From: Stephen Hemminger
Subject: Fw: [Bug 200033] New: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h
Date: Tue, 12 Jun 2018 10:38:40 -0700
Message-ID: <20180612103840.3293dfb0@xeon-e3>
To: netdev@vger.kernel.org

Begin forwarded message:

Date: Tue, 12 Jun 2018 01:44:36 +0000
From: bugzilla-daemon@bugzilla.kernel.org
To: stephen@networkplumber.org
Subject: [Bug 200033] New: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h

https://bugzilla.kernel.org/show_bug.cgi?id=200033

            Bug ID: 200033
           Summary: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h
           Product: Networking
           Version: 2.5
    Kernel Version: v4.17
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Other
          Assignee: stephen@networkplumber.org
          Reporter: icytxw@gmail.com
        Regression: No

Created attachment 276483
  --> https://bugzilla.kernel.org/attachment.cgi?id=276483&action=edit

Found this bug with modified syzkaller

==================================================================
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:96 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:61 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x24ab/0x26e0 net/xfrm/xfrm_state.c:953
Read of size 4 at addr ffff880054b17b70 by task syz-executor0/13697

CPU: 0 PID: 13697 Comm: syz-executor0 Not tainted 4.17.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:

The buggy address belongs to the page:
page:ffffea000152c5c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 ffffea000152c5c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880054b17a00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2
 ffff880054b17a80: f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00
>ffff880054b17b00: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2
                                                             ^
 ffff880054b17b80: f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3
 ffff880054b17c00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 13697 Comm: syz-executor0 Tainted: G    B 4.17.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..