From: Steffen Klassert
Subject: Re: net/xfrm: stack out-of-bounds in xfrm_flowi_sport
Date: Tue, 14 Feb 2017 10:08:16 +0100
Message-ID: <20170214090816.GJ30338@gauss.secunet.com>
References: <20170214070854.GH30338@gauss.secunet.com>
To: Dmitry Vyukov
Cc: Herbert Xu, David Miller, Eric Dumazet, netdev, LKML, syzkaller
List-Id: netdev.vger.kernel.org

On Tue, Feb 14, 2017 at 09:41:35AM +0100, Dmitry Vyukov wrote:
> On Tue, Feb 14, 2017 at 8:08 AM, Steffen Klassert wrote:
> > On Mon, Feb 13, 2017 at 03:46:56PM +0100, Dmitry Vyukov wrote:
> >>
> >> On commit 7089db84e356562f8ba737c29e472cc42d530dbc.
> >>
> >> struct flowi4 fl4_stack allocated on stack in udp_sendmsg is being
> >> cast to larger struct flowi and then accessed.
> >
> > Looks like the problem is when using IPv4-mapped IPv6 addresses.
> >
> > Does the patch below help?
>
> Steffen, can you please run the reproducer I provided?
> I specifically spent time to supply you with a simple, reliable
> reproducer. I am not even talking about adding a test case for the bug.
> Kernel development practices seem to encourage developers to not
> bother with tests. But at least testing a patch that you are sending
> looks like a reasonable thing to do.

I tested this with my socket policy test cases, of course. I don't have an
IPv4-mapped IPv6 addresses test case, and changing userspace in my test
setup means rebuilding the system ISO image.

Asking for a test is not so uncommon. You have the test case, why not run
it again?
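The report quoted above describes a struct flowi4 on the stack being accessed through the larger struct flowi. As an added illustration (not code from this thread or from the kernel; the flowi4_like/flowi6_like/flowi_like layouts and FAM_* values are hypothetical, simplified stand-ins), this C block shows a family-dispatched port lookup that is told how large the object it was given really is and refuses to read past it:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for the kernel's flowi4/flowi6/flowi (assumed,
 * simplified layouts): the IPv6 member is larger than the IPv4 one. */
enum { FAM_INET = 2, FAM_INET6 = 10 };
struct flowi4_like { uint16_t family; uint32_t saddr, daddr; uint16_t sport, dport; };
struct flowi6_like { uint16_t family; uint8_t saddr[16], daddr[16]; uint16_t sport, dport; };
union flowi_like { uint16_t family; struct flowi4_like ip4; struct flowi6_like ip6; };

/* Byte span from the start of the object that a sport lookup for this
 * family touches; 0 for an unknown family. */
static size_t flowi_sport_reach(uint16_t family)
{
    switch (family) {
    case FAM_INET:  return offsetof(struct flowi4_like, sport) + sizeof(uint16_t);
    case FAM_INET6: return offsetof(struct flowi6_like, sport) + sizeof(uint16_t);
    default:        return 0;
    }
}

/* Size-aware sport lookup. `len` is how many bytes the caller really owns:
 * sizeof a bare flowi4 in the udp_sendmsg pattern from the report, or sizeof
 * the union when the whole object was allocated. Returns 0 or -1, never overreads. */
static int flowi_sport_checked(const void *buf, size_t len, uint16_t *out)
{
    uint16_t family;
    size_t need;
    if (len < sizeof family)
        return -1;
    memcpy(&family, buf, sizeof family);   /* family is at offset 0 in every member */
    need = flowi_sport_reach(family);
    if (need == 0 || need > len)
        return -1;                         /* e.g. an INET6 read against a flowi4 */
    memcpy(out, (const unsigned char *)buf + need - sizeof *out, sizeof *out);
    return 0;
}

/* Mirrors the report: a flowi4-sized stack object whose family says INET6.
 * Returns 1 when the checked lookup refuses that overrun yet serves a full union. */
static int demo_flowi4_seen_as_inet6(void)
{
    struct flowi4_like fl4 = { .family = FAM_INET6, .sport = 1234 };
    union flowi_like fl = { .ip6 = { .family = FAM_INET6, .sport = 5678 } };
    uint16_t sport = 0;
    return flowi_sport_checked(&fl4, sizeof fl4, &sport) == -1
        && flowi_sport_checked(&fl, sizeof fl, &sport) == 0 && sport == 5678;
}
```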