From: Hyunwoo Kim <v4bel@theori.io>
To: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>,
Taehee Yoo <ap420073@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Dmitry Kozlov <xeb@mail.ru>, David Ahern <dsahern@kernel.org>,
tudordana@google.com, netdev@vger.kernel.org, imv4bel@gmail.com,
v4bel@theori.io
Subject: Re: [PATCH] net: Fix invalid ip_route_output_ports() call
Date: Tue, 21 Mar 2023 04:35:09 -0700 [thread overview]
Message-ID: <20230321113509.GA23276@ubuntu> (raw)
In-Reply-To: <CANn89iJVU1yfCfyyUpmMeZA7BEYLfVXYsK80H26WM=hB-1B27Q@mail.gmail.com>
On Tue, Mar 21, 2023 at 04:19:25AM -0700, Eric Dumazet wrote:
> On Tue, Mar 21, 2023 at 4:14 AM Hyunwoo Kim <v4bel@theori.io> wrote:
> >
> > I'm not sure what 'ip x p' means, as my understanding of XFRM is limited, sorry.
>
> Since your repro does not set up a private netns.
>
> Please install the iproute2 package (if not there already) and run the
> following command
>
> sudo ip x p
>
> man ip
>
> IP(8) Linux
> IP(8)
>
> NAME
> ip - show / manipulate routing, network devices, interfaces and tunnels
>
> SYNOPSIS
This is the result of creating a new netns, running repro, and then running the ip x p command:
```
src 255.1.0.0/0 dst 0.0.0.0/0
dir out priority 0
mark 0/0x6
tmpl src 0.0.0.0 dst 0.0.0.0
proto comp reqid 0 mode beet
level 16
tmpl src fc00:: dst e000:2::
proto ah reqid 0 mode tunnel
level 32
tmpl src ac14:14bb:: dst ac14:14fa::
proto route2 reqid 0 mode transport
level 3
tmpl src :: dst 2001::1
proto ah reqid 0 mode in_trigger
tmpl src ff01::1 dst 7f00:1::
proto comp reqid 0 mode transport
```
>
> >
> > Instead, here is the (dirty) code I used to trigger this:
> > ```
> > #include <endian.h>
> > #include <stdint.h>
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <string.h>
> > #include <sys/syscall.h>
> > #include <sys/types.h>
> > #include <unistd.h>
> > #include <sched.h>
> > #include <fcntl.h>
> >
> >
> > uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
> >
> > int main(void)
> > {
> > int ret;
> > intptr_t res = 0;
> >
> > syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
> > syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
> > syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
> >
> > res = syscall(__NR_socket, 0x10ul, 3ul, 0);
> > printf("socket() 1 : %ld\n", res);
> > if (res != -1)
> > r[0] = res;
> > *(uint64_t*)0x20000000 = 0;
> > *(uint32_t*)0x20000008 = 0;
> > *(uint64_t*)0x20000010 = 0x20000140;
> > *(uint64_t*)0x20000140 = 0x20000040;
> > memcpy((void*)0x20000040,
> > "\x3c\x00\x00\x00\x10\x00\x01\x04\x00\xee\xff\xff\xff\xff\xff\xff\x00"
> > "\x00\x00\x00",
> > 20);
> > *(uint32_t*)0x20000054 = -1;
> > memcpy((void*)0x20000058,
> > "\x01\x00\x00\x00\x01\x00\x00\x00\x1c\x00\x12\x00\x0c\x00\x01\x00\x62"
> > "\x72\x69\x64\x67\x65",
> > 22);
> > *(uint64_t*)0x20000148 = 0x3c;
