Re: [BUGREPORT] slab-out-of-bounds in do_csum

[Bagas Sanjaya <bagasdotme@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 5938 bytes --]

On Tue, Aug 22, 2023 at 01:57:53AM +0000, mengkanglai wrote:
> Hello:
>   I am doing some fuzz test for kernel, the following bug was triggered.
>   My kernel version is 5.10.0.Have you encountered similar problems?
>   If there is a fix, please let me know. 
>   Thank you very much.

What fuzz test?

> 
> ----------------------------------------------
> BUG: KASAN: slab-out-of-bounds in do_csum+0x3e9/0x400 usr/src/kernels/linux-5.10.0-136.12.0.86/arch/x86/lib/csum-partial_64.c:103
> Read of size 4 at addr ffff88801f183aa0 by task syz-executor.2/19784
> 
> CPU: 0 PID: 19784 Comm: syz-executor.2 Tainted: G        W  OE     5.10.0-136.12.0.86.x86_64 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
>  __dump_stack usr/src/kernels/linux-5.10.0-136.12.0.86/lib/dump_stack.c:77 [inline]
>  dump_stack+0xbe/0xfd usr/src/kernels/linux-5.10.0-136.12.0.86/lib/dump_stack.c:118
>  print_address_description.constprop.0+0x19/0x170 usr/src/kernels/linux-5.10.0-136.12.0.86/mm/kasan/report.c:382
>  __kasan_report.cold+0x6c/0x84 usr/src/kernels/linux-5.10.0-136.12.0.86/mm/kasan/report.c:542
>  kasan_report+0x3a/0x50 usr/src/kernels/linux-5.10.0-136.12.0.86/mm/kasan/report.c:559
>  do_csum+0x3e9/0x400 usr/src/kernels/linux-5.10.0-136.12.0.86/arch/x86/lib/csum-partial_64.c:103
>  csum_partial+0x21/0x30 usr/src/kernels/linux-5.10.0-136.12.0.86/arch/x86/lib/csum-partial_64.c:136
>  gso_make_checksum usr/src/kernels/linux-5.10.0-136.12.0.86/./include/linux/skbuff.h:4527 [inline]
>  __skb_udp_tunnel_segment+0xcd9/0x1710 usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv4/udp_offload.c:135
>  skb_udp_tunnel_segment+0x192/0x240 usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv4/udp_offload.c:177
>  udp6_ufo_fragment+0x9a5/0xd20 usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/udp_offload.c:37
>  ipv6_gso_segment+0x485/0xfc0 usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/ip6_offload.c:115
>  skb_mac_gso_segment+0x22e/0x400 usr/src/kernels/linux-5.10.0-136.12.0.86/net/core/dev.c:3348
>  __skb_gso_segment+0x331/0x6f0 usr/src/kernels/linux-5.10.0-136.12.0.86/net/core/dev.c:3445
>  skb_gso_segment usr/src/kernels/linux-5.10.0-136.12.0.86/./include/linux/netdevice.h:4799 [inline]
>  ip6_finish_output_gso_slowpath_drop.constprop.0+0x3f/0x170 usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/ip6_output.c:169
>  __ip6_finish_output.part.0+0x6a5/0x7c0 usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/ip6_output.c:203
>  __ip6_finish_output usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/ip6_output.c:225 [inline]
>  ip6_finish_output+0x25c/0x310 usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/ip6_output.c:220
>  NF_HOOK_COND usr/src/kernels/linux-5.10.0-136.12.0.86/./include/linux/netfilter.h:293 [inline]
>  ip6_output+0x1f3/0x3f0 usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/ip6_output.c:243
>  dst_output usr/src/kernels/linux-5.10.0-136.12.0.86/./include/net/dst.h:453 [inline]
>  ip6_local_out+0x94/0xc0 usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/output_core.c:161
>  ip6tunnel_xmit usr/src/kernels/linux-5.10.0-136.12.0.86/./include/net/ip6_tunnel.h:160 [inline]
>  udp_tunnel6_xmit_skb+0x695/0xa90 usr/src/kernels/linux-5.10.0-136.12.0.86/net/ipv6/ip6_udp_tunnel.c:109
>  geneve6_xmit_skb+0xaf8/0x1b50 usr/src/kernels/linux-5.10.0-136.12.0.86/drivers/net/geneve.c:1051
>  geneve_xmit+0x2f5/0x4f0 usr/src/kernels/linux-5.10.0-136.12.0.86/drivers/net/geneve.c:1080
>  __netdev_start_xmit usr/src/kernels/linux-5.10.0-136.12.0.86/./include/linux/netdevice.h:4849 [inline]
>  netdev_start_xmit usr/src/kernels/linux-5.10.0-136.12.0.86/./include/linux/netdevice.h:4863 [inline]
>  xmit_one.constprop.0+0x142/0x490 usr/src/kernels/linux-5.10.0-136.12.0.86/net/core/dev.c:3615
>  dev_hard_start_xmit+0x8e/0x1b0 usr/src/kernels/linux-5.10.0-136.12.0.86/net/core/dev.c:3631
>  __dev_queue_xmit+0x1935/0x2100 usr/src/kernels/linux-5.10.0-136.12.0.86/net/core/dev.c:4198
>  packet_snd+0x1992/0x2a40 usr/src/kernels/linux-5.10.0-136.12.0.86/net/packet/af_packet.c:3031
>  packet_sendmsg+0x9f/0xd0 usr/src/kernels/linux-5.10.0-136.12.0.86/net/packet/af_packet.c:3063
>  sock_sendmsg_nosec usr/src/kernels/linux-5.10.0-136.12.0.86/net/socket.c:658 [inline]
>  sock_sendmsg usr/src/kernels/linux-5.10.0-136.12.0.86/net/socket.c:678 [inline]
>  sock_sendmsg+0x165/0x1a0 usr/src/kernels/linux-5.10.0-136.12.0.86/net/socket.c:673
>  __sys_sendto+0x21b/0x320 usr/src/kernels/linux-5.10.0-136.12.0.86/net/socket.c:1993
>  __do_sys_sendto usr/src/kernels/linux-5.10.0-136.12.0.86/net/socket.c:2005 [inline]
>  __se_sys_sendto usr/src/kernels/linux-5.10.0-136.12.0.86/net/socket.c:2001 [inline]
>  __x64_sys_sendto+0xe2/0x1c0 usr/src/kernels/linux-5.10.0-136.12.0.86/net/socket.c:2001
>  do_syscall_64+0x33/0x40 usr/src/kernels/linux-5.10.0-136.12.0.86/arch/x86/entry/common.c:46
>  entry_SYSCALL_64_after_hwframe+0x61/0xc6
> RIP: 0033:0x7f6bf67ac74d
> Code: c3 e8 17 32 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f6bf4d19bf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
> RAX: ffffffffffffffda RBX: 00007f6bf68e7f80 RCX: 00007f6bf67ac74d
> RDX: 0000000000002378 RSI: 0000000020000080 RDI: 0000000000000003
> RBP: 00007f6bf681ad95 R08: 0000000000000000 R09: 00000000000002ff
> R10: 0000000004000002 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007ffe99543bff R14: 00007ffe99543da0 R15: 00007f6bf4d19d80

Can you reproduce above on latest mainline (currently v6.5-rc7)? Also,
it seems like you have external modules installed, hence your kernel is
tainted. Please try vanilla (untainted) kernel instead, preferably by
building kernel from kernel.org sources.

Thanks.

-- 
An old man doll... just what I always wanted! - Clara

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]