From: Greg KH <greg@kroah.com>
To: Vladis Dronov <vdronov@redhat.com>
Cc: netdev@vger.kernel.org, stable@vger.kernel.org,
Marco Grassi <marco.gra@gmail.com>
Subject: Re: BUG() can be hit in tcp_collapse()
Date: Thu, 10 Nov 2016 16:34:44 +0100
Message-ID: <20161110153444.GA17206@kroah.com>
In-Reply-To: <1623420310.11961160.1478789246631.JavaMail.zimbra@redhat.com>

On Thu, Nov 10, 2016 at 09:47:26AM -0500, Vladis Dronov wrote:
> Hello,
>
> It was discovered by Marco Grassi <marco.gra@gmail.com> (many thanks) that the
> latest stable Linux kernel v4.8.6 is crashing in tcp_collapse() after making
> certain syscalls:
>
> [ 9.622886] kernel BUG at net/ipv4/tcp_input.c:4813!
> [ 9.623299] invalid opcode: 0000 [#1] SMP
> [ 9.623642] Modules linked in: iptable_nat nf_nat_ipv4 nf_nat
> [ 9.624287] CPU: 2 PID: 2871 Comm: poc Not tainted 4.8.6 #2
> [ 9.624730] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014
> [ 9.625459] task: ffff8801387b9a00 task.stack: ffff8801380e4000
> [ 9.625929] RIP: 0010:[<ffffffff8178d4ec>] [<ffffffff8178d4ec>] tcp_collapse+0x3ac/0x3b0
> [ 9.626609] RSP: 0018:ffff8801380e7b78 EFLAGS: 00010282
> [ 9.627028] RAX: 00000000fffffff2 RBX: 0000000000000ec0 RCX: 0000000000000ec0
> [ 9.627587] RDX: ffff8801365cd000 RSI: 0000000000000000 RDI: ffff8801364106e0
> [ 9.628142] RBP: ffff8801380e7bc8 R08: 0000000000000000 R09: ffff88013b003300
> [ 9.628704] R10: ffff8801365cd000 R11: 0000000000000000 R12: 0000000000000ec0
> [ 9.629259] R13: ffff88013663ae00 R14: 00000000cdf0ca26 R15: ffff8801364106e0
> [ 9.629819] FS: 00007f2cef695800(0000) GS:ffff88013fc80000(0000) knlGS:0000000000000000
> [ 9.630945] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 9.631655] CR2: 000000002002a000 CR3: 0000000139d46000 CR4: 00000000001406e0
> [ 9.632462] Stack:
> [ 9.632900] 0000000000000000 cdf0da2600000001 ffff880138050000 ffff8801380500a8
> [ 9.634138] ffff880100000000 ffff880138050688 0000000000000900 ffff8801364136e0
> [ 9.635379] ffff880138050000 ffff880138050688 ffff8801380e7c00 ffffffff8178d630
> [ 9.636622] Call Trace:
> [ 9.637087] [<ffffffff8178d630>] tcp_try_rmem_schedule+0x140/0x380
> [ 9.637834] [<ffffffff81791aa8>] tcp_data_queue+0x898/0xcf0
> [ 9.638538] [<ffffffff8179210b>] tcp_rcv_established+0x20b/0x6c0
> [ 9.639268] [<ffffffff81710143>] ? sk_reset_timer+0x13/0x30
> [ 9.639968] [<ffffffff81813009>] tcp_v6_do_rcv+0x1b9/0x420
> [ 9.640666] [<ffffffff81710b02>] __release_sock+0x82/0xf0
> [ 9.641353] [<ffffffff81710b9b>] release_sock+0x2b/0x90
> [ 9.642029] [<ffffffff817890ca>] tcp_sendmsg+0x55a/0xb60
> [ 9.642714] [<ffffffff817b29d0>] inet_sendmsg+0x60/0x90
> [ 9.643389] [<ffffffff8170c7b3>] sock_sendmsg+0x33/0x40
> [ 9.644064] [<ffffffff8170ccee>] SYSC_sendto+0xee/0x160
> [ 9.645530] [<ffffffff8170d6f9>] SyS_sendto+0x9/0x10
> [ 9.646190] [<ffffffff81909df2>] entry_SYSCALL_64_fastpath+0x1a/0xa4
> [ 9.646947] Code: 48 c7 07 00 00 00 00 48 89 42 08 48 89 10 e8 cc 7e f8 ff 49 8b 47 30 48 8b 80 80 01 00 00 65 48 ff 80 b0 01 00 00 e9 72 fd ff ff <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 49 89 fe 53 8b
> [ 9.651794] RIP [<ffffffff8178d4ec>] tcp_collapse+0x3ac/0x3b0
> [ 9.652554] RSP <ffff8801380e7b78>
>
> The reproducer was generated by syzkaller; please see attached. The
> following BUG() is hit:
>
> [net/ipv4/tcp_input.c]
> static void
> tcp_collapse(struct sock *sk, struct sk_buff_head *list,
>              struct sk_buff *head, struct sk_buff *tail,
>              u32 start, u32 end)
> {
> ...
>         /* Copy data, releasing collapsed skbs. */
>         while (copy > 0) {
>                 int offset = start - TCP_SKB_CB(skb)->seq;
>                 int size = TCP_SKB_CB(skb)->end_seq - start;
>
>                 BUG_ON(offset < 0);
>                 if (size > 0) {
>                         size = min(copy, size);
> 4812:                   if (skb_copy_bits(skb, offset, skb_put(nskb, size), size))
> 4813:                           BUG();
>
> /usr/src/linux-4.8.6/net/ipv4/tcp_input.c: 4812
> 0xffffffff8178d390 <tcp_collapse+0x250>: mov %r12d,%esi
> 0xffffffff8178d393 <tcp_collapse+0x253>: callq 0xffffffff81713ce0 <skb_put>
> 0xffffffff8178d398 <tcp_collapse+0x258>: mov -0x30(%rbp),%r8d
> 0xffffffff8178d39c <tcp_collapse+0x25c>: mov %r12d,%ecx
> 0xffffffff8178d39f <tcp_collapse+0x25f>: mov %rax,%rdx
> 0xffffffff8178d3a2 <tcp_collapse+0x262>: mov %r15,%rdi
> 0xffffffff8178d3a5 <tcp_collapse+0x265>: mov %r8d,%esi
> 0xffffffff8178d3a8 <tcp_collapse+0x268>: callq 0xffffffff81714b90 <skb_copy_bits>
> 0xffffffff8178d3ad <tcp_collapse+0x26d>: test %eax,%eax
> 0xffffffff8178d3af <tcp_collapse+0x26f>: jne 0xffffffff8178d4ec <tcp_collapse+0x3ac>
> ...
> /usr/src/linux-4.8.6/net/ipv4/tcp_input.c: 4813
> 0xffffffff8178d4ec <tcp_collapse+0x3ac>: ud2
>
> I have checked that the reproducer can hit this BUG() in kernels since at
> least v4.0. I did not check earlier kernels, except the RHEL-7 ones
> (3.10.0-xxx), which are not vulnerable.
>
> The upstream kernels since v4.9-rc1 are not vulnerable either, and I have
> bisected the repo to commit c9c3321257, which fixes the issue.
>
> $ git tag --contain c9c3321257e1b95be9b375f811fb250162af8d39
> v4.9-rc1
>
> Stable v4.8.6 kernel with the c9c3321257 commit applied does not hit the BUG(),
> so I believe this commit should be backported to the stable branch. This commit
> applies cleanly to the v4.8.6 tree with just line offsets.
I'll be glad to take it if the network maintainer says it is safe to do
so and acks it :)
thanks,
greg k-h
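As an added illustration (not code from the report, the thread or the kernel), the following user-space model of the quoted copy loop shows what the BUG() guards: each skb's end_seq - seq is expected to match the bytes the buffer actually holds, and skb_copy_bits() returns -EFAULT when asked to copy past the data present. RAX = 0xfffffff2 in the trace above is that -EFAULT (-14) return value, tested by the `test %eax,%eax` immediately before the `ud2`. The struct and function names are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>

/* Constructed model of the skb fields tcp_collapse() relies on: seq/end_seq
 * are the byte range the skb claims (TCP_SKB_CB), len the payload present. */
struct skb_model { uint32_t seq, end_seq; int len; };

/* Stand-in for skb_copy_bits(): the kernel returns -EFAULT when the
 * requested range [offset, offset + len) runs past the data present. */
static int copy_bits_model(const struct skb_model *skb, int offset, int len)
{
    if (offset < 0 || len < 0 || offset + len > skb->len)
        return -EFAULT;
    return 0;
}

/* Stand-in for the copy loop in tcp_collapse(): copy [start, end) out of the
 * skb list. Returns 0 on success, -EINVAL where the kernel has
 * BUG_ON(offset < 0), and the skb_copy_bits() error where v4.8.6 has the
 * BUG() at tcp_input.c:4813. */
int collapse_model(const struct skb_model *list, int n, uint32_t start, uint32_t end)
{
    int copy = (int)(end - start), i = 0;

    while (copy > 0 && i < n) {
        const struct skb_model *skb = &list[i];
        int offset = (int)(start - skb->seq);
        int size = (int)(skb->end_seq - start);
        if (offset < 0)
            return -EINVAL;
        if (size > 0) {
            size = size < copy ? size : copy;
            int err = copy_bits_model(skb, offset, size);
            if (err)
                return err;              /* v4.8.6 would BUG() here */
            copy -= size;
            start += size;
        }
        if (start >= skb->end_seq)       /* skb fully consumed, move on */
            i++;
    }
    return 0;
}

/* Constructed inputs: a consistent queue, and one whose first skb claims 1000
 * bytes of sequence space but holds only 600 bytes of data. */
const struct skb_model consistent[] = { {0, 1000, 1000}, {1000, 2000, 1000} };
const struct skb_model truncated[]  = { {0, 1000, 600},  {1000, 2000, 1000} };
```

Collapsing the truncated queue reports -EFAULT exactly where the kernel trapped, while a collapse that stops short of the missing bytes still succeeds, which is why the defect only surfaces once the copy reaches past the data present.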