Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (2)

2017-11-15 Thread Steffen Klassert
On Mon, Nov 06, 2017 at 11:16:46AM +0100, Steffen Klassert wrote: > > Subject: [PATCH ipsec] xfrm: Fix stack-out-of-bounds read in xfrm_state_find. > > When we do tunnel or beet mode, we pass saddr and daddr from the > template to xfrm_state_find(), this is ok. On transport mode, > we pass the ad

Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (2)

2017-11-06 Thread Dmitry Vyukov
On Mon, Nov 6, 2017 at 11:16 AM, Steffen Klassert wrote: > On Fri, Nov 03, 2017 at 01:10:12PM +0100, Steffen Klassert wrote: >> On Thu, Nov 02, 2017 at 01:25:28PM +0100, Florian Westphal wrote: >> > Steffen Klassert wrote: >> > >> > > I'd propose to use the addresses from the template uncondition

Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (2)

2017-11-06 Thread Steffen Klassert
On Fri, Nov 03, 2017 at 01:10:12PM +0100, Steffen Klassert wrote: > On Thu, Nov 02, 2017 at 01:25:28PM +0100, Florian Westphal wrote: > > Steffen Klassert wrote: > > > > > I'd propose to use the addresses from the template unconditionally, > > > like the (untested) patch below does. > > > > > >

Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (2)

2017-11-03 Thread Steffen Klassert
On Thu, Nov 02, 2017 at 01:25:28PM +0100, Florian Westphal wrote: > Steffen Klassert wrote: > > > I'd propose to use the addresses from the template unconditionally, > > like the (untested) patch below does. > > > > Unfortunately the reproducer does not work with my config, > > sendto returns EA

Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (2)

2017-11-02 Thread Florian Westphal
Steffen Klassert wrote: > On Wed, Nov 01, 2017 at 11:06:08PM +0100, Florian Westphal wrote: > > I also don't understand how address comparison is supposed to work in this > > case, > > it seems that if saddr/daddr are v4 and template v6 we compare full ipv6 > > addresses > > (how would that suc
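The family mismatch Florian raises here (v4 saddr/daddr compared as full IPv6 addresses), together with the fix Steffen describes in the top entry of this listing (take the addresses from the template, which carries its own family), as an added illustration in C. This is not kernel code and not a patch from the thread: the struct names, the FAM_V4/FAM_V6 values, the sample state table and every address in it are invented for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Invented family constants for the model (the kernel uses AF_INET / AF_INET6). */
enum { FAM_V4 = 2, FAM_V6 = 10 };

/* Address union sized for IPv6, in the spirit of xfrm_address_t (model only). */
typedef union {
    uint32_t a4;
    uint32_t a6[4];
} xaddr_t;

/* Policy template: carries its own family and full-size addresses. */
struct tmpl {
    unsigned short family;
    xaddr_t saddr, daddr;
};

/* One entry of a state table to look up. */
struct state {
    unsigned short family;
    xaddr_t saddr, daddr;
    int id;
};

/* Number of address bytes that are meaningful for a family. */
static size_t fam_len(unsigned short family)
{
    return family == FAM_V6 ? 16 : 4;
}

/* Bytes a memcmp of fam_len(cmp_family) would read past an object of
 * object_len bytes. This is the hazard from the thread: a 4-byte IPv4
 * address living on the stack compared as if it were a 16-byte IPv6 one. */
static size_t overread_bytes(unsigned short cmp_family, size_t object_len)
{
    size_t need = fam_len(cmp_family);
    return need > object_len ? need - object_len : 0;
}

/* Compare two full-size address unions for the given family. */
static bool addr_eq(const xaddr_t *a, const xaddr_t *b, unsigned short family)
{
    return memcmp(a, b, fam_len(family)) == 0;
}

/* Lookup that only ever compares template addresses: same family as the
 * template and always a full-size union, so the compare length never leaves
 * the object. Returns the id of the first matching state, or -1. */
static int find_state(const struct state *tbl, size_t n, const struct tmpl *t)
{
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].family != t->family)
            continue;
        if (addr_eq(&tbl[i].saddr, &t->saddr, t->family) &&
            addr_eq(&tbl[i].daddr, &t->daddr, t->family))
            return tbl[i].id;
    }
    return -1;
}

/* Constructed sample table: one v4 state, one v6 state (addresses invented). */
static const struct state sample_tbl[] = {
    { .family = FAM_V4, .saddr.a4 = 0x0100000au, .daddr.a4 = 0x0200000au, .id = 1 },
    { .family = FAM_V6, .saddr.a6 = { 0x000080feu, 0, 0, 0x01000000u },
                        .daddr.a6 = { 0x000080feu, 0, 0, 0x02000000u }, .id = 2 },
};
#define SAMPLE_N (sizeof sample_tbl / sizeof sample_tbl[0])

/* v4 template matching the v4 state: returns 1. */
int sample_lookup_v4(void)
{
    struct tmpl t = { .family = FAM_V4, .saddr.a4 = 0x0100000au, .daddr.a4 = 0x0200000au };
    return find_state(sample_tbl, SAMPLE_N, &t);
}

/* v6 template matching the v6 state: returns 2. */
int sample_lookup_v6(void)
{
    struct tmpl t = { .family = FAM_V6,
                      .saddr.a6 = { 0x000080feu, 0, 0, 0x01000000u },
                      .daddr.a6 = { 0x000080feu, 0, 0, 0x02000000u } };
    return find_state(sample_tbl, SAMPLE_N, &t);
}

/* v4 address bytes under a v6 family: no state matches, and because the
 * template union is 16 bytes wide the 16-byte compare stays inside it. */
int sample_lookup_mismatch(void)
{
    struct tmpl t = { .family = FAM_V6, .saddr.a4 = 0x0100000au, .daddr.a4 = 0x0200000au };
    return find_state(sample_tbl, SAMPLE_N, &t);
}
```

The point of overread_bytes() is the one Florian makes: if the compare length is decided by one family (the template's) while the bytes being compared belong to an object of another family (a bare 4-byte IPv4 address on the stack), the compare reads 12 bytes past that object. Comparing only template addresses, as the thread proposes, removes the mismatch because the length and the object then come from the same place.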

Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (2)

2017-11-02 Thread Steffen Klassert
On Wed, Nov 01, 2017 at 11:06:08PM +0100, Florian Westphal wrote: > syzbot > > wrote: > > [ cc Thomas Egerer ] > > > syzkaller hit the following crash on > > 36ef71cae353f88fd6e095e2aaa3e5953af1685d > > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > > compiler: gcc

Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (2)

2017-11-01 Thread Florian Westphal
syzbot wrote: [ cc Thomas Egerer ] > syzkaller hit the following crash on > 36ef71cae353f88fd6e095e2aaa3e5953af1685d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console output is attached. > C reprod