From: Dmitry Vyukov <dvyukov@google.com>
To: Vlad Yasevich <vyasevich@gmail.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	"David S. Miller" <davem@davemloft.net>,
	linux-sctp@vger.kernel.org, netdev <netdev@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>
Cc: syzkaller <syzkaller@googlegroups.com>,
	Kostya Serebryany <kcc@google.com>,
	Alexander Potapenko <glider@google.com>,
	Sasha Levin <sasha.levin@oracle.com>,
	Eric Dumazet <edumazet@google.com>
Subject: user-controllable kmalloc size in sctp_getsockopt_local_addrs
Date: Sat, 28 Nov 2015 13:40:08 +0100	[thread overview]
Message-ID: <CACT4Y+a_V5WQZNEnYkuA3Xc5qCWmLV3oScNeNiATZm-wW5eg3Q@mail.gmail.com> (raw)

Hello,

The following program triggers WARNING in kmalloc:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/socket.h>
#include <linux/in.h>

#define SOL_SCTP        132
#define SCTP_GET_LOCAL_ADDRS    109

int main()
{
        /* Plain SCTP socket; the getsockopt handler is reachable without bind/connect. */
        int fd = socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP);
        char buf[256];
        /* optlen far larger than buf: the handler uses it to size its kmalloc. */
        socklen_t len = 0x04000000;
        getsockopt(fd, SOL_SCTP, SCTP_GET_LOCAL_ADDRS, &buf, &len);
        return 0;
}



------------[ cut here ]------------
WARNING: CPU: 0 PID: 6006 at mm/page_alloc.c:2989 __alloc_pages_nodemask+0x695/0x14e0()
Modules linked in:
CPU: 0 PID: 6006 Comm: executor Not tainted 4.4.0-rc2+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff880033887720 ffffffff82719fc6 0000000000000000
 ffff8800338c2d80 ffffffff85a62a20 ffff880033887760 ffffffff81244ec9
 ffffffff8154e3e5 ffffffff85a62a20 0000000000000bad 0000000000000000
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82719fc6>] dump_stack+0x68/0x92 lib/dump_stack.c:50
 [<ffffffff81244ec9>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:460
 [<ffffffff812450f9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:493
 [<     inline     >] __alloc_pages_slowpath mm/page_alloc.c:2989
 [<ffffffff8154e3e5>] __alloc_pages_nodemask+0x695/0x14e0 mm/page_alloc.c:3235
 [<ffffffff8160ceee>] alloc_pages_current+0xee/0x340 mm/mempolicy.c:2055
 [<     inline     >] alloc_pages include/linux/gfp.h:451
 [<ffffffff81549c56>] alloc_kmem_pages+0x16/0xf0 mm/page_alloc.c:3414
 [<ffffffff81595e79>] kmalloc_order+0x19/0x60 mm/slab_common.c:1007
 [<ffffffff81595edf>] kmalloc_order_trace+0x1f/0xa0 mm/slab_common.c:1018
 [<     inline     >] kmalloc_large include/linux/slab.h:390
 [<ffffffff8161bd74>] __kmalloc+0x234/0x250 mm/slub.c:3525
 [<     inline     >] kmalloc include/linux/slab.h:463
 [<     inline     >] sctp_getsockopt_local_addrs net/sctp/socket.c:4931
 [<ffffffff854d9730>] sctp_getsockopt+0x11b0/0x3e00 net/sctp/socket.c:6007
 [<ffffffff84913ad5>] sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2604
 [<     inline     >] SYSC_getsockopt net/socket.c:1788
 [<ffffffff84911282>] SyS_getsockopt+0x142/0x230 net/socket.c:1770
 [<ffffffff859551f6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
---[ end trace 42716df2ed49f73e ]---


On commit 78c4a49a69e910a162b05e4e8727b9bdbf948f13 (Nov 25).
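The defensive point behind the report, shown as an added user-space model (not kernel code and not the SCTP maintainers' fix): a getsockopt handler must not hand the caller's optlen straight to the allocator. The sizes, struct layout and cap below are assumed stand-ins for the kernel's values.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed stand-ins: the real header is struct sctp_getaddrs, the real
 * allocator limit is KMALLOC_MAX_SIZE and the real address size is
 * sizeof(struct sockaddr_storage). */
struct getaddrs_hdr { int32_t assoc_id; uint32_t addr_num; };
#define ADDR_SIZE         128u
#define ALLOC_CAP         (1u << 22)   /* 4 MiB, chosen for the model */

/* What the reported code effectively does: trust optlen as the kmalloc size.
 * Returns the size that would be requested from the allocator. */
size_t naive_alloc_size(size_t user_optlen)
{
        if (user_optlen < sizeof(struct getaddrs_hdr))
                return 0;
        return user_optlen - sizeof(struct getaddrs_hdr);
}

/* Hardened variant: size the scratch buffer from what the kernel actually
 * holds (bound_addrs local addresses), never from the caller's number alone,
 * and refuse anything above the allocator cap instead of warning in kmalloc.
 * Returns the size to allocate, or 0 when the request is rejected. */
size_t bounded_alloc_size(size_t user_optlen, unsigned bound_addrs)
{
        if (user_optlen < sizeof(struct getaddrs_hdr))
                return 0;
        size_t space_left = user_optlen - sizeof(struct getaddrs_hdr);
        size_t needed = (size_t)bound_addrs * ADDR_SIZE;
        /* The copy-out can never exceed what is bound, so neither should the buffer. */
        size_t alloc = space_left < needed ? space_left : needed;
        if (alloc > ALLOC_CAP)
                return 0;
        return alloc;
}
```

With the reproducer's optlen of 0x04000000 and two bound addresses, the naive path asks for roughly 64 MiB while the bounded path asks for 256 bytes.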

Thread overview: 4+ messages
2015-11-28 12:40 Dmitry Vyukov [this message]
2015-11-28 12:40 ` user-controllable kmalloc size in sctp_getsockopt_local_addrs Dmitry Vyukov
2015-11-30 16:36 ` Marcelo Ricardo Leitner
2015-11-30 16:36   ` Marcelo Ricardo Leitner