netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Re: [Bug 217486] New: 'doubel fault' in if_nlmsg_size func by syz-executor fuzz
       [not found] <bug-217486-100@https.bugzilla.kernel.org/>
@ 2023-05-25 15:15 ` Stephen Hemminger
  2023-05-25 17:56   ` Kuniyuki Iwashima
  0 siblings, 1 reply; 2+ messages in thread
From: Stephen Hemminger @ 2023-05-25 15:15 UTC (permalink / raw)
  To: netdev; +Cc: bugzilla-daemon

Not much info in this bug report.
Blaming if_nlmsg_size() is not right, something is passing bogus data.


On Thu, 25 May 2023 12:40:12 +0000
bugzilla-daemon@kernel.org wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=217486
> 
>             Bug ID: 217486
>            Summary: 'doubel fault' in if_nlmsg_size func by syz-executor
>                     fuzz
>            Product: Networking
>            Version: 2.5
>           Hardware: All
>                 OS: Linux
>             Status: NEW
>           Severity: normal
>           Priority: P3
>          Component: IPV4
>           Assignee: stephen@networkplumber.org
>           Reporter: 13151562558@163.com
>         Regression: No
> 
> in syz-executor fuzz test, system panic in "double fault" err.
> by the kernel log, only get one dump stack info, "if_nlmsg_size+0x4ea/0x7c0".
> I have vmcore, but don't know how to debug "double fault"? what't first fault ?
> 
> if_nlmsg_size+0x4ea/0x7c0 code:
> ```
> static noinline size_t if_nlmsg_size(const struct net_device *dev,
>                                      u32 ext_filter_mask)
> {
>         return NLMSG_ALIGN(sizeof(struct ifinfomsg))
>                + nla_total_size(IFNAMSIZ) /* IFLA_IFNAME */
>                + nla_total_size(IFALIASZ) /* IFLA_IFALIAS */
> 
>                + nla_total_size(4)  /* IFLA_MIN_MTU */
>                + nla_total_size(4)  /* IFLA_MAX_MTU */
>                + rtnl_prop_list_size(dev) // this
> line;if_nlmsg_size+0x4ea/0x7c0
>                + nla_total_size(MAX_ADDR_LEN) /* IFLA_PERM_ADDRESS */
>                + 0;
> }
> ```
> 
> dis the code of dump stack, like this:
> /include/linux/list.h: 
>  <if_nlmsg_size+1325>:        mov    %rbp,%rdx
>  <if_nlmsg_size+1328>:        shr    $0x3,%rdx
>  <if_nlmsg_size+1332>:        cmpb   $0x0,(%rdx,%rax,1)
>  <if_nlmsg_size+1336>:        jne    0xffffffff8a5b86a6 <if_nlmsg_size+1766>
>  <if_nlmsg_size+1342>:        mov    0x10(%r15),%rax
>  <if_nlmsg_size+1346>:        cmp    %rax,%rbp
>  <if_nlmsg_size+1349>:        je     0xffffffff8a5b8659 <if_nlmsg_size+1689>
> 
> 
> kernel log:
> [ 3213.317259] CPU: 1 PID: 1830 Comm: syz-executor.6 Tainted: G      D         
>  5.10.0 #1
> [ 3213.317404] RIP: 0010:if_nlmsg_size+0x53e/0x7c0
> [ 3213.317415] Code: 00 0f 85 2e 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
> 7b 10 49 8d 6f 10 48 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 a8 01 00 00 <49> 8b 47
> 10 48 39 c5 0f 84 4e 01 00 00 e8 90 ff 1a f7 48 89 ea 48
> [ 3213.317420] RSP: 0018:ffff88809f4ca570 EFLAGS: 00010246
> [ 3213.317428] RAX: dffffc0000000000 RBX: ffff88803767c000 RCX:
> ffffc90006714000
> [ 3213.317433] RDX: 1ffff11008037c92 RSI: ffffffff8a5b84aa RDI:
> ffff88803767c010
> [ 3213.317439] RBP: ffff8880401be490 R08: 0000000000000cc0 R09:
> 0000000000000000
> [ 3213.317445] R10: ffffffff9287d2e7 R11: fffffbfff250fa5c R12:
> 0000000000000640
> [ 3213.317450] R13: 0000000000000950 R14: 0000000000000008 R15:
> ffff8880401be480
> [ 3213.317454]  ? if_nlmsg_size+0x4ea/0x7c0
> [ 3213.317457]  </#DF>
> 


^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: [Bug 217486] New: 'doubel fault' in if_nlmsg_size func by syz-executor fuzz
  2023-05-25 15:15 ` [Bug 217486] New: 'doubel fault' in if_nlmsg_size func by syz-executor fuzz Stephen Hemminger
@ 2023-05-25 17:56   ` Kuniyuki Iwashima
  0 siblings, 0 replies; 2+ messages in thread
From: Kuniyuki Iwashima @ 2023-05-25 17:56 UTC (permalink / raw)
  To: stephen; +Cc: bugzilla-daemon, netdev, kuniyu

