From: Dmitry Vyukov <dvyukov@google.com>
To: Neil Horman <nhorman@tuxdriver.com>
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
	syzbot <syzbot+b2bf2652983d23734c5c@syzkaller.appspotmail.com>,
	David Miller <davem@davemloft.net>,
	Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
	LKML <linux-kernel@vger.kernel.org>,
	linux-sctp@vger.kernel.org, Xin Long <lucien.xin@gmail.com>,
	mvohra@vmware.com, netdev <netdev@vger.kernel.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	William Tu <u9012063@gmail.com>,
	Vladislav Yasevich <vyasevich@gmail.com>,
	websitedesignservices4u@gmail.com,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Subject: Re: kernel BUG at net/core/skbuff.c:LINE! (3)
Date: Wed, 4 Dec 2019 09:52:13 +0100
Message-ID: <CACT4Y+aRwLG2nHfzmeN=KMY6f+ihj-c73v-pdznjgz0eDDQOZg@mail.gmail.com>
In-Reply-To: <20191203115616.GA4707@hmswarspite.think-freely.org>

On Tue, Dec 3, 2019 at 12:56 PM Neil Horman <nhorman@tuxdriver.com> wrote:
>
> On Tue, Dec 03, 2019 at 09:42:14AM +0100, Dmitry Vyukov wrote:
> > On Mon, Dec 2, 2019 at 7:39 PM Marcelo Ricardo Leitner
> > <marcelo.leitner@gmail.com> wrote:
> > >
> > > On Sat, Nov 30, 2019 at 04:37:56PM +0100, Dmitry Vyukov wrote:
> > > > On Sat, Nov 30, 2019 at 3:50 PM syzbot
> > > > <syzbot+b2bf2652983d23734c5c@syzkaller.appspotmail.com> wrote:
> > > > >
> > > > > syzbot has bisected this bug to:
> > > > >
> > > > > commit 84e54fe0a5eaed696dee4019c396f8396f5a908b
> > > > > Author: William Tu <u9012063@gmail.com>
> > > > > Date:   Tue Aug 22 16:40:28 2017 +0000
> > > > >
> > > > >      gre: introduce native tunnel support for ERSPAN
> > > > >
> > > > > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=158a2f86e00000
> > > > > start commit:   f9f1e414 Merge tag 'for-linus-4.16-rc1-tag' of git://git.k..
> > > > > git tree:       upstream
> > > > > final crash:    https://syzkaller.appspot.com/x/report.txt?x=178a2f86e00000
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=138a2f86e00000
> > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=34a80ee1ac29767b
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=b2bf2652983d23734c5c
> > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=147bfebd800000
> > > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13d8d543800000
> > > > >
> > > > > Reported-by: syzbot+b2bf2652983d23734c5c@syzkaller.appspotmail.com
> > > > > Fixes: 84e54fe0a5ea ("gre: introduce native tunnel support for ERSPAN")
> > > > >
> > > > > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> > > >
> > > > Humm... the repro contains syz_emit_ethernet, wonder if it's
> > > > remote-triggerable...
> > >
> > > The call trace is still from the tx path. Packet never left the system
> > > in this case.
> >
> > My understanding is that this does not necessarily mean that the
> > remote side is not involved. There is enough state on the host for L4
> > protocols, so that the remote side can mess things and then the bad
> > thing will happen with local trigger. But that local trigger can be
> > just anything trivial that everybody does.
> >
> But that's not really helpful.  Unless you see an explicit path from the receive
> side to ip6_append_data, there's no real way for a received packet to reach this
> code, so we can't really call it remotely triggerable.
>
> My guess is, since this is coming from the rawv6_sendmsg path, that the raw
> protocol is somehow not marshaling its data in a way that ip6_append_data
> expects.

If it's in the local send path and does not use any remotely
controllable data, then this should be a good enough estimation of not
being a remote attack vector.
