From: Stefano Brivio <sbrivio@redhat.com>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	syzbot <syzbot+4ad25edc7a33e4ab91e0@syzkaller.appspotmail.com>,
	David Miller <davem@davemloft.net>,
	Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	Network Development <netdev@vger.kernel.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Subject: Re: kernel panic: stack is corrupted in udp4_lib_lookup2
Date: Fri, 4 Jan 2019 18:50:29 +0100
Message-ID: <20190104185029.759430e2@redhat.com>
In-Reply-To: <CAF=yD-LdShBqHz1amBAAAA4w==0O+HfeWutfLi5K6LmWhK_x6Q@mail.gmail.com>

On Fri, 4 Jan 2019 12:24:18 -0500
Willem de Bruijn <willemdebruijn.kernel@gmail.com> wrote:

> On Fri, Jan 4, 2019 at 12:14 PM Stefano Brivio <sbrivio@redhat.com> wrote:
> >
> > On Fri, 4 Jan 2019 12:05:04 +0100
> > Dmitry Vyukov <dvyukov@google.com> wrote:
> >  
> > > On Fri, Jan 4, 2019 at 11:54 AM Stefano Brivio <sbrivio@redhat.com> wrote:  
> > > >
> > > > On Fri, 4 Jan 2019 11:32:12 +0100
> > > > Dmitry Vyukov <dvyukov@google.com> wrote:
> > > >  
> > > > > On Thu, Jan 3, 2019 at 10:54 PM Stefano Brivio <sbrivio@redhat.com> wrote:  
> > > > > >
> > > > > > On Thu, 3 Jan 2019 15:15:06 -0600
> > > > > > Willem de Bruijn <willemdebruijn.kernel@gmail.com> wrote:
> > > > > >  
> > > > > > > syzbot generated stack traces with
> > > > > > >
> > > > > > > [  183.517380]  udpv6_err+0x46/0x60
> > > > > > > [  183.520739]  ? __udp6_lib_err+0x1890/0x1890
> > > > > > > [  183.525054]  gue6_err_proto_handler+0x199/0x280  
> > > > > >
> > > > > > Where? I can't find that in any logs linked from the dashboard at
> > > > > > https://syzkaller.appspot.com/bug?extid=4ad25edc7a33e4ab91e0 :(  
> > > > >
> > > > > Stefano, there are these 4 bugs reported that have similar-looking
> > > > > reproducers involving udp sockets and crash modes that look like
> > > > > stack corruption/overflow:
> > > > >
> > > > > https://syzkaller.appspot.com/bug?extid=14005fa30c9a07192934
> > > > > https://syzkaller.appspot.com/bug?extid=d14090007dc9ba5fa9b7
> > > > > https://syzkaller.appspot.com/bug?extid=137ed32ec9a6d5b0d5fe
> > > > > https://syzkaller.appspot.com/bug?id=d5bc3e0c66d200d72216ab343a67c4327e4a3452
> > > > >
> > > > > Are these the same bug as this?  
> > > >
> > > > Judging from the reproducers for the first three, they seem to be.  
> > >
> > > OK, then I will mark them as dups of this one.  
> >
> > syzbot just finished the tests I requested and couldn't reproduce the
> > first three issues with the fix I posted (fou6: Prevent unbounded
> > recursion in GUE error handler).  
> 
> Thanks for preparing the fixes so quickly, Stefano.
> 
> I also noticed one trace that seemingly goes through an ip6erspan
> tunnel as well as gue6.
> 
> [  760.618683]  ? __udp6_lib_err+0xcb/0x640
> [  760.622716]  ? udplitev6_err+0x46/0x60
> [  760.626573]  ? gue6_err+0x105/0x270
> [  760.630170]  ? udp_lib_close+0x20/0x20
> [  760.634027]  ? ip6erspan_tunnel_xmit+0xdc0/0xdc0
> 
> Without knowing the err_handler code too well: is it possible that
> packets with an intermediate IPIP or other tunnel still bypass the
> checks (which check for strictly UDP in GUE)?

Yes, I also noticed that, and concluded it's not an issue, but thanks
for pointing that out.

Recursion can't happen there because other handlers don't forward the
exception to the exception handler of the inner layer. For ERSPAN, e.g.,
see ip6gre_err(): it "simply" looks up the tunnel and calls
ip6_update_pmtu() and ip6_redirect().

For FoU and GUE this is not possible as we don't maintain enough state
to be reasonably sure the exception is legitimate.

-- 
Stefano
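
As an added illustration of the point made in this reply (example code written for this archive page, not kernel code and not anything posted in the thread): a toy C model of the ICMPv6 exception dispatch. It assumes a single GUE encap socket on UDP port 6080 (constructed value), lets an IPIP inner handler stand in for an ip6gre_err()-style handler that consumes the error itself and never forwards it, and uses a refusal of UDP/UDP-Lite inner protocols to stand in for the check the posted fix adds. Running it shows that, without the check, the nesting depth grows with the number of UDP-in-GUE layers quoted in the error (so it is bounded only by the ICMP payload size), while with the check the chain stops at the first GUE header; the IPIP case terminates after one hop either way, which is why an ERSPAN or GRE tunnel in the middle cannot restart the loop.

```c
/* Constructed toy model of the exception dispatch path discussed in the
 * thread. NOT kernel code: socket lookup, headers and handlers are all
 * reduced to the minimum needed to show the recursion and its bound. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_IPIP    4
#define IPPROTO_UDP     17
#define IPPROTO_UDPLITE 136

#define UDP_HLEN 8      /* sport, dport, length, checksum */
#define GUE_HLEN 4      /* ver/ctl/hlen byte, proto_ctype byte, flags */
#define GUE_PORT 6080   /* assumed port of the model's single GUE encap socket */

static uint8_t pkt_buf[65536];  /* largest payload an ICMPv6 error could quote */
static int max_depth;           /* deepest nested dispatch seen in one run */

static int dispatch(uint8_t proto, const uint8_t *pkt, size_t len,
                    size_t off, int depth, int guard);

/* Models gue6_err(): read the GUE header at 'off' and hand the exception to
 * the inner protocol's handler. With 'guard' set, UDP/UDP-Lite inner
 * protocols are refused, standing in for the check in the posted fix. */
static int gue_err(const uint8_t *pkt, size_t len, size_t off,
                   int depth, int guard)
{
    if (off + GUE_HLEN > len)
        return -EOPNOTSUPP;
    uint8_t inner = pkt[off + 1];           /* proto_ctype field */
    if (guard && (inner == IPPROTO_UDP || inner == IPPROTO_UDPLITE))
        return -EOPNOTSUPP;
    return dispatch(inner, pkt, len, off + GUE_HLEN, depth + 1, guard);
}

/* Models __udp6_lib_err(): look up the socket from the quoted UDP header.
 * Here any header with dport GUE_PORT resolves to the GUE encap socket,
 * whose encap error handler is gue_err(). */
static int udp_err(const uint8_t *pkt, size_t len, size_t off,
                   int depth, int guard)
{
    if (off + UDP_HLEN > len)
        return -EOPNOTSUPP;
    uint16_t dport = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
    if (dport != GUE_PORT)
        return 0;                           /* plain socket: error delivered, done */
    return gue_err(pkt, len, off + UDP_HLEN, depth, guard);
}

/* Models a tunnel handler such as ip6gre_err(): it uses the error itself
 * (PMTU update, redirect) and never forwards to an inner handler. */
static int tunnel_err(void)
{
    return 0;
}

static int dispatch(uint8_t proto, const uint8_t *pkt, size_t len,
                    size_t off, int depth, int guard)
{
    if (depth > max_depth)
        max_depth = depth;
    switch (proto) {
    case IPPROTO_UDP:
    case IPPROTO_UDPLITE:
        return udp_err(pkt, len, off, depth, guard);
    case IPPROTO_IPIP:
        return tunnel_err();
    default:
        return -EOPNOTSUPP;
    }
}

/* Append one UDP(dport GUE_PORT) + GUE(proto_ctype = inner) layer. */
static size_t put_layer(uint8_t *p, uint8_t inner)
{
    memset(p, 0, UDP_HLEN + GUE_HLEN);
    p[2] = GUE_PORT >> 8;
    p[3] = GUE_PORT & 0xff;
    p[UDP_HLEN + 1] = inner;
    return UDP_HLEN + GUE_HLEN;
}

/* Run one exception through the model: 'layers' UDP-in-GUE layers, then a
 * final GUE layer carrying IPIP. Returns the handler result; *depth gets
 * the deepest nesting reached. Layer count is clamped to the buffer. */
static int run(int layers, int guard, int *depth)
{
    size_t len = 0;
    int max_layers = (int)(sizeof(pkt_buf) / (UDP_HLEN + GUE_HLEN)) - 1;
    if (layers > max_layers)
        layers = max_layers;
    for (int i = 0; i < layers; i++)
        len += put_layer(pkt_buf + len, IPPROTO_UDP);
    len += put_layer(pkt_buf + len, IPPROTO_IPIP);
    max_depth = 0;
    int ret = dispatch(IPPROTO_UDP, pkt_buf, len, 0, 0, guard);
    *depth = max_depth;
    return ret;
}

int depth_for(int layers, int guard) { int d; run(layers, guard, &d); return d; }
int result_for(int layers, int guard) { int d; return run(layers, guard, &d); }

int main(void)
{
    printf("100 UDP-in-GUE layers, no check: depth %d\n", depth_for(100, 0));
    printf("100 UDP-in-GUE layers, with check: depth %d\n", depth_for(100, 1));
    return 0;
}
```

The unguarded run nests one dispatch per quoted layer, so a maximal ICMPv6 payload yields several thousand nested handler frames, which is the stack exhaustion syzbot reported; with the check the first GUE header carrying UDP returns -EOPNOTSUPP and nothing nests.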