> > *(uint64_t*)0x20000018 = 1;
> > *(uint64_t*)0x20000020 = 0;
> > *(uint64_t*)0x20000028 = 0;
> > *(uint32_t*)0x20000030 = 0;
> > ret = syscall(__NR_sendmsg, r[0], 0x20000000ul, 0ul);
> > printf("sendmsg() 1 : %d\n", ret);
> >
> > res = syscall(__NR_socket, 0x10ul, 3ul, 6);
> > printf("socket() 2 : %ld\n", res);
> > if (res != -1)
> > r[1] = res;
> > *(uint64_t*)0x20000480 = 0;
> > *(uint32_t*)0x20000488 = 0;
> > *(uint64_t*)0x20000490 = 0x20000200;
> > *(uint64_t*)0x20000200 = 0x200004c0;
> > *(uint32_t*)0x200004c0 = 0x208;
> > *(uint16_t*)0x200004c4 = 0x19;
> > *(uint16_t*)0x200004c6 = 1;
> > *(uint32_t*)0x200004c8 = 0;
> > *(uint32_t*)0x200004cc = 0;
> > memset((void*)0x200004d0, 0, 16);
> > *(uint8_t*)0x200004e0 = -1;
> > *(uint8_t*)0x200004e1 = 1;
> > memset((void*)0x200004e2, 0, 13);
> > *(uint8_t*)0x200004ef = 1;
> > *(uint16_t*)0x200004f0 = htobe16(0);
> > *(uint16_t*)0x200004f2 = htobe16(0);
> > *(uint16_t*)0x200004f4 = htobe16(0);
> > *(uint16_t*)0x200004f6 = htobe16(0);
> > *(uint16_t*)0x200004f8 = 2;
> > *(uint8_t*)0x200004fa = 0;
> > *(uint8_t*)0x200004fb = 0;
> > *(uint8_t*)0x200004fc = 0;
> > *(uint32_t*)0x20000500 = 0;
> > *(uint32_t*)0x20000504 = -1;
> > *(uint64_t*)0x20000508 = 0;
> > *(uint64_t*)0x20000510 = 0;
> > *(uint64_t*)0x20000518 = 0;
> > *(uint64_t*)0x20000520 = 0;
> > *(uint64_t*)0x20000528 = 0;
> > *(uint64_t*)0x20000530 = 0;
> > *(uint64_t*)0x20000538 = 0;
> > *(uint64_t*)0x20000540 = 0;
> > *(uint64_t*)0x20000548 = 0;
> > *(uint64_t*)0x20000550 = 0;
> > *(uint64_t*)0x20000558 = 0;
> > *(uint64_t*)0x20000560 = 0;
> > *(uint32_t*)0x20000568 = 0;
> > *(uint32_t*)0x2000056c = 0;
> > *(uint8_t*)0x20000570 = 1;
> > *(uint8_t*)0x20000571 = 0;
> > *(uint8_t*)0x20000572 = 0;
> > *(uint8_t*)0x20000573 = 0;
> > *(uint16_t*)0x20000578 = 0xc;
> > *(uint16_t*)0x2000057a = 0x15;
> > *(uint32_t*)0x2000057c = 0;
> > *(uint32_t*)0x20000580 = 6;
> > *(uint16_t*)0x20000584 = 0x144;
> > *(uint16_t*)0x20000586 = 5;
> > memset((void*)0x20000588, 0, 16);
> > *(uint32_t*)0x20000598 = htobe32(0);
> > *(uint8_t*)0x2000059c = 0x6c;
> > *(uint16_t*)0x200005a0 = 0;
> > *(uint32_t*)0x200005a4 = htobe32(0);
> > *(uint32_t*)0x200005b4 = 0;
> > *(uint8_t*)0x200005b8 = 4;
> > *(uint8_t*)0x200005b9 = 0;
> > *(uint8_t*)0x200005ba = 0x10;
> > *(uint32_t*)0x200005bc = 0;
> > *(uint32_t*)0x200005c0 = 0;
> > *(uint32_t*)0x200005c4 = 0;
> > *(uint32_t*)0x200005c8 = htobe32(0xe0000002);
> > *(uint32_t*)0x200005d8 = htobe32(0);
> > *(uint8_t*)0x200005dc = 0x33;
> > *(uint16_t*)0x200005e0 = 0xa;
> > *(uint8_t*)0x200005e4 = 0xfc;
> > *(uint8_t*)0x200005e5 = 0;
> > memset((void*)0x200005e6, 0, 13);
> > *(uint8_t*)0x200005f3 = 0;
> > *(uint32_t*)0x200005f4 = 0;
> > *(uint8_t*)0x200005f8 = 1;
> > *(uint8_t*)0x200005f9 = 0;
> > *(uint8_t*)0x200005fa = 0x20;
> > *(uint32_t*)0x200005fc = 0;
> > *(uint32_t*)0x20000600 = 0;
