From: Pavel Skripkin <paskripkin@gmail.com>
To: kbuild-all@lists.01.org
Subject: Re: [PATCH] net: xfrm: fix shift-out-of-bounce
Date: Tue, 27 Jul 2021 20:30:56 +0300
Message-ID: <20210727203056.377e5758@gmail.com>
In-Reply-To: <202107280113.ykJy6Oc4-lkp@intel.com>

[-- Attachment #1: Type: text/plain, Size: 6334 bytes --]

On Wed, 28 Jul 2021 01:25:18 +0800
kernel test robot <lkp@intel.com> wrote:

> Hi Pavel,
> 
> Thank you for the patch! Yet something to improve:
> 
> [auto build test ERROR on ipsec-next/master]
> [also build test ERROR on next-20210726]
> [cannot apply to ipsec/master net-next/master net/master sparc-next/master v5.14-rc3]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch]
> 
> url:    https://github.com/0day-ci/linux/commits/Pavel-Skripkin/net-xfrm-fix-shift-out-of-bounce/20210727-224549
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git master
> config: s390-randconfig-r034-20210727 (attached as .config)
> compiler: clang version 13.0.0 (https://github.com/llvm/llvm-project c658b472f3e61e1818e1909bf02f3d65470018a5)
> reproduce (this is a W=1 build):
>         wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
>         chmod +x ~/bin/make.cross
>         # install s390 cross compiling tool for clang build
>         # apt-get install binutils-s390x-linux-gnu
>         # https://github.com/0day-ci/linux/commit/0d1cb044926e3d81c86b5add2eeaf38c7aec7f90
>         git remote add linux-review https://github.com/0day-ci/linux
>         git fetch --no-tags linux-review Pavel-Skripkin/net-xfrm-fix-shift-out-of-bounce/20210727-224549
>         git checkout 0d1cb044926e3d81c86b5add2eeaf38c7aec7f90
>         # save the attached .config to linux build tree
>         mkdir build_dir
>         COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross O=build_dir ARCH=s390 SHELL=/bin/bash net/xfrm/
> 
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
> 
> All errors (new ones prefixed by >>):
> 
>    In file included from net/xfrm/xfrm_user.c:22:
>    In file included from include/linux/skbuff.h:31:
>    In file included from include/linux/dma-mapping.h:10:
>    In file included from include/linux/scatterlist.h:9:
>    In file included from arch/s390/include/asm/io.h:75:
>    include/asm-generic/io.h:464:31: warning: performing pointer
> arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] val = __raw_readb(PCI_IOBASE + addr);
> ~~~~~~~~~~ ^ include/asm-generic/io.h:477:61: warning: performing
> pointer arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] val = __le16_to_cpu((__le16
> __force)__raw_readw(PCI_IOBASE + addr)); ~~~~~~~~~~ ^
> include/uapi/linux/byteorder/big_endian.h:36:59: note: expanded from
> macro '__le16_to_cpu' #define __le16_to_cpu(x) __swab16((__force
> __u16)(__le16)(x)) ^ include/uapi/linux/swab.h:102:54: note: expanded
> from macro '__swab16' #define __swab16(x)
> (__u16)__builtin_bswap16((__u16)(x)) ^
>    In file included from net/xfrm/xfrm_user.c:22:
>    In file included from include/linux/skbuff.h:31:
>    In file included from include/linux/dma-mapping.h:10:
>    In file included from include/linux/scatterlist.h:9:
>    In file included from arch/s390/include/asm/io.h:75:
>    include/asm-generic/io.h:490:61: warning: performing pointer
> arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] val = __le32_to_cpu((__le32
> __force)__raw_readl(PCI_IOBASE + addr)); ~~~~~~~~~~ ^
> include/uapi/linux/byteorder/big_endian.h:34:59: note: expanded from
> macro '__le32_to_cpu' #define __le32_to_cpu(x) __swab32((__force
> __u32)(__le32)(x)) ^ include/uapi/linux/swab.h:115:54: note: expanded
> from macro '__swab32' #define __swab32(x)
> (__u32)__builtin_bswap32((__u32)(x)) ^
>    In file included from net/xfrm/xfrm_user.c:22:
>    In file included from include/linux/skbuff.h:31:
>    In file included from include/linux/dma-mapping.h:10:
>    In file included from include/linux/scatterlist.h:9:
>    In file included from arch/s390/include/asm/io.h:75:
>    include/asm-generic/io.h:501:33: warning: performing pointer
> arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] __raw_writeb(value, PCI_IOBASE + addr);
> ~~~~~~~~~~ ^ include/asm-generic/io.h:511:59: warning: performing
> pointer arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] __raw_writew((u16
> __force)cpu_to_le16(value), PCI_IOBASE + addr); ~~~~~~~~~~ ^
> include/asm-generic/io.h:521:59: warning: performing pointer
> arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] __raw_writel((u32
> __force)cpu_to_le32(value), PCI_IOBASE + addr); ~~~~~~~~~~ ^
> include/asm-generic/io.h:609:20: warning: performing pointer
> arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] readsb(PCI_IOBASE + addr, buffer, count);
> ~~~~~~~~~~ ^ include/asm-generic/io.h:617:20: warning: performing
> pointer arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] readsw(PCI_IOBASE + addr, buffer, count);
> ~~~~~~~~~~ ^ include/asm-generic/io.h:625:20: warning: performing
> pointer arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] readsl(PCI_IOBASE + addr, buffer, count);
> ~~~~~~~~~~ ^ include/asm-generic/io.h:634:21: warning: performing
> pointer arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] writesb(PCI_IOBASE + addr, buffer,
> count); ~~~~~~~~~~ ^ include/asm-generic/io.h:643:21: warning:
> performing pointer arithmetic on a null pointer has undefined
> behavior [-Wnull-pointer-arithmetic] writesw(PCI_IOBASE + addr,
> buffer, count); ~~~~~~~~~~ ^ include/asm-generic/io.h:652:21:
> warning: performing pointer arithmetic on a null pointer has
> undefined behavior [-Wnull-pointer-arithmetic] writesl(PCI_IOBASE +
> addr, buffer, count); ~~~~~~~~~~ ^
> >> net/xfrm/xfrm_user.c:1975:54: error: expected ';' after expression
>            dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK
>                                                                ^
>                                                                ;

Oops :) Thank you, kernel test robot.

#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master


With regards,
Pavel Skripkin



[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-net-xfrm-fix-shift-out-of-bounce.patch --]
[-- Type: text/x-patch, Size: 1153 bytes --]

From e7cf3838979bf3079a511b6809e971945f50eb25 Mon Sep 17 00:00:00 2001
From: Pavel Skripkin <paskripkin@gmail.com>
Date: Tue, 27 Jul 2021 17:38:24 +0300
Subject: [PATCH] net: xfrm: fix shift-out-of-bounce

We need to check up->dirmask to avoid a shift-out-of-bounds bug,
since up->dirmask comes from userspace.

Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
 net/xfrm/xfrm_user.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index acc3a0dab331..4a7bb169314e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1966,9 +1966,14 @@ static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh,
 {
 	struct net *net = sock_net(skb->sk);
 	struct xfrm_userpolicy_default *up = nlmsg_data(nlh);
-	u8 dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK;
+	u8 dirmask;
 	u8 old_default = net->xfrm.policy_default;
 
+	if (up->dirmask >= sizeof(up->action) * 8)
+		return -EINVAL;
+
+	dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK;
+
 	net->xfrm.policy_default = (old_default & (0xff ^ dirmask))
 				    | (up->action << up->dirmask);
 
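Review bot: In the new check at the top of xfrm_set_default(), the bound `sizeof(up->action) * 8` is derived from the size of a different field rather than from the 8-bit `dirmask` and policy_default it protects, and it only stops the undefined shift: a shift count below that bound whose bit lies outside XFRM_POL_DEFAULT_MASK is still accepted. For such a value `dirmask` becomes 0, so nothing is cleared from old_default, yet the unchanged context line still ORs `up->action << up->dirmask` into net->xfrm.policy_default. Consider returning -EINVAL when the masked `dirmask` is 0, and masking the OR-ed term with `dirmask` too, since up->action comes from the same userspace message and no check on it appears in this hunk. Separately, the subject line spells the bug "shift-out-of-bounce", while the syzbot report in this thread is titled "UBSAN: shift-out-of-bounds in xfrm_set_default".
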
-- 
2.32.0


WARNING: multiple messages have this Message-ID (diff)
From: Pavel Skripkin <paskripkin@gmail.com>
To: kernel test robot <lkp@intel.com>
Cc: syzbot <syzbot+9cd5837a045bbee5b810@syzkaller.appspotmail.com>,
	clang-built-linux@googlegroups.com, kbuild-all@lists.01.org,
	davem@davemloft.net, herbert@gondor.apana.org.au,
	kuba@kernel.org, linux-kernel@vger.kernel.org,
	netdev@vger.kernel.org, steffen.klassert@secunet.com,
	syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] net: xfrm: fix shift-out-of-bounce
Date: Tue, 27 Jul 2021 20:30:56 +0300
Message-ID: <20210727203056.377e5758@gmail.com>
In-Reply-To: <202107280113.ykJy6Oc4-lkp@intel.com>

Thread overview: 11+ messages
2021-07-27 12:47 [syzbot] UBSAN: shift-out-of-bounds in xfrm_set_default syzbot
2021-07-27 14:43 ` Pavel Skripkin
2021-07-27 17:25   ` [PATCH] net: xfrm: fix shift-out-of-bounce kernel test robot
2021-07-27 17:25     ` kernel test robot
2021-07-27 17:30     ` Pavel Skripkin [this message]
2021-07-27 17:30       ` Pavel Skripkin
2021-07-28  0:13       ` [syzbot] UBSAN: shift-out-of-bounds in xfrm_set_default syzbot
2021-07-28  0:13         ` syzbot
2021-07-27 17:46   ` [PATCH] net: xfrm: fix shift-out-of-bounce kernel test robot
2021-07-27 17:46     ` kernel test robot
2021-07-27 23:28   ` [syzbot] UBSAN: shift-out-of-bounds in xfrm_set_default syzbot
