From: Florian Westphal <fw@strlen.de>
To: syzbot <syzbot+99d15fcdb0132a1e1a82@syzkaller.appspotmail.com>
Cc: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com,
	fw@strlen.de, horms@kernel.org, kuba@kernel.org,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	pabeni@redhat.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] WARNING in mpls_gso_segment
Date: Wed, 21 Feb 2024 14:15:46 +0100
Message-ID: <20240221131546.GE15988@breakpoint.cc>
In-Reply-To: <00000000000043b1310611e388aa@google.com>

syzbot <syzbot+99d15fcdb0132a1e1a82@syzkaller.appspotmail.com> wrote:
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1536462c180000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/adbf5d8e38d7/disk-49344462.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/0f8e3fb78410/vmlinux-49344462.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/682f4814bf23/bzImage-49344462.xz
> 
> The issue was bisected to:
> 
> commit 219eee9c0d16f1b754a8b85275854ab17df0850a
> Author: Florian Westphal <fw@strlen.de>
> Date:   Fri Feb 16 11:36:57 2024 +0000
> 
>     net: skbuff: add overflow debug check to pull/push helpers
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13262752180000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=10a62752180000
> console output: https://syzkaller.appspot.com/x/log.txt?x=17262752180000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+99d15fcdb0132a1e1a82@syzkaller.appspotmail.com
> Fixes: 219eee9c0d16 ("net: skbuff: add overflow debug check to pull/push helpers")
> 
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 5068 at include/linux/skbuff.h:2723 pskb_may_pull_reason include/linux/skbuff.h:2723 [inline]
> WARNING: CPU: 0 PID: 5068 at include/linux/skbuff.h:2723 pskb_may_pull include/linux/skbuff.h:2739 [inline]
> WARNING: CPU: 0 PID: 5068 at include/linux/skbuff.h:2723 mpls_gso_segment+0x773/0xaa0 net/mpls/mpls_gso.c:34

Two possible solutions:

1)

diff --git a/net/mpls/mpls_gso.c b/net/mpls/mpls_gso.c
index 533d082f0701..43801b78dd64 100644
--- a/net/mpls/mpls_gso.c
+++ b/net/mpls/mpls_gso.c
@@ -25,12 +25,13 @@ static struct sk_buff *mpls_gso_segment(struct sk_buff *skb,
        netdev_features_t mpls_features;
        u16 mac_len = skb->mac_len;
        __be16 mpls_protocol;
-       unsigned int mpls_hlen;
+       int mpls_hlen;
 
        skb_reset_network_header(skb);
        mpls_hlen = skb_inner_network_header(skb) - skb_network_header(skb);
-       if (unlikely(!mpls_hlen || mpls_hlen % MPLS_HLEN))
+       if (unlikely(mpls_hlen <= 0 || mpls_hlen % MPLS_HLEN))
                goto out;
+
        if (unlikely(!pskb_may_pull(skb, mpls_hlen)))
                goto out;
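Review bot: the `mpls_hlen <= 0` test only catches the symptom; per the message the underlying condition is that the inner network header was never set (skb_inner_network_header() yields 0, i.e. head), so a guard that checks whether the inner header offset has been set before computing `mpls_hlen` would state the intent more directly than relying on a signed pointer difference. Separately, the `+` blank line inserted after `goto out;` is an unrelated whitespace change and should be dropped from the hunk.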

(or a variation thereof).

2) revert the pskb_may_pull_reason change added in 219eee9c0d16f1b754a8 to
make it tolerant to "negative" (huge) may-pull requests again.

With the above repro, skb_inner_network_header() yields 0 and skb_network_header()
returns 108, so we call pskb_may_pull(skb, -108), which now triggers the
DEBUG_NET_WARN_ON_ONCE() check.

Before the blamed commit, this would make pskb_may_pull hit:

        if (unlikely(len > skb->len))
                return SKB_DROP_REASON_PKT_TOO_SMALL;

and mpls_gso_segment takes the 'goto out' label.

So the question is really whether we should fix this in mpls_gso (and possibly others
that try to pull negative numbers...) or whether we should legalize this, either by
adding an explicit if (unlikely(len > INT_MAX)) test to pskb_may_pull_reason or
by adding a comment that negative 'len' numbers are expected to be caught by
the check vs. skb->len.

Opinions?
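The arithmetic Florian describes, modelled as an added example that is not code from the thread or from the kernel: a constructed 256-byte buffer stands in for skb->head, the offsets are the ones from the report (network header at 108, inner network header never set, i.e. 0), and the two variants of the mpls_hlen check are compared with the pre-219eee9c0d16 pskb_may_pull() length test.

```c
#include <stdbool.h>
#include <stdio.h>

#define MPLS_HLEN 4

/* Constructed stand-in for skb->head; only the pointer arithmetic matters. */
static unsigned char head[256];

/* Pre-219eee9c0d16 pskb_may_pull(): the unsigned len is compared against
 * skb->len, so a wrapped "negative" request simply fails the pull. */
static bool old_pskb_may_pull_ok(unsigned int skb_len, unsigned int len)
{
	return len <= skb_len;
}

/* mpls_gso_segment() as reported: mpls_hlen is unsigned, so a pointer
 * difference of -108 becomes 4294967188, which is non-zero and a multiple
 * of MPLS_HLEN, and the pull is attempted with that value.
 * Returns the len that would be handed to pskb_may_pull(), 0 if none. */
static unsigned int unsigned_variant_pull_len(unsigned int net_off, unsigned int inner_off)
{
	unsigned int mpls_hlen = (head + inner_off) - (head + net_off);

	if (!mpls_hlen || mpls_hlen % MPLS_HLEN)
		return 0;
	return mpls_hlen;
}

/* Solution 1) from the message: signed mpls_hlen, rejected when <= 0,
 * so an unset inner header never reaches pskb_may_pull(). */
static int signed_variant_pull_len(unsigned int net_off, unsigned int inner_off)
{
	int mpls_hlen = (head + inner_off) - (head + net_off);

	if (mpls_hlen <= 0 || mpls_hlen % MPLS_HLEN)
		return 0;
	return mpls_hlen;
}

int main(void)
{
	unsigned int len = unsigned_variant_pull_len(108, 0);

	printf("unsigned: pull len %u, old pskb_may_pull accepts: %d\n",
	       len, old_pskb_may_pull_ok(200, len));
	printf("signed:   pull len %d\n", signed_variant_pull_len(108, 0));
	return 0;
}
```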
