linux-sctp.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* "general protection fault in sctp_ulpevent_notify_peer_addr_change" and "general protection fault in sctp_ulpevent_nofity_peer_addr_change" should share the same root cause
@ 2021-01-12  2:18 慕冬亮
  2021-01-12  3:27 ` Marcelo Ricardo Leitner
  0 siblings, 1 reply; 3+ messages in thread
From: 慕冬亮 @ 2021-01-12  2:18 UTC (permalink / raw)
  To: davem, kuba, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, vyasevich, rkovhaev, syzkaller-bugs

Dear developers,

I find that "general protection fault in l2cap_sock_getsockopt" and
"general protection fault in sco_sock_getsockopt" may be duplicated
bugs from the same root cause.

First, by comparing the PoC similarity after own minimization, we find
they share the same PoC. Second, the stack traces for both bug reports
are the same except for the last function. And the different last
functions are due to a function name change (typo fix) from
"sctp_ulpevent_nofity_peer_addr_change" to
"sctp_ulpevent_notify_peer_addr_change"

--
My best regards to you.

     No System Is Safe!
     Dongliang Mu

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: "general protection fault in sctp_ulpevent_notify_peer_addr_change" and "general protection fault in sctp_ulpevent_nofity_peer_addr_change" should share the same root cause
  2021-01-12  2:18 "general protection fault in sctp_ulpevent_notify_peer_addr_change" and "general protection fault in sctp_ulpevent_nofity_peer_addr_change" should share the same root cause 慕冬亮
@ 2021-01-12  3:27 ` Marcelo Ricardo Leitner
  2021-01-12  4:39   ` 慕冬亮
  0 siblings, 1 reply; 3+ messages in thread
From: Marcelo Ricardo Leitner @ 2021-01-12  3:27 UTC (permalink / raw)
  To: 慕冬亮
  Cc: davem, kuba, linux-kernel, linux-sctp, netdev, nhorman,
	vyasevich, rkovhaev, syzkaller-bugs

On Tue, Jan 12, 2021 at 10:18:00AM +0800, 慕冬亮 wrote:
> Dear developers,
> 
> I find that "general protection fault in l2cap_sock_getsockopt" and
> "general protection fault in sco_sock_getsockopt" may be duplicated
> bugs from the same root cause.
> 
> First, by comparing the PoC similarity after own minimization, we find
> they share the same PoC. Second, the stack traces for both bug reports
> are the same except for the last function. And the different last
> functions are due to a function name change (typo fix) from
> "sctp_ulpevent_nofity_peer_addr_change" to
> "sctp_ulpevent_notify_peer_addr_change"

Not sure where you saw stack traces with this sctp function in it, but
the syzkaller reports from 17 Feb 2020 are not related to SCTP.

The one on sco_sock_getsockopt() seems to be lack of parameter
validation: it doesn't check if optval is big enough when handling
BT_PHY (which has the same value as SCTP_STATUS). It seems also miss a
check on if level != SOL_BLUETOOTH, but I may be wrong here.

l2cap_sock_getsockopt also lacks checking optlen.

  Marcelo

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: "general protection fault in sctp_ulpevent_notify_peer_addr_change" and "general protection fault in sctp_ulpevent_nofity_peer_addr_change" should share the same root cause
  2021-01-12  3:27 ` Marcelo Ricardo Leitner
@ 2021-01-12  4:39   ` 慕冬亮
  0 siblings, 0 replies; 3+ messages in thread
From: 慕冬亮 @ 2021-01-12  4:39 UTC (permalink / raw)
  To: Marcelo Ricardo Leitner
  Cc: davem, kuba, linux-kernel, linux-sctp, netdev, nhorman,
	vyasevich, rkovhaev, syzkaller-bugs

On Tue, Jan 12, 2021 at 11:27 AM Marcelo Ricardo Leitner
<marcelo.leitner@gmail.com> wrote:
>
> On Tue, Jan 12, 2021 at 10:18:00AM +0800, 慕冬亮 wrote:
> > Dear developers,
> >
> > I find that "general protection fault in l2cap_sock_getsockopt" and
> > "general protection fault in sco_sock_getsockopt" may be duplicated
> > bugs from the same root cause.
> >

I am sorry that the above description is for another bug group -
https://groups.google.com/g/syzkaller-bugs/c/csbAcYWGd2I. I forget to
modify this paragraph. Embarrassing :(

The correct description here should be, "I find that general
protection fault in sctp_ulpevent_notify_peer_addr_change" and
"general protection fault in sctp_ulpevent_nofity_peer_addr_change"
should share the same root cause, like the title.

> > First, by comparing the PoC similarity after own minimization, we find
> > they share the same PoC. Second, the stack traces for both bug reports
> > are the same except for the last function. And the different last
> > functions are due to a function name change (typo fix) from
> > "sctp_ulpevent_nofity_peer_addr_change" to
> > "sctp_ulpevent_notify_peer_addr_change"
>
> Not sure where you saw stack traces with this sctp function in it, but
> the syzkaller reports from 17 Feb 2020 are not related to SCTP.
>
> The one on sco_sock_getsockopt() seems to be lack of parameter
> validation: it doesn't check if optval is big enough when handling
> BT_PHY (which has the same value as SCTP_STATUS). It seems also miss a
> check on if level != SOL_BLUETOOTH, but I may be wrong here.
>
> l2cap_sock_getsockopt also lacks checking optlen.
>

Please ignore my mistake, and discuss the issue of
sco/l2tp_sock_getsockopt in the thread - "general protection fault in
l2cap_sock_getsockopt" and "general protection fault in
sco_sock_getsockopt" may share the same root cause
(https://groups.google.com/g/syzkaller-bugs/c/csbAcYWGd2I)


>   Marcelo

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-01-12  4:40 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-12  2:18 "general protection fault in sctp_ulpevent_notify_peer_addr_change" and "general protection fault in sctp_ulpevent_nofity_peer_addr_change" should share the same root cause 慕冬亮
2021-01-12  3:27 ` Marcelo Ricardo Leitner
2021-01-12  4:39   ` 慕冬亮

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).