> > *(uint32_t*)0x20000604 = 0;
> > *(uint8_t*)0x20000608 = 0xac;
> > *(uint8_t*)0x20000609 = 0x14;
> > *(uint8_t*)0x2000060a = 0x14;
> > *(uint8_t*)0x2000060b = 0xfa;
> > *(uint32_t*)0x20000618 = htobe32(0);
> > *(uint8_t*)0x2000061c = 0x2b;
> > *(uint16_t*)0x20000620 = 0xa;
> > *(uint8_t*)0x20000624 = 0xac;
> > *(uint8_t*)0x20000625 = 0x14;
> > *(uint8_t*)0x20000626 = 0x14;
> > *(uint8_t*)0x20000627 = 0xbb;
> > *(uint32_t*)0x20000634 = 0;
> > *(uint8_t*)0x20000638 = 0;
> > *(uint8_t*)0x20000639 = 0;
> > *(uint8_t*)0x2000063a = 3;
> > *(uint32_t*)0x2000063c = 0;
> > *(uint32_t*)0x20000640 = 0;
> > *(uint32_t*)0x20000644 = 0;
> > memcpy((void*)0x20000648,
> > " \001\000\000\000\000\000\000\000\000\000\000\000\000\000\001", 16);
> > *(uint32_t*)0x20000658 = htobe32(0);
> > *(uint8_t*)0x2000065c = 0x33;
> > *(uint16_t*)0x20000660 = 0xa;
> > *(uint32_t*)0x20000664 = htobe32(0);
> > *(uint32_t*)0x20000674 = 0;
> > *(uint8_t*)0x20000678 = 3;
> > *(uint8_t*)0x20000679 = 0;
> > *(uint8_t*)0x2000067a = 0;
> > *(uint32_t*)0x2000067c = 0;
> > *(uint32_t*)0x20000680 = 0;
> > *(uint32_t*)0x20000684 = 0;
> > *(uint32_t*)0x20000688 = htobe32(0x7f000001);
> > *(uint32_t*)0x20000698 = htobe32(0);
> > *(uint8_t*)0x2000069c = 0x6c;
> > *(uint16_t*)0x200006a0 = 0xa;
> > *(uint8_t*)0x200006a4 = -1;
> > *(uint8_t*)0x200006a5 = 1;
> > memset((void*)0x200006a6, 0, 13);
> > *(uint8_t*)0x200006b3 = 1;
> > *(uint32_t*)0x200006b4 = 0;
> > *(uint8_t*)0x200006b8 = 0;
> > *(uint8_t*)0x200006b9 = 0;
> > *(uint8_t*)0x200006ba = 0;
> > *(uint32_t*)0x200006bc = 0;
> > *(uint32_t*)0x200006c0 = 0;
> > *(uint32_t*)0x200006c4 = -1;
> > *(uint64_t*)0x20000208 = 0x208;
> > *(uint64_t*)0x20000498 = 1;
> > *(uint64_t*)0x200004a0 = 0;
> > *(uint64_t*)0x200004a8 = 0;
> > *(uint32_t*)0x200004b0 = 0;
> > ret = syscall(__NR_sendmsg, r[1], 0x20000480ul, 0ul);
> > printf("sendmsg() 2 : %d\n", ret);
> > return 0;
> > }
> > ```
next prev parent reply other threads:[~2023-03-21 11:35 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-21 2:49 [PATCH] net: Fix invalid ip_route_output_ports() call Hyunwoo Kim
2023-03-21 3:17 ` Eric Dumazet
2023-03-21 5:08 ` Hyunwoo Kim
2023-03-21 5:19 ` Eric Dumazet
2023-03-21 10:52 ` Steffen Klassert
2023-03-21 11:14 ` Hyunwoo Kim
2023-03-21 11:19 ` Eric Dumazet
2023-03-21 11:35 ` Hyunwoo Kim [this message]
2023-03-24 9:57 ` Steffen Klassert
2023-03-30 7:42 ` Tudor Ambarus
2023-03-30 7:56 ` Steffen Klassert
2023-03-21 11:36 ` Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230321113509.GA23276@ubuntu \
--to=v4bel@theori.io \
--cc=ap420073@gmail.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=imv4bel@gmail.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=steffen.klassert@secunet.com \
--cc=tudordana@google.com \
--cc=xeb@mail.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.