From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: * X-Spam-Status: No, score=1.3 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FSL_HELO_FAKE,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS,USER_AGENT_MUTT autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 31259C43381 for ; Tue, 12 Mar 2019 21:10:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id F12912077B for ; Tue, 12 Mar 2019 21:10:55 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="WYU7ylzj" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726329AbfCLVKz (ORCPT ); Tue, 12 Mar 2019 17:10:55 -0400 Received: from mail-pg1-f194.google.com ([209.85.215.194]:33515 "EHLO mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726284AbfCLVKz (ORCPT ); Tue, 12 Mar 2019 17:10:55 -0400 Received: by mail-pg1-f194.google.com with SMTP id h11so2781428pgl.0 for ; Tue, 12 Mar 2019 14:10:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition :user-agent; bh=feT/m4OdN3m5KG0QcgsShncjT0+/aZ2N5Y/T22FYzVc=; b=WYU7ylzjtKwARBEIFaO4OWjkVNJWNo6DsSjs22lOpuYc51sbcaWOWQVGWfW7YK6oUR zFCBz8XUsx/3qHz8G/hoLUZY5DAEka+Tac+YRa/9SXCFtCbG9KX1gbZtvgYfmiXKQCh5 gdhroRfKHiOuzVbXv0SC+oMS5sHFWzNT2ZOzo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition:user-agent; bh=feT/m4OdN3m5KG0QcgsShncjT0+/aZ2N5Y/T22FYzVc=; b=oznB3g/Ggqu4WSnsekLYKsmG3uHxiX/4zRvE75NANA8uXdNqllZ0W7HSoQ81fN1tbf NiKHKDX9SntJJwAY/Y6xqFRV8OwC4cQ7c+HxHKrpBdLQocSV8ksCNdXI6nDPZksVlveO JRVx6QSWTLJOYGg4sm9BACRpI7uxlwrqdfeNYQ6UOy6B+6YM4FBHH1esBnEuEWoECPfk gIeIfgMgmFHFLoJGYaJ+N0J76A6J61wABZYl+4f3icuKkwRGI8SuQ6dXeKxypvYRkZmW gaN9EUAsriefvioOHsj9HQgVaBvFTlFTvBdA4co68t0P6vi2qILpDqx/uZmbgOtRpieB AbHg== X-Gm-Message-State: APjAAAVN8zHycN2IUJXFj8cX7Tj93oFqdPCgDyLWTlDfr/SmJaaeiMoB IF+VQ0TNuV2Kmj5lnYOdbgaCi8ly1P8= X-Google-Smtp-Source: APXvYqxiRVyPaGqMJMCO30IyKPOm9T5hSbmVt1oScB433ot2wKurk/1xllIW4Rqw/mNdYzYCQFXLTw== X-Received: by 2002:a63:780e:: with SMTP id t14mr19418216pgc.276.1552425054027; Tue, 12 Mar 2019 14:10:54 -0700 (PDT) Received: from google.com ([2620:15c:202:201:49ea:b78f:4f04:4d25]) by smtp.googlemail.com with ESMTPSA id z12sm13551627pgv.0.2019.03.12.14.10.53 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 12 Mar 2019 14:10:53 -0700 (PDT) Date: Tue, 12 Mar 2019 14:10:50 -0700 From: Zubin Mithra To: stable@vger.kernel.org Cc: groeck@chromium.org, gregkh@linuxfoundation.org, kadlec@blackhole.kfki.hu, sploving1@gmail.com, pablo@netfilter.org, fw@strlen.de, davem@davemloft.net Subject: 644c7e48cb59 ("netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options") Message-ID: <20190312211049.GA108422@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org Hello, Syzkaller has triggered a stack OOB read when fuzzing a 4.4 kernel with the following stacktrace. Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:192 [inline] [] kasan_report_error mm/kasan/report.c:278 [inline] [] kasan_report.part.2+0x44d/0x540 mm/kasan/report.c:303 [] kasan_report mm/kasan/report.c:321 [inline] [] __asan_report_load1_noabort+0x2e/0x30 mm/kasan/report.c:321 [] tcp_options.isra.16+0x44b/0x490 net/netfilter/nf_conntrack_proto_tcp.c:413 [] tcp_new+0x554/0x960 net/netfilter/nf_conntrack_proto_tcp.c:1138 [] init_conntrack+0xed2/0x14d0 net/netfilter/nf_conntrack_core.c:951 [] resolve_normal_ct net/netfilter/nf_conntrack_core.c:1049 [inline] [] nf_conntrack_in+0xe40/0x13c0 net/netfilter/nf_conntrack_core.c:1138 [] ipv4_conntrack_in+0x66/0x90 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c:150 [] nf_iterate+0x158/0x230 net/netfilter/core.c:276 [] nf_hook_slow+0x1b5/0x320 net/netfilter/core.c:308 [] nf_hook_thresh include/linux/netfilter.h:187 [inline] [] NF_HOOK_THRESH include/linux/netfilter.h:224 [inline] [] NF_HOOK include/linux/netfilter.h:249 [inline] [] ip_rcv+0xe29/0x1380 net/ipv4/ip_input.c:455 [] __netif_receive_skb_core+0xa6e/0x27c0 net/core/dev.c:4000 [] __netif_receive_skb+0x60/0x1c0 net/core/dev.c:4035 [] netif_receive_skb_internal+0xfe/0x380 net/core/dev.c:4063 [] netif_receive_skb+0xa0/0x300 net/core/dev.c:4087 [] tun_get_user+0xc93/0x2370 drivers/net/tun.c:1269 [] tun_chr_write_iter+0xda/0x190 drivers/net/tun.c:1292 [] new_sync_write fs/read_write.c:478 [inline] [] __vfs_write+0x32e/0x440 fs/read_write.c:491 [] vfs_write+0x16c/0x4a0 fs/read_write.c:538 [] SYSC_write fs/read_write.c:585 [inline] [] SyS_write+0xd9/0x1b0 fs/read_write.c:577 [] entry_SYSCALL_64_fastpath+0x12/0x8d Could the following patch be applied v4.4.y? This patch is present in v4.9.y. * 644c7e48cb59 ("netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options") Tests run: * Chrome OS tryjobs * Syzkaller reproducer Thanks, - Zubin