From: Zhu Yanjun <yanjun.zhu@linux.dev>
To: Chenyuan Yang <chenyuan0y@gmail.com>,
santosh.shilimkar@oracle.com, netdev@vger.kernel.org,
linux-rdma@vger.kernel.org, rds-devel@oss.oracle.com,
linux-kernel@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com,
"syzkaller@googlegroups.com" <syzkaller@googlegroups.com>,
Zijie Zhao <zzjas98@gmail.com>
Subject: Re: [Linux Kernel Bug] UBSAN: array-index-out-of-bounds in rds_cmsg_recv
Date: Sun, 21 Jan 2024 16:34:58 +0800 [thread overview]
Message-ID: <27319d3d-61dd-41e3-be6c-ccc08b9b3688@linux.dev> (raw)
In-Reply-To: <CALGdzuoVdq-wtQ4Az9iottBqC5cv9ZhcE5q8N7LfYFvkRsOVcw@mail.gmail.com>
On 2024/1/19 22:29, Chenyuan Yang wrote:
> Dear Linux Kernel Developers for Network RDS,
>
> We encountered "UBSAN: array-index-out-of-bounds in rds_cmsg_recv"
> when testing the RDS with our generated specifications. The C
> reproduce program and logs for this crash are attached.
>
> This crash happens when RDS receives messages by using
> `rds_cmsg_recv`, which reads the `j+1` index of the array
> `inc->i_rx_lat_trace`
> (https://elixir.bootlin.com/linux/v6.7/source/net/rds/recv.c#L585).
> The length of `inc->i_rx_lat_trace` array is 4 (defined by
> `RDS_RX_MAX_TRACES`,
> https://elixir.bootlin.com/linux/v6.7/source/net/rds/rds.h#L289) while
> `j` is the value stored in another array `rs->rs_rx_trace`
> (https://elixir.bootlin.com/linux/v6.7/source/net/rds/recv.c#L583),
> which is sent from others and could be an arbitrary value.
I recommend using the latest rds for tests. The rds in the linux kernel
upstream is too old. The rds in oracle linux is newer.
Zhu Yanjun
>
> This crash might be exploited to read values out of bounds from the
> array by setting arbitrary values for the array `rs->rs_rx_trace`.
>
> If you have any questions or require more information, please feel
> free to contact us.
>
> Best,
> Chenyuan
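The indexing pattern the report describes, as an added example that is not part of this thread and not RDS or kernel code: a user-space C model of a 4-entry latency trace array (`RDS_RX_MAX_TRACES`) read at positions `j` and `j + 1`, where `j` comes from an array that user space fills. The unchecked loop is placed beside a setter and a consumer that validate the positions. The struct and function names (`model_inc`, `model_sock`, `unchecked_rx_latency`, `set_rx_trace_positions`, `compute_rx_latency`) and the sample timestamps are assumptions made for this example.

```c
/* Added example (not kernel code, not from this thread): a user-space C
 * model of the indexing pattern the report describes in rds_cmsg_recv().
 * Struct/function names and the sample timestamps are assumptions chosen
 * for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RDS_RX_MAX_TRACES 4   /* length of inc->i_rx_lat_trace per the report */

/* Stand-in for the per-message latency timestamps (inc->i_rx_lat_trace). */
struct model_inc {
    uint64_t i_rx_lat_trace[RDS_RX_MAX_TRACES];
};

/* Stand-in for the per-socket trace positions (rs->rs_rx_trace), which
 * user space configures and which the receive path later uses as indices. */
struct model_sock {
    unsigned int rs_rx_traces;                   /* positions in use */
    unsigned int rs_rx_trace[RDS_RX_MAX_TRACES]; /* positions chosen by user space */
};

/* Vulnerable pattern, mirroring what the report describes: j is taken from
 * rs_rx_trace and both [j] and [j + 1] are read with no bound check, so a
 * j of 3 (or anything larger) reads past the 4-entry array. Kept here for
 * comparison only; never call it with unvalidated positions. */
int unchecked_rx_latency(const struct model_inc *inc, const struct model_sock *rs,
                         uint64_t *out)
{
    for (unsigned int i = 0; i < rs->rs_rx_traces; i++) {
        unsigned int j = rs->rs_rx_trace[i];
        out[i] = inc->i_rx_lat_trace[j + 1] - inc->i_rx_lat_trace[j];
    }
    return 0;
}

/* Hardened setter: validate positions where user space supplies them.
 * Because the consumer reads position j AND j + 1, the largest legal
 * position is RDS_RX_MAX_TRACES - 2; a check of j < RDS_RX_MAX_TRACES alone
 * would still let j + 1 run one past the end. Returns 0, or -1 and clears
 * the socket's positions on any invalid input. */
int set_rx_trace_positions(struct model_sock *rs, const unsigned int *pos, unsigned int n)
{
    if (n > RDS_RX_MAX_TRACES) {
        rs->rs_rx_traces = 0;
        return -1;
    }
    for (unsigned int i = 0; i < n; i++) {
        if (pos[i] >= RDS_RX_MAX_TRACES - 1) {
            rs->rs_rx_traces = 0;
            return -1;
        }
    }
    rs->rs_rx_traces = n;
    memcpy(rs->rs_rx_trace, pos, n * sizeof(*pos));
    return 0;
}

/* Hardened consumer: re-check at the point of use, so a position that
 * bypassed the setter cannot index past the array. The comparison is on j,
 * not j + 1: with j == UINT_MAX, j + 1 wraps to 0 and a check written as
 * "j + 1 >= RDS_RX_MAX_TRACES" would pass while [j] reads far out of bounds. */
int compute_rx_latency(const struct model_inc *inc, const struct model_sock *rs,
                       uint64_t *out, unsigned int out_len)
{
    if (rs->rs_rx_traces > out_len || rs->rs_rx_traces > RDS_RX_MAX_TRACES)
        return -1;
    for (unsigned int i = 0; i < rs->rs_rx_traces; i++) {
        unsigned int j = rs->rs_rx_trace[i];
        if (j >= RDS_RX_MAX_TRACES - 1)
            return -1;   /* refuse rather than read out of bounds */
        out[i] = inc->i_rx_lat_trace[j + 1] - inc->i_rx_lat_trace[j];
    }
    return 0;
}

int main(void)
{
    /* Constructed sample timestamps for the four trace points. */
    struct model_inc inc = { { 100, 150, 220, 300 } };
    struct model_sock rs;
    uint64_t out[RDS_RX_MAX_TRACES];
    unsigned int good[] = { 0, 2 };
    unsigned int bad[] = { 3 };   /* 3 indexes the array, but 3 + 1 does not */

    if (set_rx_trace_positions(&rs, good, 2) == 0 &&
        compute_rx_latency(&inc, &rs, out, RDS_RX_MAX_TRACES) == 0)
        printf("latencies: %llu %llu\n", (unsigned long long)out[0],
               (unsigned long long)out[1]);
    if (set_rx_trace_positions(&rs, bad, 1) != 0)
        printf("position 3 rejected: %u positions stored\n", rs.rs_rx_traces);
    return 0;
}
```

The point a reviewer would check in the real code is the same one the model makes explicit: whatever bound is enforced where `rs->rs_rx_trace` is filled must account for the `j + 1` read, and the consumer should compare `j` itself against the array length rather than `j + 1`, so that an unsigned wraparound cannot defeat the check.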
Thread overview: 7+ messages
2024-01-19 14:29 [Linux Kernel Bug] UBSAN: array-index-out-of-bounds in rds_cmsg_recv Chenyuan Yang
2024-01-21 8:34 ` Zhu Yanjun [this message]
2024-01-22 5:48 ` Randy Dunlap
2024-01-22 8:49 ` Zhu Yanjun
2024-01-27 0:00 ` Allison Henderson
2024-01-27 16:18 ` Randy Dunlap
2024-01-28 3:53 ` Zhu Yanjun