From mboxrd@z Thu Jan 1 00:00:00 1970
From: syzbot
Subject: Re: [PATCH ipsec] xfrm: skip policies marked as dead while rehashing
Date: Tue, 30 Jan 2018 17:59:58 -0800
Message-ID: <001a114484fc258f34056408d6e1@google.com>
References: <20180131015954.vdcywjiga6idam53@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes
Cc: christophe.gouault@6wind.com, ebiggers3@gmail.com, fw@strlen.de, herbert@gondor.apana.org.au, netdev@vger.kernel.org, steffen.klassert@secunet.com, syzkaller-bugs@googlegroups.com, timo.teras@iki.fi
To: Eric Biggers
Return-path:
Received: from mail-it0-f69.google.com ([209.85.214.69]:54639 "EHLO mail-it0-f69.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752089AbeAaB77 (ORCPT ); Tue, 30 Jan 2018 20:59:59 -0500
Received: by mail-it0-f69.google.com with SMTP id m184so2348059ith.4 for ; Tue, 30 Jan 2018 17:59:59 -0800 (PST)
In-Reply-To: <20180131015954.vdcywjiga6idam53@gmail.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

> On Sun, Dec 31, 2017 at 08:50:17AM +0100, Steffen Klassert wrote:
>> On Wed, Dec 27, 2017 at 11:25:45PM +0100, Florian Westphal wrote:
>> > syzkaller triggered the following KASAN splat:
>> >
>> > BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
>> > read of size 2 at addr ffff8801c8e92fe4 by task kworker/1:1/23
>> > [..]
>> > Workqueue: events xfrm_hash_rebuild
>> > [..]
>> > __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
>> > xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
>> > process_one_work+0xbbf/0x1b10 kernel/workqueue.c:2112
>> > worker_thread+0x223/0x1990 kernel/workqueue.c:2246
>> > [..]
>> >
>> > The reproducer triggers:
>> > 1016 if (error) {
>> > 1017 list_move_tail(&walk->walk.all, &x->all);
>> > 1018 goto out;
>> > 1019 }
>> >
>> > in xfrm_policy_walk() via pfkey (it sets tiny rcv space, dump
>> > callback returns -ENOBUFS).
>> >
>> > In this case, *walk is located in the pfkey socket struct, so this socket
>> > becomes visible in the global policy list.
>> >
>> > It looks like this is intentional -- the phony walker has walk.dead set to 1
>> > and all other places skip such "policies".
>> >
>> > Ccing original authors of the two commits that seem to expose this
>> > issue (first patch missed ->dead check, second patch adds pfkey
>> > sockets to policies dumper list).
>> >
>> > Fixes: 880a6fab8f6ba5b ("xfrm: configure policy hash table thresholds by netlink")
>> > Fixes: 12a169e7d8f4b1c ("ipsec: Put dumpers on the dump list")
>> > Cc: Herbert Xu
>> > Cc: Timo Teras
>> > Cc: Christophe Gouault
>> > Reported-by: syzbot
>> > Signed-off-by: Florian Westphal
>>
>> Applied, thanks a lot!
>
> This crash seems to have stopped occurring, thanks Florian! Let's tell syzbot
> so that it can start reporting any crashes in this same place again:
>
> #syz fix: xfrm: skip policies marked as dead while rehashing

Can't find the corresponding bug.

> - Eric
>
> --
> You received this message because you are subscribed to the Google
> Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/20180131015954.vdcywjiga6idam53%40gmail.com.
> For more options, visit https://groups.google.com/d/optout.
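A constructed model of the mechanism Florian's commit message describes, added here as an illustration and not taken from the patch or from kernel code: the struct names walk_entry, policy and dump_walker and the functions model_run/model_oob are assumptions. It shows why a rebuild that treats every node on the shared list as a policy reads past the end of the shorter walker object, and that skipping entries with dead set removes those reads.

```c
#include <stddef.h>
#include <stdint.h>

struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
struct walk_entry { struct list_head all; uint8_t dead; };
struct policy {               /* real policy: walker header plus selector */
    struct walk_entry walk;
    uint16_t family;
    uint16_t prefixlen_d;     /* the kind of field a hash rebuild reads */
};
struct dump_walker {          /* phony policy embedded in a socket (model) */
    struct walk_entry walk;   /* dead = 1, nothing follows it */
};
static struct list_head policy_all = { &policy_all, &policy_all };
static struct policy pol1 = { .family = 2, .prefixlen_d = 32 };   /* constructed */
static struct dump_walker walker = { .walk.dead = 1 };            /* constructed */
static int g_oob;             /* out-of-bounds reads flagged by the last run */

static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
/* Walk the list like a hash rebuild. Returns nodes handled as policies; like
 * KASAN, counts in g_oob prefixlen_d reads that leave the node's real object. */
static int rebuild(int skip_dead) {
    int handled = 0;
    g_oob = 0;
    for (struct list_head *p = policy_all.next; p != &policy_all; p = p->next) {
        struct walk_entry *e = container_of(p, struct walk_entry, all);
        if (skip_dead && e->dead)    /* the fix: ignore dead "policies" */
            continue;
        size_t objsz = e->dead ? sizeof(struct dump_walker) : sizeof(struct policy);
        uintptr_t rd = (uintptr_t)e + offsetof(struct policy, prefixlen_d);
        if (rd + sizeof(uint16_t) > (uintptr_t)e + objsz)
            g_oob++;
        handled++;
    }
    return handled;
}
/* One real policy plus the parked walker (the list state a failed dump leaves). */
int model_run(int skip_dead) {
    policy_all.next = policy_all.prev = &policy_all;
    list_add_tail(&pol1.walk.all, &policy_all);
    list_add_tail(&walker.walk.all, &policy_all);
    return rebuild(skip_dead);
}
int model_oob(void) { return g_oob; }
```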