From: Catalin Marinas <catalin.marinas@arm.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Mark Rutland <mark.rutland@arm.com>,
Kees Cook <keescook@chromium.org>,
Netdev <netdev@vger.kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
LKML <linux-kernel@vger.kernel.org>,
Mark Brown <broonie@kernel.org>,
syzbot <syzbot+95c862be69e37145543f@syzkaller.appspotmail.com>,
mbenes@suse.cz, Will Deacon <will@kernel.org>,
Ard Biesheuvel <ardb@kernel.org>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>
Subject: Re: KASAN: invalid-access Write in enqueue_timer
Date: Tue, 16 Feb 2021 18:01:44 +0000
Message-ID: <20210216180143.GB14978@arm.com>
In-Reply-To: <CAHmME9ob9g-pcsKU2=n2SOzjNwyGh9+dL-WGpQn4Da+DD4dPzA@mail.gmail.com>
On Tue, Feb 16, 2021 at 06:50:20PM +0100, Jason A. Donenfeld wrote:
> On Tue, Feb 16, 2021 at 6:46 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> > On Tue, Feb 16, 2021 at 6:28 PM Catalin Marinas <catalin.marinas@arm.com> wrote:
> > > > hlist_add_head include/linux/list.h:883 [inline]
> > > > enqueue_timer+0x18/0xc0 kernel/time/timer.c:581
> > > > mod_timer+0x14/0x20 kernel/time/timer.c:1106
> > > > mod_peer_timer drivers/net/wireguard/timers.c:37 [inline]
> > > > wg_timers_any_authenticated_packet_traversal+0x68/0x90 drivers/net/wireguard/timers.c:215
> >
> > The line of hlist_add_head that it's hitting is:
> >
> > static inline void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
> > {
> > 	struct hlist_node *first = h->first;
> > 	WRITE_ONCE(n->next, first);
> > 	if (first)
> >
> > So that means it's the dereferencing of h that's a problem. That comes from:
> >
> > static void enqueue_timer(struct timer_base *base, struct timer_list *timer,
> > 			  unsigned int idx, unsigned long bucket_expiry)
> > {
> >
> > 	hlist_add_head(&timer->entry, base->vectors + idx);
> >
> > That means it concerns base->vectors + idx, not the timer_list object
> > that wireguard manages. That's confusing. Could that imply that the
> > bug is in freeing a previous timer without removing it from the timer
> > lists, so that it winds up being in base->vectors?
Good point, it's indeed likely that the timer list is messed up already,
just an unlucky encounter in the wireguard code.
> Digging around on syzkaller, it looks like there's a similar bug on
> jbd2, concerning iptunnels's allocation:
>
> https://syzkaller.appspot.com/text?tag=CrashReport&x=13afb19cd00000
[...]
> It might not actually be a wireguard bug?
I wonder whether syzbot reported similar issues with
CONFIG_KASAN_SW_TAGS. It shouldn't be that different from the HW_TAGS
but at least we can rule out qemu bugs with the MTE emulation.
--
Catalin
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
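The failure mode Jason raises above, a timer_list freed together with its embedding object while still linked into one of the base's bucket lists, is modelled below in userspace. This is an added example, not code from the thread or from the kernel: the two hlist helpers follow include/linux/list.h, but the timer_base, enqueue_timer, the peer struct and the static arena are simplified stand-ins for the kernel's (the real del_timer takes the base lock and handles more state; the arena replaces the slab so a "freed" object stays readable and its poisoned pointers can be examined rather than faulting). The point it shows is the ordering a driver must keep, detach the timer before freeing the object, and a defensive bucket walk that validates each node's pprev back-link and stops at the first stale entry instead of following its next pointer into freed memory.

```c
/* Added example, not from the thread: a userspace model of the pattern Jason
 * describes. hlist_add_head/hlist_del_init mirror include/linux/list.h; the
 * timer_base, enqueue_timer and peer arena are simplified stand-ins for the
 * kernel's, not its real API. It shows why a timer must leave its bucket list
 * before the embedding object is freed, and how a bucket walk that checks each
 * node's pprev back-link detects the stale entry a missing del_timer leaves. */
#include <stdio.h>
#include <string.h>

struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };
struct timer_list { struct hlist_node entry; unsigned long expires; };
#define NR_VECTORS 8                                   /* toy bucket count */
struct timer_base { struct hlist_head vectors[NR_VECTORS]; };

/* Same steps as the kernel helper; the report's fault is the h->first read. */
static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    struct hlist_node *first = h->first;
    n->next = first;
    if (first)
        first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

/* Unlink n and mark it off-list (NULL pprev), as hlist_del_init() does. */
static void hlist_del_init(struct hlist_node *n)
{
    if (!n->pprev)
        return;
    *n->pprev = n->next;
    if (n->next)
        n->next->pprev = n->pprev;
    n->next = NULL;
    n->pprev = NULL;
}

static void enqueue_timer(struct timer_base *base, struct timer_list *t, unsigned int idx)
{
    hlist_add_head(&t->entry, base->vectors + idx);
}

/* Object embedding a timer, as a wireguard peer embeds its timer_lists. The
 * static arena stands in for the slab so a "freed" object stays readable and
 * its poisoned pointers can be inspected instead of causing a real UAF. */
struct peer { struct timer_list timer; int id; };
static struct peer peer_pool[2];

/* "kfree": poison the object the way a freed slab object is; any list link
 * that still points here now dangles into garbage. */
static void peer_free(struct peer *p)
{
    memset(p, 0xAA, sizeof *p);
}

/* Walk one bucket checking that each node's pprev points back at the link that
 * reached it. Returns the live length, or -1 at the first node that fails:
 * following that node's next would be the use-after-free, so stop there. */
static int audit_bucket(struct timer_base *base, unsigned int idx)
{
    struct hlist_node **link = &base->vectors[idx].first;
    int len = 0;
    for (struct hlist_node *n = *link; n; link = &n->next, n = n->next) {
        if (n->pprev != link)
            return -1;
        len++;
    }
    return len;
}

/* Two peers queued in the same bucket; free the older one either after
 * detaching its timer (del_timer in the kernel) or, the bug under discussion,
 * without. Returns audit_bucket(): 1 live node when correct, -1 when buggy. */
static int scenario(int detach_before_free)
{
    struct timer_base base;
    struct peer *a = &peer_pool[0], *b = &peer_pool[1];
    memset(&base, 0, sizeof base);
    memset(peer_pool, 0, sizeof peer_pool);
    a->id = 1; a->timer.expires = 100;
    b->id = 2; b->timer.expires = 108;                 /* both hash to bucket 4 */
    enqueue_timer(&base, &a->timer, a->timer.expires % NR_VECTORS);
    enqueue_timer(&base, &b->timer, b->timer.expires % NR_VECTORS);
    if (detach_before_free)
        hlist_del_init(&a->timer.entry);
    peer_free(a);
    return audit_bucket(&base, 100 % NR_VECTORS);
}

int main(void)
{
    printf("detach then free: audit %d\n", scenario(1));    /* 1 */
    printf("free without detach: audit %d\n", scenario(0)); /* -1 */
    return 0;
}
```

In the buggy path the head of the bucket still looks healthy (the newer peer's back-link is correct), and it is only the second node, the freed one, whose pprev no longer matches; that is the same shape as the report, where the fault surfaces in an unrelated caller's hlist_add_head against a bucket that was already corrupted. A real kernel has no arena to keep the freed object readable, which is why KASAN (SW_TAGS or HW_TAGS with MTE, as Catalin suggests comparing) is the tool that turns this into a reported invalid access rather than silent corruption.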