From: Sven Schnelle <svens@linux.ibm.com>
To: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: AF_UNIX crash in bind() triggered by strace test
Date: Thu, 20 Jul 2023 13:00:23 +0200 [thread overview]
Message-ID: <yt9dedl2rgoo.fsf@linux.ibm.com> (raw)
Hi,
the following crash was reported in our CI on s390x with
debug_defconfig, which enables FORTIFY_SOURCE:
detected buffer overflow in __fortify_strlen
------------[ cut here ]------------
kernel BUG at lib/string_helpers.c:1031!
monitor event: 0040 ilc:2 [#1] PREEMPT SMP
Modules linked in: [..]
CPU: 0 PID: 243755 Comm: net-accept-conn Not tainted 6.5.0-20230719.rc2.git1.f1311c9e1695.300.fc38.s390x+debug #1
Call Trace:
[<000000003465b7a2>] fortify_panic+0x2a/0x30
([<000000003465b79e>] fortify_panic+0x26/0x30)
[<0000000034a3a77e>] unix_bind_bsd+0x86/0x390
[<00000000348839d0>] __sys_bind+0xe0/0xe8
[<0000000034926270>] __do_compat_sys_socketcall+0x260/0x4d0
[<0000000034be3b66>] __do_syscall+0x1de/0x208
[<0000000034bfaf38>] system_call+0x70/0x98
INFO: lockdep is turned off.
Last Breaking-Event-Address:
[<0000000034774880>] __s390_indirect_jump_r14+0x0/0x10
Kernel panic - not syncing: Fatal exception: panic_on_oops
This is caused by a test case who sends an unterminated sun_path
to the kernel in a bind() system call from the strace test suite.
As a test i made the following quick fix, which "fixed" the issue:
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 123b35ddfd71..c505edd74d8c 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1206,11 +1206,13 @@ static int unix_bind_bsd(struct sock *sk, struct sockaddr_un *sunaddr,
struct unix_address *addr;
struct dentry *dentry;
struct path parent;
- int err;
+ int pathlen, err;
unix_mkname_bsd(sunaddr, addr_len);
- addr_len = strlen(sunaddr->sun_path) +
- offsetof(struct sockaddr_un, sun_path) + 1;
+ pathlen = strnlen(sunaddr->sun_path, UNIX_PATH_MAX);
+ if (pathlen == UNIX_PATH_MAX)
+ return -EINVAL;
+ addr_len = pathlen + offsetof(struct sockaddr_un, sun_path) + 1;
addr = unix_create_addr(sunaddr, addr_len);
if (!addr)
However, unix(7) says "The pathname in sun_path *should* be
null-terminated." So this change might break userspace. I'm not sure
whether we should return -EINVAL, or just truncate the name to
UNIX_PATH_MAX. From a quick read, it looks like connect() would trigger
the same problem. Any thoughts?
next reply other threads:[~2023-07-20 11:00 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-20 11:00 Sven Schnelle [this message]
2023-07-20 11:03 ` AF_UNIX crash in bind() triggered by strace test Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=yt9dedl2rgoo.fsf@linux.ibm.com \
--to=svens@linux.ibm.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox