Re: [Bug 217486] New: 'doubel fault' in if_nlmsg_size func by syz-executor fuzz

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: <stephen@networkplumber.org>
Cc: <bugzilla-daemon@kernel.org>, <netdev@vger.kernel.org>,
	<kuniyu@amazon.com>
Subject: Re: [Bug 217486] New: 'doubel fault' in if_nlmsg_size func by syz-executor fuzz
Date: Thu, 25 May 2023 10:56:25 -0700	[thread overview]
Message-ID: <20230525175625.6900-1-kuniyu@amazon.com> (raw)
In-Reply-To: <20230525081558.38ee5cde@hermes.local>

From: Stephen Hemminger <stephen@networkplumber.org>
Date: Thu, 25 May 2023 08:15:58 -0700
> Not much info in this bug report.
> Blaming if_nlmsg_size() is not right, something is passing bogus data.
> 
> 
> On Thu, 25 May 2023 12:40:12 +0000
> bugzilla-daemon@kernel.org wrote:
> 
> > https://bugzilla.kernel.org/show_bug.cgi?id=217486
> > 
> >             Bug ID: 217486
> >            Summary: 'doubel fault' in if_nlmsg_size func by syz-executor
> >                     fuzz
> >            Product: Networking
> >            Version: 2.5
> >           Hardware: All
> >                 OS: Linux
> >             Status: NEW
> >           Severity: normal
> >           Priority: P3
> >          Component: IPV4
> >           Assignee: stephen@networkplumber.org
> >           Reporter: 13151562558@163.com
> >         Regression: No
> > 
> > in syz-executor fuzz test, system panic in "double fault" err.
> > by the kernel log, only get one dump stack info, "if_nlmsg_size+0x4ea/0x7c0".
> > I have vmcore, but don't know how to debug "double fault"? what't first fault ?
> > 
> > if_nlmsg_size+0x4ea/0x7c0 code:
> > ```
> > static noinline size_t if_nlmsg_size(const struct net_device *dev,
> >                                      u32 ext_filter_mask)
> > {
> >         return NLMSG_ALIGN(sizeof(struct ifinfomsg))
> >                + nla_total_size(IFNAMSIZ) /* IFLA_IFNAME */
> >                + nla_total_size(IFALIASZ) /* IFLA_IFALIAS */
> > 
> >                + nla_total_size(4)  /* IFLA_MIN_MTU */
> >                + nla_total_size(4)  /* IFLA_MAX_MTU */
> >                + rtnl_prop_list_size(dev) // this
> > line;if_nlmsg_size+0x4ea/0x7c0
> >                + nla_total_size(MAX_ADDR_LEN) /* IFLA_PERM_ADDRESS */
> >                + 0;
> > }
> > ```
> > 
> > dis the code of dump stack, like this:
> > /include/linux/list.h: 
> >  <if_nlmsg_size+1325>:        mov    %rbp,%rdx
> >  <if_nlmsg_size+1328>:        shr    $0x3,%rdx
> >  <if_nlmsg_size+1332>:        cmpb   $0x0,(%rdx,%rax,1)
> >  <if_nlmsg_size+1336>:        jne    0xffffffff8a5b86a6 <if_nlmsg_size+1766>
> >  <if_nlmsg_size+1342>:        mov    0x10(%r15),%rax
> >  <if_nlmsg_size+1346>:        cmp    %rax,%rbp
> >  <if_nlmsg_size+1349>:        je     0xffffffff8a5b8659 <if_nlmsg_size+1689>
> > 
> > 
> > kernel log:
> > [ 3213.317259] CPU: 1 PID: 1830 Comm: syz-executor.6 Tainted: G      D

I'd salvage a repro candidate in the syzkaller's log like

  HH:MM:SS executing program 6:
  ....

with syz-prog2c.  Even if it does not reproduce the issue,
the syz sequences will give much more hints.


> >  5.10.0 #1
> > [ 3213.317404] RIP: 0010:if_nlmsg_size+0x53e/0x7c0
> > [ 3213.317415] Code: 00 0f 85 2e 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
> > 7b 10 49 8d 6f 10 48 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 a8 01 00 00 <49> 8b 47
> > 10 48 39 c5 0f 84 4e 01 00 00 e8 90 ff 1a f7 48 89 ea 48
> > [ 3213.317420] RSP: 0018:ffff88809f4ca570 EFLAGS: 00010246
> > [ 3213.317428] RAX: dffffc0000000000 RBX: ffff88803767c000 RCX:
> > ffffc90006714000
> > [ 3213.317433] RDX: 1ffff11008037c92 RSI: ffffffff8a5b84aa RDI:
> > ffff88803767c010
> > [ 3213.317439] RBP: ffff8880401be490 R08: 0000000000000cc0 R09:
> > 0000000000000000
> > [ 3213.317445] R10: ffffffff9287d2e7 R11: fffffbfff250fa5c R12:
> > 0000000000000640
> > [ 3213.317450] R13: 0000000000000950 R14: 0000000000000008 R15:
> > ffff8880401be480
> > [ 3213.317454]  ? if_nlmsg_size+0x4ea/0x7c0
> > [ 3213.317457]  </#DF>

     prev parent reply	other threads:[~2023-05-25 17:56 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <bug-217486-100@https.bugzilla.kernel.org/>
2023-05-25 15:15 ` [Bug 217486] New: 'doubel fault' in if_nlmsg_size func by syz-executor fuzz Stephen Hemminger
2023-05-25 17:56   ` Kuniyuki Iwashima [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230525175625.6900-1-kuniyu@amazon.com \
    --to=kuniyu@amazon.com \
    --cc=bugzilla-daemon@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=stephen@networkplumber.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).