From: Dmitry Vyukov <dvyukov@google.com>
To: Hangbin Liu <liuhangbin@gmail.com>
Cc: syzkaller <syzkaller@googlegroups.com>,
Paolo Abeni <pabeni@redhat.com>,
Marcelo Ricardo Leitner <mleitner@redhat.com>,
netdev <netdev@vger.kernel.org>
Subject: Re: general protection fault in qdisc_hash_add
Date: Fri, 18 May 2018 11:14:07 +0200
Message-ID: <CACT4Y+a=R1G=iN2vuv1hkf9JAw3jSjp6fXd6DHrR8tPn4KFgYQ@mail.gmail.com>
In-Reply-To: <20180518083820.GM8958@leo.usersys.redhat.com>
On Fri, May 18, 2018 at 10:38 AM, Hangbin Liu <liuhangbin@gmail.com> wrote:
> Hi Dmitry,
>
> I got a KASAN GPF error when running the netlink sched test. The syzkaller log file
> and call trace are attached.
>
> What interested me is the TCA_RED_PARMS. Here is the log
>
> r0 = socket$nl_route(0x10, 0x3, 0x0)
> ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000740)={'lo\x00', <r1=>0x0})
> sendmsg$nl_route_sched(r0, &(0x7f00000000c0)={&(0x7f0000000000)={0x10}, 0xc, &(0x7f0000000180)={&(0x7f00000002c0)=@newqdisc={0x148, 0x24, 0x421, 0x0, 0x0, {0x0, r1, {}, {0x0, 0xffff}}, [@qdisc_kind_options=@q_red={{0x8, 0x1, 'red\x00'}, {0x11c, 0x2, [@TCA_RED_PARMS={0x14, 0x1, {0x0, 0x0, 0x0, 0x1f}}, @TCA_RED_STAB={0x104, 0x2, "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"}]}}]}, 0x148}, 0x1}, 0x0)
>
>
> From the log, it calls sendmsg with TCA_RED_PARMS={0x14, 0x1, {0x0, 0x0, 0x0, 0x1f}}.
> But we defined tc_red_qopt like
> tc_red_qopt {
> limit int32
> qth_min int32
> qth_max int32
> Wlog int8[0:32]
> Plog int8[0:32]
> Scell_log int8[0:32]
> flag int8[0:8]
> }
>
> The items in the struct seem to mismatch. Would you help explain how
> syzkaller fuzzes the struct?
The TCA_RED_PARMS union option is defined as:
q_red_options [
TCA_RED_PARMS nlattr[TCA_RED_PARMS, tc_red_qopt]
...
] [varlen]
and nlattr is defined as:
type nlattr[TYPE, PAYLOAD] nlattr_t[const[TYPE, int16], PAYLOAD]
type nlattr_t[TYPE, PAYLOAD] {
nla_len len[parent, int16]
nla_type TYPE
payload PAYLOAD
} [packed, align_4]
So here:
@TCA_RED_PARMS={0x14, 0x1, {0x0, 0x0, 0x0, 0x1f}}
the first 2 numbers are the nlattr len and type, and then the inner struct is
tc_red_qopt with its trailing zero values truncated.
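As an added illustration (not part of the thread, and not syzkaller's own code), the following Python script packs and unpacks a TCA_RED_PARMS attribute exactly as the nlattr_t/tc_red_qopt description above lays it out, and expands the abbreviated syzkaller log tuple back into bytes. It assumes a little-endian host and the UAPI layout of struct tc_red_qopt (three __u32 followed by four unsigned char); the function and constant names are chosen here, not taken from syzkaller or the kernel.

```python
import struct

# struct tc_red_qopt from include/uapi/linux/pkt_sched.h:
#   __u32 limit, qth_min, qth_max; unsigned char Wlog, Plog, Scell_log, flags;
# Little-endian host assumed.
TC_RED_QOPT = struct.Struct("<IIIBBBB")          # 16 bytes
NLA_HDR = struct.Struct("<HH")                   # nla_len, nla_type (4 bytes)
TCA_RED_PARMS = 1                                # attribute type from the log
QOPT_FIELDS = ("limit", "qth_min", "qth_max", "Wlog", "Plog", "Scell_log", "flags")


def encode_tc_red_parms(limit, qth_min, qth_max, Wlog, Plog=0, Scell_log=0, flags=0):
    """Build nlattr_t[TCA_RED_PARMS, tc_red_qopt] as described above."""
    payload = TC_RED_QOPT.pack(limit, qth_min, qth_max, Wlog, Plog, Scell_log, flags)
    # nla_len is len[parent]: it covers the 4-byte header plus the payload.
    nla_len = NLA_HDR.size + len(payload)
    attr = NLA_HDR.pack(nla_len, TCA_RED_PARMS) + payload
    # align_4: pad to the next 4-byte boundary (a no-op for 20 bytes).
    return attr + b"\0" * (-len(attr) % 4)


def decode_tc_red_parms(data):
    """Parse the attribute the way a careful netlink consumer should:
    check the type and make sure the payload is long enough before
    reading a full struct tc_red_qopt out of it."""
    if len(data) < NLA_HDR.size:
        raise ValueError("attribute shorter than nlattr header")
    nla_len, nla_type = NLA_HDR.unpack_from(data, 0)
    if nla_type != TCA_RED_PARMS:
        raise ValueError("unexpected nla_type %d" % nla_type)
    if nla_len > len(data):
        raise ValueError("nla_len %d exceeds buffer" % nla_len)
    if nla_len - NLA_HDR.size < TC_RED_QOPT.size:
        raise ValueError("payload too short for tc_red_qopt")
    fields = dict(zip(QOPT_FIELDS, TC_RED_QOPT.unpack_from(data, NLA_HDR.size)))
    fields["nla_len"] = nla_len
    return fields


def from_syzkaller_log(nla_len, nla_type, fields):
    """Expand an abbreviated log tuple such as {0x14, 0x1, {0x0, 0x0, 0x0, 0x1f}}.
    syzkaller omits trailing zero-valued struct fields, so pad them back out
    to the seven fields of tc_red_qopt before packing."""
    if nla_type != TCA_RED_PARMS:
        raise ValueError("not a TCA_RED_PARMS tuple")
    if len(fields) > len(QOPT_FIELDS):
        raise ValueError("too many fields for tc_red_qopt")
    full = list(fields) + [0] * (len(QOPT_FIELDS) - len(fields))
    attr = encode_tc_red_parms(*full)
    # Sanity check: the logged length must match what the description produces.
    if NLA_HDR.unpack_from(attr, 0)[0] != nla_len:
        raise ValueError("logged nla_len 0x%x does not match 0x%x" % (nla_len, len(attr)))
    return attr


if __name__ == "__main__":
    # The tuple quoted from the syzkaller log in this thread.
    raw = from_syzkaller_log(0x14, 0x1, (0x0, 0x0, 0x0, 0x1f))
    print(raw.hex())
    print(decode_tc_red_parms(raw))
```

Running it shows why 0x14 is the right length: 4 bytes of header plus 16 bytes of tc_red_qopt, with Wlog=0x1f in the fourth field and the remaining three bytes zero, which is exactly what the shortened log tuple stands for.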