* [syzbot] UBSAN: shift-out-of-bounds in tcf_pedit_init
@ 2022-05-12 21:18 syzbot
  2022-05-12 21:19 ` Eric Dumazet
  2022-05-13  1:13 ` syzbot
  0 siblings, 2 replies; 6+ messages in thread
From: syzbot @ 2022-05-12 21:18 UTC (permalink / raw)
  To: davem, edumazet, jhs, jiri, kuba, linux-kernel, netdev, pabeni,
	syzkaller-bugs, xiyou.wangcong

Hello,

syzbot found the following issue on:

HEAD commit:    810c2f0a3f86 mlxsw: Avoid warning during ip6gre device rem..
git tree:       net
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1448a599f00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=331feb185f8828e0
dashboard link: https://syzkaller.appspot.com/bug?extid=8ed8fc4c57e9dcf23ca6
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=104e9749f00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15f913b9f00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8ed8fc4c57e9dcf23ca6@syzkaller.appspotmail.com

netlink: 28 bytes leftover after parsing attributes in process `syz-executor151'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor151'.
================================================================================
UBSAN: shift-out-of-bounds in net/sched/act_pedit.c:238:43
shift exponent 1400735974 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 3606 Comm: syz-executor151 Not tainted 5.18.0-rc5-syzkaller-00165-g810c2f0a3f86 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 ubsan_epilogue+0xb/0x50 lib/ubsan.c:151
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x187 lib/ubsan.c:322
 tcf_pedit_init.cold+0x1a/0x1f net/sched/act_pedit.c:238
 tcf_action_init_1+0x414/0x690 net/sched/act_api.c:1367
 tcf_action_init+0x530/0x8d0 net/sched/act_api.c:1432
 tcf_action_add+0xf9/0x480 net/sched/act_api.c:1956
 tc_ctl_action+0x346/0x470 net/sched/act_api.c:2015
 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5993
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:725
 ____sys_sendmsg+0x6e2/0x800 net/socket.c:2413
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2496
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fe36e9e1b59
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffef796fe88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe36e9e1b59
RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
RBP: 00007fe36e9a5d00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe36e9a5d90
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
================================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


* Re: [syzbot] UBSAN: shift-out-of-bounds in tcf_pedit_init
  2022-05-12 21:18 [syzbot] UBSAN: shift-out-of-bounds in tcf_pedit_init syzbot
@ 2022-05-12 21:19 ` Eric Dumazet
  2022-05-12 22:51   ` Jakub Kicinski
  2022-05-13  1:13 ` syzbot
  1 sibling, 1 reply; 6+ messages in thread
From: Eric Dumazet @ 2022-05-12 21:19 UTC (permalink / raw)
  To: syzbot
  Cc: David Miller, Jamal Hadi Salim, Jiri Pirko, Jakub Kicinski, LKML,
	netdev, Paolo Abeni, syzkaller-bugs, Cong Wang

On Thu, May 12, 2022 at 2:18 PM syzbot
<syzbot+8ed8fc4c57e9dcf23ca6@syzkaller.appspotmail.com> wrote:

As mentioned earlier, this came with

commit 8b796475fd7882663a870456466a4fb315cc1bd6
Author: Paolo Abeni <pabeni@redhat.com>
Date:   Tue May 10 16:57:34 2022 +0200

    net/sched: act_pedit: really ensure the skb is writable


* Re: [syzbot] UBSAN: shift-out-of-bounds in tcf_pedit_init
  2022-05-12 21:19 ` Eric Dumazet
@ 2022-05-12 22:51   ` Jakub Kicinski
  2022-05-12 23:53     ` Eric Dumazet
  0 siblings, 1 reply; 6+ messages in thread
From: Jakub Kicinski @ 2022-05-12 22:51 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: syzbot, David Miller, Jamal Hadi Salim, Jiri Pirko, LKML, netdev,
	Paolo Abeni, syzkaller-bugs, Cong Wang

On Thu, 12 May 2022 14:19:51 -0700 Eric Dumazet wrote:
> On Thu, May 12, 2022 at 2:18 PM syzbot
> 
> As mentioned earlier, this came with
> 
> commit 8b796475fd7882663a870456466a4fb315cc1bd6
> Author: Paolo Abeni <pabeni@redhat.com>
> Date:   Tue May 10 16:57:34 2022 +0200
> 
>     net/sched: act_pedit: really ensure the skb is writable

Came in as a new stack trace for an old/existing bug, right?
Nothing checks the shift so it'd have already tripped UBSAN
later on in tcf_pedit_act(), anyway.

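The point in the exchange above is that a shift amount taken straight from a netlink attribute reaches a 32-bit shift with no range check, which is what UBSAN reported (exponent 1400735974 on an 'unsigned int'). The following added example is not code from this thread, from net/sched/act_pedit.c or from Paolo's patch; it is a user-space model of the validation a control-path init function should perform: reject any shift exponent that is not strictly below the operand width before the key is stored, so the data path only ever shifts by a valid count. The names (model_key, model_parm, model_parm_validate, model_max_offset, model_init), the offset-hint computation and the sample inputs are all constructed for illustration.

```c
/* Added example: validating an untrusted shift exponent before it is used.
 * Everything here is a constructed model, not the kernel's act_pedit code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_NKEYS_MAX  8
#define MODEL_SHIFT_BITS 32   /* width of the type being shifted (unsigned int) */

/* Constructed stand-in for a pedit-style key as received from netlink:
 * every field is caller-controlled until validated. */
struct model_key {
    uint32_t off;      /* byte offset into the packet */
    uint32_t offmask;  /* mask applied to the single byte read for the offset */
    uint32_t shift;    /* shift applied to that masked byte */
};

struct model_parm {
    uint32_t nkeys;
    struct model_key keys[MODEL_NKEYS_MAX];
};

/* Control-path validation. A shift count >= the operand width is undefined
 * behaviour in C (the condition UBSAN flagged), and on x86 the hardware
 * silently masks the count, so the result is not what the caller meant
 * either. Rejecting it here keeps the data path free of the check. */
int model_parm_validate(const struct model_parm *p)
{
    if (p->nkeys > MODEL_NKEYS_MAX)
        return -EINVAL;
    for (uint32_t i = 0; i < p->nkeys; i++) {
        if (p->keys[i].shift >= MODEL_SHIFT_BITS)
            return -EINVAL;
    }
    return 0;
}

/* Furthest byte any key may touch, so the packet can be made writable up to
 * that point. Only meaningful after validation: the shift below is the
 * operation that the report shows running with an unchecked exponent.
 * Returns -1 if the offset does not fit the 31-bit range we allow. */
int64_t model_max_offset(const struct model_parm *p)
{
    uint64_t max = 0;
    for (uint32_t i = 0; i < p->nkeys; i++) {
        const struct model_key *k = &p->keys[i];
        /* The offset byte is a single octet, so its masked value is <= 0xff. */
        uint64_t cur = (uint64_t)k->off + ((0xffu & k->offmask) >> k->shift);
        if (cur > max)
            max = cur;
    }
    return max > INT32_MAX ? -1 : (int64_t)max;
}

/* What an init function should do: validate first, compute second.
 * Returns -EINVAL for rejected input, otherwise the offset hint. */
int64_t model_init(const struct model_parm *p)
{
    int err = model_parm_validate(p);
    if (err)
        return err;
    return model_max_offset(p);
}

int main(void)
{
    /* Constructed inputs: the first carries the exponent from the report. */
    struct model_parm bad  = { .nkeys = 1,
        .keys = { { .off = 4, .offmask = 0xff, .shift = 1400735974u } } };
    struct model_parm good = { .nkeys = 1,
        .keys = { { .off = 4, .offmask = 0xff, .shift = 4 } } };

    printf("bad:  %lld\n", (long long)model_init(&bad));   /* -22 (-EINVAL) */
    printf("good: %lld\n", (long long)model_init(&good));  /* 4 + (0xff >> 4) = 19 */
    return 0;
}
```

The check sits in the init path rather than the per-packet path on purpose: an attribute is parsed once but applied on every packet, so rejecting the malformed key at configuration time is both cheaper and the point at which an error can still be returned to the caller.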

* Re: [syzbot] UBSAN: shift-out-of-bounds in tcf_pedit_init
  2022-05-12 22:51   ` Jakub Kicinski
@ 2022-05-12 23:53     ` Eric Dumazet
  2022-05-13  9:36       ` Paolo Abeni
  0 siblings, 1 reply; 6+ messages in thread
From: Eric Dumazet @ 2022-05-12 23:53 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: syzbot, David Miller, Jamal Hadi Salim, Jiri Pirko, LKML, netdev,
	Paolo Abeni, syzkaller-bugs, Cong Wang

On Thu, May 12, 2022 at 3:51 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Thu, 12 May 2022 14:19:51 -0700 Eric Dumazet wrote:
> > On Thu, May 12, 2022 at 2:18 PM syzbot
> >
> > As mentioned earlier, this came with
> >
> > commit 8b796475fd7882663a870456466a4fb315cc1bd6
> > Author: Paolo Abeni <pabeni@redhat.com>
> > Date:   Tue May 10 16:57:34 2022 +0200
> >
> >     net/sched: act_pedit: really ensure the skb is writable
>
> Came in as in new stack trace for an old/existing bug, right?
> Nothing checks the shift so it'd have already tripped UBSAN
> later on in tcf_pedit_act(), anyway.

Maybe a prior syzbot was reported, and nobody cared.

Or maybe syzbot got its way into this path only recently.


* Re: [syzbot] UBSAN: shift-out-of-bounds in tcf_pedit_init
  2022-05-12 21:18 [syzbot] UBSAN: shift-out-of-bounds in tcf_pedit_init syzbot
  2022-05-12 21:19 ` Eric Dumazet
@ 2022-05-13  1:13 ` syzbot
  1 sibling, 0 replies; 6+ messages in thread
From: syzbot @ 2022-05-13  1:13 UTC (permalink / raw)
  To: davem, edumazet, geliang.tang, jhs, jiri, kuba, linux-kernel,
	mathew.j.martineau, netdev, pabeni, syzkaller-bugs,
	xiyou.wangcong

syzbot has bisected this issue to:

commit 8b796475fd7882663a870456466a4fb315cc1bd6
Author: Paolo Abeni <pabeni@redhat.com>
Date:   Tue May 10 14:57:34 2022 +0000

    net/sched: act_pedit: really ensure the skb is writable

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=158d3969f00000
start commit:   810c2f0a3f86 mlxsw: Avoid warning during ip6gre device rem..
git tree:       net
final oops:     https://syzkaller.appspot.com/x/report.txt?x=178d3969f00000
console output: https://syzkaller.appspot.com/x/log.txt?x=138d3969f00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=331feb185f8828e0
dashboard link: https://syzkaller.appspot.com/bug?extid=8ed8fc4c57e9dcf23ca6
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=104e9749f00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15f913b9f00000

Reported-by: syzbot+8ed8fc4c57e9dcf23ca6@syzkaller.appspotmail.com
Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* Re: [syzbot] UBSAN: shift-out-of-bounds in tcf_pedit_init
  2022-05-12 23:53     ` Eric Dumazet
@ 2022-05-13  9:36       ` Paolo Abeni
  0 siblings, 0 replies; 6+ messages in thread
From: Paolo Abeni @ 2022-05-13  9:36 UTC (permalink / raw)
  To: Eric Dumazet, Jakub Kicinski
  Cc: syzbot, David Miller, Jamal Hadi Salim, Jiri Pirko, LKML, netdev,
	syzkaller-bugs, Cong Wang

On Thu, 2022-05-12 at 16:53 -0700, Eric Dumazet wrote:
> On Thu, May 12, 2022 at 3:51 PM Jakub Kicinski <kuba@kernel.org> wrote:
> > 
> > On Thu, 12 May 2022 14:19:51 -0700 Eric Dumazet wrote:
> > > On Thu, May 12, 2022 at 2:18 PM syzbot
> > > 
> > > As mentioned earlier, this came with
> > > 
> > > commit 8b796475fd7882663a870456466a4fb315cc1bd6
> > > Author: Paolo Abeni <pabeni@redhat.com>
> > > Date:   Tue May 10 16:57:34 2022 +0200
> > > 
> > >     net/sched: act_pedit: really ensure the skb is writable
> > 
> > Came in as in new stack trace for an old/existing bug, right?
> > Nothing checks the shift so it'd have already tripped UBSAN
> > later on in tcf_pedit_act(), anyway.
> 
> Maybe a prior syzbot was reported, and nobody cared.
> 
> Or maybe syzbot got its way into this path only recently.

I'm reasonably sure the issue predates the bisected commit. Possibly
syzbot was unable to catch it before such commit because it is much harder
to achieve complete coverage of the data path, I think.

I've sent a patch, thanks for the report.

Paolo