From: Stephen Hemminger <stephen@networkplumber.org>
Date: Thu, 25 May 2023 08:15:58 -0700
> Not much info in this bug report.
> Blaming if_nlmsg_size() is not right, something is passing bogus data.
> 
> 
> On Thu, 25 May 2023 12:40:12 +0000
> bugzilla-daemon@kernel.org wrote:
> 
> > https://bugzilla.kernel.org/show_bug.cgi?id=217486
> > 
> >             Bug ID: 217486
> >            Summary: 'doubel fault' in if_nlmsg_size func by syz-executor
> >                     fuzz
> >            Product: Networking
> >            Version: 2.5
> >           Hardware: All
> >                 OS: Linux
> >             Status: NEW
> >           Severity: normal
> >           Priority: P3
> >          Component: IPV4
> >           Assignee: stephen@networkplumber.org
> >           Reporter: 13151562558@163.com
> >         Regression: No
> > 
> > in syz-executor fuzz test, system panic in "double fault" err.
> > by the kernel log, only get one dump stack info, "if_nlmsg_size+0x4ea/0x7c0".
> > I have vmcore, but don't know how to debug "double fault"? what't first fault ?
> > 
> > if_nlmsg_size+0x4ea/0x7c0 code:
> > ```
> > static noinline size_t if_nlmsg_size(const struct net_device *dev,
> >                                      u32 ext_filter_mask)
> > {
> >         return NLMSG_ALIGN(sizeof(struct ifinfomsg))
> >                + nla_total_size(IFNAMSIZ) /* IFLA_IFNAME */
> >                + nla_total_size(IFALIASZ) /* IFLA_IFALIAS */
> > 
> >                + nla_total_size(4)  /* IFLA_MIN_MTU */
> >                + nla_total_size(4)  /* IFLA_MAX_MTU */
> >                + rtnl_prop_list_size(dev) // this
> > line;if_nlmsg_size+0x4ea/0x7c0
> >                + nla_total_size(MAX_ADDR_LEN) /* IFLA_PERM_ADDRESS */
> >                + 0;
> > }
> > ```
> > 
> > dis the code of dump stack, like this:
> > /include/linux/list.h: 
> >  <if_nlmsg_size+1325>:        mov    %rbp,%rdx
> >  <if_nlmsg_size+1328>:        shr    $0x3,%rdx
> >  <if_nlmsg_size+1332>:        cmpb   $0x0,(%rdx,%rax,1)
> >  <if_nlmsg_size+1336>:        jne    0xffffffff8a5b86a6 <if_nlmsg_size+1766>
> >  <if_nlmsg_size+1342>:        mov    0x10(%r15),%rax
> >  <if_nlmsg_size+1346>:        cmp    %rax,%rbp
> >  <if_nlmsg_size+1349>:        je     0xffffffff8a5b8659 <if_nlmsg_size+1689>
> > 
> > 
> > kernel log:
> > [ 3213.317259] CPU: 1 PID: 1830 Comm: syz-executor.6 Tainted: G      D

I'd salvage a repro candidate in the syzkaller's log like

  HH:MM:SS executing program 6:
  ....

with syz-prog2c.  Even if it does not reproduce the issue,
the syz sequences will give much more hints.


> >  5.10.0 #1
> > [ 3213.317404] RIP: 0010:if_nlmsg_size+0x53e/0x7c0
> > [ 3213.317415] Code: 00 0f 85 2e 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
> > 7b 10 49 8d 6f 10 48 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 a8 01 00 00 <49> 8b 47
> > 10 48 39 c5 0f 84 4e 01 00 00 e8 90 ff 1a f7 48 89 ea 48
> > [ 3213.317420] RSP: 0018:ffff88809f4ca570 EFLAGS: 00010246
> > [ 3213.317428] RAX: dffffc0000000000 RBX: ffff88803767c000 RCX:
> > ffffc90006714000
> > [ 3213.317433] RDX: 1ffff11008037c92 RSI: ffffffff8a5b84aa RDI:
> > ffff88803767c010
> > [ 3213.317439] RBP: ffff8880401be490 R08: 0000000000000cc0 R09:
> > 0000000000000000
> > [ 3213.317445] R10: ffffffff9287d2e7 R11: fffffbfff250fa5c R12:
> > 0000000000000640
> > [ 3213.317450] R13: 0000000000000950 R14: 0000000000000008 R15:
> > ffff8880401be480
> > [ 3213.317454]  ? if_nlmsg_size+0x4ea/0x7c0
> > [ 3213.317457]  </#DF>


^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-05-25 17:56 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <bug-217486-100@https.bugzilla.kernel.org/>
2023-05-25 15:15 ` [Bug 217486] New: 'doubel fault' in if_nlmsg_size func by syz-executor fuzz Stephen Hemminger
2023-05-25 17:56   ` Kuniyuki Iwashima

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).