Fw: [Bug 200191] New: UBSAN: Undefined behaviour in ./include/net/xfrm.h:894

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Stephen Hemminger <stephen@networkplumber.org>
To: steffen.klassert@secunet.com, herbert@gondor.apana.org.au
Cc: netdev@vger.kernel.org
Subject: Fw: [Bug 200191] New: UBSAN: Undefined behaviour in ./include/net/xfrm.h:894
Date: Fri, 22 Jun 2018 09:54:52 -0700	[thread overview]
Message-ID: <20180622095452.77a261fb@xeon-e3> (raw)



Begin forwarded message:

Date: Fri, 22 Jun 2018 15:20:06 +0000
From: bugzilla-daemon@bugzilla.kernel.org
To: stephen@networkplumber.org
Subject: [Bug 200191] New: UBSAN: Undefined behaviour in ./include/net/xfrm.h:894


https://bugzilla.kernel.org/show_bug.cgi?id=200191

            Bug ID: 200191
           Summary: UBSAN: Undefined behaviour in ./include/net/xfrm.h:894
           Product: Networking
           Version: 2.5
    Kernel Version: v4.18-rc2
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Other
          Assignee: stephen@networkplumber.org
          Reporter: icytxw@gmail.com
        Regression: No

static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
{
        /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
        if (sizeof(long) == 4 && prefixlen == 0)
                return true;
        return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen)));
}


$ cat report0 
================================================================================
UBSAN: Undefined behaviour in ./include/net/xfrm.h:894:23
shift exponent -128 is negative
CPU: 0 PID: 6190 Comm: syz-executor1 Not tainted 4.18.0-rc1 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x122/0x1c8 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x86 lib/ubsan.c:159
 __ubsan_handle_shift_out_of_bounds+0x29a/0x2ff lib/ubsan.c:425
 addr4_match include/net/xfrm.h:894 [inline]
 __xfrm4_selector_match net/xfrm/xfrm_policy.c:77 [inline]
 xfrm_selector_match+0xde9/0x11e0 net/xfrm/xfrm_policy.c:102
 xfrm_sk_policy_lookup+0x179/0x460 net/xfrm/xfrm_policy.c:1178
 xfrm_lookup+0x20e/0x1be0 net/xfrm/xfrm_policy.c:2149
 xfrm_lookup_route+0x42/0x1f0 net/xfrm/xfrm_policy.c:2282
 ip_route_output_flow+0x86/0xc0 net/ipv4/route.c:2588
 udp_sendmsg+0x15c1/0x2180 net/ipv4/udp.c:1086
 inet_sendmsg+0x103/0x490 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:645 [inline]
 sock_sendmsg+0xf9/0x180 net/socket.c:655
 __sys_sendto+0x239/0x3c0 net/socket.c:1833
 __do_sys_sendto net/socket.c:1845 [inline]
 __se_sys_sendto net/socket.c:1841 [inline]
 __x64_sys_sendto+0xef/0x1c0 net/socket.c:1841
 do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83
eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007f0b710bdc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f0b710be6d4 RCX: 0000000000455a09
RDX: 0000000000000000 RSI: 00000000200014c0 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000020001540 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000005d7 R14: 00000000006fdcc8 R15: 0000000000000000
================================================================================
sr 1:0:0:0: [sr0] unaligned transfer
sr 1:0:0:0: [sr0] unaligned transfer
sr 1:0:0:0: [sr0] unaligned transfer
sr 1:0:0:0: [sr0] unaligned transfer
sr 1:0:0:0: [sr0] unaligned transfer
sr 1:0:0:0: [sr0] unaligned transfer
sr 1:0:0:0: [sr0] unaligned transfer
EXT4-fs (sda): re-mounted. Opts: jqfmt=vfsold,
sr 1:0:0:0: [sr0] unaligned transfer
sr 1:0:0:0: [sr0] unaligned transfer
audit: type=1326 audit(1529680282.002:2): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=6558 comm="syz-executor0" exe="/syz-executor0"
sig=31 arch=c000003e syscall=202 compat=0 ip=0x455a09 code=0x0
sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] 
sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present
sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 40 00
print_req_error: 25 callbacks suppressed
print_req_error: I/O error, dev sr0, sector 0
sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] 
sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present
sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 40 00
print_req_error: I/O error, dev sr0, sector 0
sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] 
sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present
sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 40 00
print_req_error: I/O error, dev sr0, sector 0
sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] 
sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present
sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 40 00
print_req_error: I/O error, dev sr0, sector 0
cgroup: cgroup2: unknown option ""
cgroup: cgroup2: unknown option ""

-- 
You are receiving this mail because:
You are the assignee for the bug.

                 reply	other threads:[~2018-06-22 16:54 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180622095452.77a261fb@xeon-e3 \
    --to=stephen@networkplumber.org \
    --cc=herbert@gondor.apana.org.au \
    --cc=netdev@vger.kernel.org \
    --cc=steffen.klassert@secunet.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.