sockaddr_in6, so it thinks there's an overflow: memcpy: detected field-spanning write (size 28) of single field "" at drivers/net/wireguard/netlink.c:446 (size 16) Fix this by just assigning by using explicit casts for each checked case. Cc: Kees Cook Signed-off-by: Jason A. Donenfeld --- drivers/net/wireguard/netlink.c | 13 ++--- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c index d0f3b6d7f408..5c804bcabfe6 100644 --- a/drivers/net/wireguard/netlink.c +++ b/drivers/net/wireguard/netlink.c @@ -436,14 +436,13 @@ static int set_peer(struct wg_device *wg, struct nlattr **attrs) if (attrs[WGPEER_A_ENDPOINT]) { struct sockaddr *addr = nla_data(attrs[WGPEER_A_ENDPOINT]); size_t len = nla_len(attrs[WGPEER_A_ENDPOINT]); + struct endpoint endpoint = { { { 0 } } }; - if ((len == sizeof(struct sockaddr_in) && -addr->sa_family == AF_INET) || - (len == sizeof(struct sockaddr_in6) && -addr->sa_family == AF_INET6)) { - struct endpoint endpoint = { { { 0 } } }; - - memcpy(, addr, len); + if (len == sizeof(struct sockaddr_in) && addr->sa_family == AF_INET) { + endpoint.addr4 = *(struct sockaddr_in *)addr; + wg_socket_set_peer_endpoint(peer, ); + } else if (len == sizeof(struct sockaddr_in6) && addr->sa_family == AF_INET6) { + endpoint.addr6 = *(struct sockaddr_in6 *)addr; wg_socket_set_peer_endpoint(peer, ); } } -- 2.37.3
Re: [syzbot] linux-next test error: WARNING in set_peer
On Tue, Sep 13, 2022 at 12:51:42PM -0700, syzbot wrote: > memcpy: detected field-spanning write (size 28) of single field > "" at drivers/net/wireguard/netlink.c:446 (size 16) This is one way to fix it: diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c index 0c0644e762e5..dbbeba216530 100644 --- a/drivers/net/wireguard/netlink.c +++ b/drivers/net/wireguard/netlink.c @@ -434,16 +434,16 @@ static int set_peer(struct wg_device *wg, struct nlattr **attrs) } if (attrs[WGPEER_A_ENDPOINT]) { - struct sockaddr *addr = nla_data(attrs[WGPEER_A_ENDPOINT]); + struct endpoint *raw = nla_data(attrs[WGPEER_A_ENDPOINT]); size_t len = nla_len(attrs[WGPEER_A_ENDPOINT]); if ((len == sizeof(struct sockaddr_in) && -addr->sa_family == AF_INET) || +raw->addr.sa_family == AF_INET) || (len == sizeof(struct sockaddr_in6) && -addr->sa_family == AF_INET6)) { +raw->addr.sa_family == AF_INET6)) { struct endpoint endpoint = { { { 0 } } }; - memcpy(, addr, len); + memcpy(, >addrs, len); wg_socket_set_peer_endpoint(peer, ); } } diff --git a/drivers/net/wireguard/peer.h b/drivers/net/wireguard/peer.h index 76e4d3128ad4..4fbe7940828b 100644 --- a/drivers/net/wireguard/peer.h +++ b/drivers/net/wireguard/peer.h @@ -19,11 +19,13 @@ struct wg_device; struct endpoint { - union { - struct sockaddr addr; - struct sockaddr_in addr4; - struct sockaddr_in6 addr6; - }; + struct_group(addrs, + union { + struct sockaddr addr; + struct sockaddr_in addr4; + struct sockaddr_in6 addr6; + }; + ); union { struct { struct in_addr src4; diffoscope shows the bounds check gets updated to the full union size: │ - cmp$0x11,%edx │ + cmp$0x1d,%edx and the field name changes in the warning: $ strings clang/drivers/net/wireguard/netlink.o.after | grep ^field field "" at drivers/net/wireguard/netlink.c:446 -- Kees Cook
[syzbot] linux-next test error: WARNING in set_peer
Hello, syzbot found the following issue on: HEAD commit:0caac1da9949 Add linux-next specific files for 20220913 git tree: linux-next console output: https://syzkaller.appspot.com/x/log.txt?x=172d78d888 kernel config: https://syzkaller.appspot.com/x/.config?x=2fd6142ea1cf631c dashboard link: https://syzkaller.appspot.com/bug?extid=a448cda4dba2dac50de5 compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/4916ab25f774/disk-0caac1da.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/16dace3b273b/vmlinux-0caac1da.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+a448cda4dba2dac50...@syzkaller.appspotmail.com netdevsim netdevsim0 netdevsim1: renamed from eth1 netdevsim netdevsim0 netdevsim2: renamed from eth2 netdevsim netdevsim0 netdevsim3: renamed from eth3 [ cut here ] memcpy: detected field-spanning write (size 28) of single field "" at drivers/net/wireguard/netlink.c:446 (size 16) WARNING: CPU: 0 PID: 3616 at drivers/net/wireguard/netlink.c:446 set_peer+0x991/0x10c0 drivers/net/wireguard/netlink.c:446 Modules linked in: CPU: 0 PID: 3616 Comm: syz-executor.0 Not tainted 6.0.0-rc5-next-20220913-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 RIP: 0010:set_peer+0x991/0x10c0 drivers/net/wireguard/netlink.c:446 Code: 00 e8 63 30 b3 fc b9 10 00 00 00 48 c7 c2 00 4c 72 8a be 1c 00 00 00 48 c7 c7 60 4c 72 8a c6 05 d0 e7 02 09 01 e8 f1 d7 74 04 <0f> 0b e9 03 04 00 00 e8 33 30 b3 fc 89 ee 44 89 ef e8 79 2c b3 fc RSP: 0018:c90003d4f540 EFLAGS: 00010282 RAX: RBX: c90003d4f6d8 RCX: RDX: 888072ed57c0 RSI: 81611eb8 RDI: f520007a9e9a RBP: c90003d4f5e8 R08: 0005 R09: R10: 8000 R11: 7720676e696e6e6d R12: 001c R13: R14: 888072f1d104 R15: 888024cb0960 FS: 5616b400() GS:8880b9a0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 7fa5644d32c0 CR3: 6e43c000 CR4: 003506f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: wg_set_device+0x8d7/0x11b0 drivers/net/wireguard/netlink.c:589 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:731 genl_family_rcv_msg net/netlink/genetlink.c:778 [inline] genl_rcv_msg+0x3b7/0x630 net/netlink/genetlink.c:795 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2540 genl_rcv+0x24/0x40 net/netlink/genetlink.c:806 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:734 __sys_sendto+0x236/0x340 net/socket.c:2117 __do_sys_sendto net/socket.c:2129 [inline] __se_sys_sendto net/socket.c:2125 [inline] __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2125 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fa56343c18c Code: fa fa ff ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 20 fb ff ff 48 8b RSP: 002b:7ffe4bc97580 EFLAGS: 0293 ORIG_RAX: 002c RAX: ffda RBX: 7fa5644d4320 RCX: 7fa56343c18c RDX: 0170 RSI: 7fa5644d4370 RDI: 0005 RBP: R08: 7ffe4bc975d4 R09: 000c R10: R11: 0293 R12: R13: 7fa5644d4370 R14: 0005 R15: --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkal...@googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.