From mboxrd@z Thu Jan 1 00:00:00 1970
From: Hannes Frederic Sowa
Subject: Re: Potential out-of-bounds access in ip6_finish_output2
Date: Sat, 21 Sep 2013 17:14:57 +0200
Message-ID: <20130921151457.GA5748@order.stressinduktion.org>
References: <20130917224851.GB8947@order.stressinduktion.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
To: Dmitry Vyukov, yoshfuji@linux-ipv6.org, netdev@vger.kernel.org, Paul Turner, Andrey Konovalov, Kostya Serebryany, Tom Herbert
Return-path:
Received: from order.stressinduktion.org ([87.106.68.36]:42125 "EHLO order.stressinduktion.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752482Ab3IUPO7 (ORCPT ); Sat, 21 Sep 2013 11:14:59 -0400
Content-Disposition: inline
In-Reply-To: <20130917224851.GB8947@order.stressinduktion.org>
Sender: netdev-owner@vger.kernel.org
List-ID:

On Wed, Sep 18, 2013 at 12:48:51AM +0200, Hannes Frederic Sowa wrote:
> On Mon, Sep 16, 2013 at 10:13:10PM -0700, Dmitry Vyukov wrote:
> > I am working on AddressSanitizer -- a tool that detects use-after-free
> > and out-of-bounds bugs
> > (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel).
> >
> > I've got a dozen reports in ip6_finish_output2. Below are 2 of
> > them. They are always followed by a kernel crash. Unfortunately I don't
> > have a reproducer because I am using the trinity fuzzer. I would
> > appreciate it if somebody familiar with the code would look at the sources
> > and maybe spot the bug.
>
> Thanks for the report!
>
> I tried reproducing the bug and hit some other bugs nearby. I'll try to fix
> them, but this could take some time.

I fixed the first bug I encountered with trinity here:
http://patchwork.ozlabs.org/patch/276835/

The main cause of this bug has nothing to do with raw sockets, so I first
thought they were not related. But I let my machine run trinity while I was
sleeping and did not see any other splats (I added some manual range checks
in ip6_append_data).

So maybe your bug happened because of the premature exit in the dontfrag
check without resetting cork->length. Maybe you could give this patch a try?

I'll have a second look later today.

Thanks,

  Hannes
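The failure shape Hannes suspects above (an early exit in the dontfrag check that leaves cork->length inflated, so a later output step trusts a length that no longer matches the bytes actually queued) as an added, constructed C model. It is not Linux kernel code and not the patch linked in the mail: struct cork, CORK_BUF_SIZE, PATH_MTU, append_data_buggy, append_data_fixed, finish_output and run_sequence are hypothetical names, and the sizes are made up. The bounds check in finish_output stands in for the sanitizer, reporting the stale length instead of reading past the buffer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code: a per-socket "cork" accumulating
 * pending payload, followed by an output step that trusts cork->length. */

#define CORK_BUF_SIZE 64   /* hypothetical capacity of the queued payload */
#define PATH_MTU      48   /* hypothetical MTU the dontfrag check enforces */

struct cork {
    unsigned char buf[CORK_BUF_SIZE];  /* queued payload bytes */
    size_t length;                     /* bytes the output step believes are queued */
    int dontfrag;                      /* refuse to fragment (IPV6_DONTFRAG-like) */
};

static void cork_init(struct cork *c, int dontfrag)
{
    memset(c, 0, sizeof(*c));
    c->dontfrag = dontfrag;
}

/* Buggy shape: length is bumped before the dontfrag check, and the early
 * exit returns without undoing it, although nothing was copied. */
static int append_data_buggy(struct cork *c, const unsigned char *data, size_t len)
{
    size_t old_len = c->length;

    c->length += len;
    if (c->dontfrag && c->length > PATH_MTU)
        return -EMSGSIZE;                /* premature exit, length not reset */
    if (c->length > CORK_BUF_SIZE) {     /* this error path does restore it */
        c->length = old_len;
        return -ENOBUFS;
    }
    memcpy(c->buf + old_len, data, len);
    return 0;
}

/* Fixed shape: every error path restores c->length before returning. */
static int append_data_fixed(struct cork *c, const unsigned char *data, size_t len)
{
    size_t old_len = c->length;

    c->length += len;
    if (c->dontfrag && c->length > PATH_MTU) {
        c->length = old_len;             /* undo the accounting */
        return -EMSGSIZE;
    }
    if (c->length > CORK_BUF_SIZE) {
        c->length = old_len;
        return -ENOBUFS;
    }
    memcpy(c->buf + old_len, data, len);
    return 0;
}

/* Output step: consumes cork->length bytes. Returns the byte sum, or
 * -EFAULT when length exceeds the buffer (the out-of-bounds condition a
 * sanitizer would flag instead of letting the read happen). */
static long finish_output(const struct cork *c)
{
    long sum = 0;

    if (c->length > sizeof(c->buf))
        return -EFAULT;
    for (size_t i = 0; i < c->length; i++)
        sum += c->buf[i];
    return sum;
}

/* Same append sequence through either variant: 20 bytes accepted, 40 more
 * rejected by dontfrag, then 20 more. Returns finish_output()'s result. */
static long run_sequence(int (*append)(struct cork *, const unsigned char *, size_t))
{
    struct cork c;
    unsigned char chunk[40];

    memset(chunk, 1, sizeof(chunk));     /* constructed payload: every byte is 1 */
    cork_init(&c, 1);
    append(&c, chunk, 20);               /* length 20, under PATH_MTU */
    append(&c, chunk, 40);               /* 60 > 48: -EMSGSIZE from both variants */
    append(&c, chunk, 20);               /* fixed: 40, accepted; buggy: 80, rejected again */
    return finish_output(&c);
}

int main(void)
{
    printf("buggy: %ld\n", run_sequence(append_data_buggy)); /* -14 (-EFAULT) */
    printf("fixed: %ld\n", run_sequence(append_data_fixed)); /* 40 */
    return 0;
}
```

The buggy variant never copies more than the buffer holds; the damage is purely to the bookkeeping, which is why it only shows up later, in the output path that walks cork->length bytes. The fix is the general rule for this kind of accumulator: any error return after the accounting has been updated must restore it.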