* [syzbot] UBSAN: shift-out-of-bounds in xfrm_set_default
@ 2021-07-27 12:47 syzbot
2021-07-27 14:43 ` Pavel Skripkin
0 siblings, 1 reply; 7+ messages in thread
From: syzbot @ 2021-07-27 12:47 UTC (permalink / raw)
To: davem, herbert, kuba, linux-kernel, netdev, steffen.klassert, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    90d856e71443 Add linux-next specific files for 20210723
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=133fd00a300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=298516715f6ad5cd
dashboard link: https://syzkaller.appspot.com/bug?extid=9cd5837a045bbee5b810
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1263bba6300000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1066b4d4300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9cd5837a045bbee5b810@syzkaller.appspotmail.com

netlink: 228 bytes leftover after parsing attributes in process `syz-executor669'.
================================================================================
UBSAN: shift-out-of-bounds in net/xfrm/xfrm_user.c:1969:18
shift exponent 255 is too large for 32-bit type 'int'
CPU: 0 PID: 8437 Comm: syz-executor669 Not tainted 5.14.0-rc2-next-20210723-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
 xfrm_set_default.cold+0x21/0x102 net/xfrm/xfrm_user.c:1969
 xfrm_user_rcv_msg+0x430/0xa20 net/xfrm/xfrm_user.c:2864
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
 xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2886
 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
 netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929
 sock_sendmsg_nosec net/socket.c:703 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:723
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2392
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2446
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2475
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43f0d9
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc71f859f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f0d9
RDX: 0000000000000000 RSI: 0000000020000740 RDI: 0000000000000003
RBP: 00000000004030c0 R08: 0000000000000000 R09: 0000000000400488
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403150
R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488
================================================================================

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: [syzbot] UBSAN: shift-out-of-bounds in xfrm_set_default 2021-07-27 12:47 [syzbot] UBSAN: shift-out-of-bounds in xfrm_set_default syzbot @ 2021-07-27 14:43 ` Pavel Skripkin 2021-07-27 17:25 ` [PATCH] net: xfrm: fix shift-out-of-bounce kernel test robot ` (2 more replies) 0 siblings, 3 replies; 7+ messages in thread From: Pavel Skripkin @ 2021-07-27 14:43 UTC (permalink / raw) To: syzbot Cc: davem, herbert, kuba, linux-kernel, netdev, steffen.klassert, syzkaller-bugs [-- Attachment #1: Type: text/plain, Size: 1256 bytes --] On Tue, 27 Jul 2021 05:47:21 -0700 syzbot <syzbot+9cd5837a045bbee5b810@syzkaller.appspotmail.com> wrote: > Hello, > > syzbot found the following issue on: > > HEAD commit: 90d856e71443 Add linux-next specific files for > 20210723 git tree: linux-next > console output: > https://syzkaller.appspot.com/x/log.txt?x=133fd00a300000 kernel > config: https://syzkaller.appspot.com/x/.config?x=298516715f6ad5cd > dashboard link: > https://syzkaller.appspot.com/bug?extid=9cd5837a045bbee5b810 > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU > Binutils for Debian) 2.35.1 syz repro: > https://syzkaller.appspot.com/x/repro.syz?x=1263bba6300000 C > reproducer: https://syzkaller.appspot.com/x/repro.c?x=1066b4d4300000 > > IMPORTANT: if you fix the issue, please add the following tag to the > commit: Reported-by: > syzbot+9cd5837a045bbee5b810@syzkaller.appspotmail.com > > netlink: 228 bytes leftover after parsing attributes in process > `syz-executor669'. > ================================================================================ The first thing that comes in mind is to check up->dirmask value #syz test git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master With regards, Pavel Skripkin [-- Attachment #2: 0001-net-xfrm-fix-shift-out-of-bounce.patch --] [-- Type: text/x-patch, Size: 1152 bytes --] From 30db223b1f724ca241c7fa15769d0c65eada3b66 Mon Sep 17 00:00:00 2001 
From: Pavel Skripkin <paskripkin@gmail.com> Date: Tue, 27 Jul 2021 17:38:24 +0300 Subject: [PATCH] net: xfrm: fix shift-out-of-bounce We need to check up->dirmask to avoid shift-out-of-bounce bug, since up->dirmask comes from userspace. Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> --- net/xfrm/xfrm_user.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index acc3a0dab331..5f3fe2295519 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1966,9 +1966,14 @@ static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh, { struct net *net = sock_net(skb->sk); struct xfrm_userpolicy_default *up = nlmsg_data(nlh); - u8 dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK; + u8 dirmask; u8 old_default = net->xfrm.policy_default; + if (up->dirmask >= sizeof(up->action) * 8) + return -EINVAL; + + dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK + net->xfrm.policy_default = (old_default & (0xff ^ dirmask)) | (up->action << up->dirmask); -- 2.32.0 ^ permalink raw reply related [flat|nested] 7+ messages in thread
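Review bot: the added line `dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK` has no terminating `;`, so this hunk does not compile: the following `net->xfrm.policy_default = ...` statement is parsed as a continuation of the same expression. Add the semicolon, and while respinning, the subject and body say "shift-out-of-bounce" where the UBSAN check is named "shift-out-of-bounds"; the commit title should use the sanitizer's name so the fix is findable from the report.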
* Re: [PATCH] net: xfrm: fix shift-out-of-bounce 2021-07-27 14:43 ` Pavel Skripkin @ 2021-07-27 17:25 ` kernel test robot 2021-07-27 17:30 ` Pavel Skripkin 2021-07-27 17:46 ` [PATCH] net: xfrm: fix shift-out-of-bounce kernel test robot 2021-07-27 23:28 ` [syzbot] UBSAN: shift-out-of-bounds in xfrm_set_default syzbot 2 siblings, 1 reply; 7+ messages in thread From: kernel test robot @ 2021-07-27 17:25 UTC (permalink / raw) To: Pavel Skripkin, syzbot Cc: clang-built-linux, kbuild-all, davem, herbert, kuba, linux-kernel, netdev, steffen.klassert, syzkaller-bugs [-- Attachment #1: Type: text/plain, Size: 7530 bytes --] Hi Pavel, Thank you for the patch! Yet something to improve: [auto build test ERROR on ipsec-next/master] [also build test ERROR on next-20210726] [cannot apply to ipsec/master net-next/master net/master sparc-next/master v5.14-rc3] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/0day-ci/linux/commits/Pavel-Skripkin/net-xfrm-fix-shift-out-of-bounce/20210727-224549 base: https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git master config: s390-randconfig-r034-20210727 (attached as .config) compiler: clang version 13.0.0 (https://github.com/llvm/llvm-project c658b472f3e61e1818e1909bf02f3d65470018a5) reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # install s390 cross compiling tool for clang build # apt-get install binutils-s390x-linux-gnu # https://github.com/0day-ci/linux/commit/0d1cb044926e3d81c86b5add2eeaf38c7aec7f90 git remote add linux-review https://github.com/0day-ci/linux git fetch --no-tags linux-review Pavel-Skripkin/net-xfrm-fix-shift-out-of-bounce/20210727-224549 git checkout 0d1cb044926e3d81c86b5add2eeaf38c7aec7f90 # save the attached .config to linux build 
tree mkdir build_dir COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross O=build_dir ARCH=s390 SHELL=/bin/bash net/xfrm/ If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <lkp@intel.com> All errors (new ones prefixed by >>): In file included from net/xfrm/xfrm_user.c:22: In file included from include/linux/skbuff.h:31: In file included from include/linux/dma-mapping.h:10: In file included from include/linux/scatterlist.h:9: In file included from arch/s390/include/asm/io.h:75: include/asm-generic/io.h:464:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] val = __raw_readb(PCI_IOBASE + addr); ~~~~~~~~~~ ^ include/asm-generic/io.h:477:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr)); ~~~~~~~~~~ ^ include/uapi/linux/byteorder/big_endian.h:36:59: note: expanded from macro '__le16_to_cpu' #define __le16_to_cpu(x) __swab16((__force __u16)(__le16)(x)) ^ include/uapi/linux/swab.h:102:54: note: expanded from macro '__swab16' #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x)) ^ In file included from net/xfrm/xfrm_user.c:22: In file included from include/linux/skbuff.h:31: In file included from include/linux/dma-mapping.h:10: In file included from include/linux/scatterlist.h:9: In file included from arch/s390/include/asm/io.h:75: include/asm-generic/io.h:490:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr)); ~~~~~~~~~~ ^ include/uapi/linux/byteorder/big_endian.h:34:59: note: expanded from macro '__le32_to_cpu' #define __le32_to_cpu(x) __swab32((__force __u32)(__le32)(x)) ^ include/uapi/linux/swab.h:115:54: note: expanded from macro '__swab32' #define __swab32(x) (__u32)__builtin_bswap32((__u32)(x)) ^ In 
file included from net/xfrm/xfrm_user.c:22: In file included from include/linux/skbuff.h:31: In file included from include/linux/dma-mapping.h:10: In file included from include/linux/scatterlist.h:9: In file included from arch/s390/include/asm/io.h:75: include/asm-generic/io.h:501:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] __raw_writeb(value, PCI_IOBASE + addr); ~~~~~~~~~~ ^ include/asm-generic/io.h:511:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr); ~~~~~~~~~~ ^ include/asm-generic/io.h:521:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr); ~~~~~~~~~~ ^ include/asm-generic/io.h:609:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] readsb(PCI_IOBASE + addr, buffer, count); ~~~~~~~~~~ ^ include/asm-generic/io.h:617:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] readsw(PCI_IOBASE + addr, buffer, count); ~~~~~~~~~~ ^ include/asm-generic/io.h:625:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] readsl(PCI_IOBASE + addr, buffer, count); ~~~~~~~~~~ ^ include/asm-generic/io.h:634:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] writesb(PCI_IOBASE + addr, buffer, count); ~~~~~~~~~~ ^ include/asm-generic/io.h:643:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] writesw(PCI_IOBASE + addr, buffer, count); ~~~~~~~~~~ ^ include/asm-generic/io.h:652:21: warning: performing pointer arithmetic on a null pointer has undefined behavior 
[-Wnull-pointer-arithmetic] writesl(PCI_IOBASE + addr, buffer, count); ~~~~~~~~~~ ^ >> net/xfrm/xfrm_user.c:1975:54: error: expected ';' after expression dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK ^ ; 12 warnings and 1 error generated. vim +1975 net/xfrm/xfrm_user.c 1963 1964 static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh, 1965 struct nlattr **attrs) 1966 { 1967 struct net *net = sock_net(skb->sk); 1968 struct xfrm_userpolicy_default *up = nlmsg_data(nlh); 1969 u8 dirmask; 1970 u8 old_default = net->xfrm.policy_default; 1971 1972 if (up->dirmask >= sizeof(up->action) * 8) 1973 return -EINVAL; 1974 > 1975 dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK 1976 1977 net->xfrm.policy_default = (old_default & (0xff ^ dirmask)) 1978 | (up->action << up->dirmask); 1979 1980 rt_genid_bump_all(net); 1981 1982 return 0; 1983 } 1984 --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org [-- Attachment #2: .config.gz --] [-- Type: application/gzip, Size: 16790 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] net: xfrm: fix shift-out-of-bounce
2021-07-27 17:25 ` [PATCH] net: xfrm: fix shift-out-of-bounce kernel test robot
@ 2021-07-27 17:30 ` Pavel Skripkin
2021-07-28 0:13 ` [syzbot] UBSAN: shift-out-of-bounds in xfrm_set_default syzbot
0 siblings, 1 reply; 7+ messages in thread
From: Pavel Skripkin @ 2021-07-27 17:30 UTC (permalink / raw) To: kernel test robot Cc: syzbot, clang-built-linux, kbuild-all, davem, herbert, kuba, linux-kernel, netdev, steffen.klassert, syzkaller-bugs [-- Attachment #1: Type: text/plain, Size: 6212 bytes --] On Wed, 28 Jul 2021 01:25:18 +0800 kernel test robot <lkp@intel.com> wrote: > Hi Pavel, > > Thank you for the patch! Yet something to improve: > > [auto build test ERROR on ipsec-next/master] > [also build test ERROR on next-20210726] > [cannot apply to ipsec/master net-next/master net/master > sparc-next/master v5.14-rc3] [If your patch is applied to the wrong > git tree, kindly drop us a note. And when submitting patch, we > suggest to use '--base' as documented in > https://git-scm.com/docs/git-format-patch] > > url: > https://github.com/0day-ci/linux/commits/Pavel-Skripkin/net-xfrm-fix-shift-out-of-bounce/20210727-224549 > base: > https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git > master config: s390-randconfig-r034-20210727 (attached as .config) > compiler: clang version 13.0.0 (https://github.com/llvm/llvm-project > c658b472f3e61e1818e1909bf02f3d65470018a5) reproduce (this is a W=1 > build): wget > https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross > -O ~/bin/make.cross chmod +x ~/bin/make.cross # install s390 cross > compiling tool for clang build # apt-get install > binutils-s390x-linux-gnu # > https://github.com/0day-ci/linux/commit/0d1cb044926e3d81c86b5add2eeaf38c7aec7f90 > git remote add linux-review https://github.com/0day-ci/linux git > fetch --no-tags linux-review > Pavel-Skripkin/net-xfrm-fix-shift-out-of-bounce/20210727-224549 git > checkout 0d1cb044926e3d81c86b5add2eeaf38c7aec7f90 # save the attached > .config to linux build tree mkdir build_dir > COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross > O=build_dir ARCH=s390 SHELL=/bin/bash net/xfrm/ > > If you fix the issue, kindly add following tag as appropriate > Reported-by: kernel test 
robot <lkp@intel.com> > > All errors (new ones prefixed by >>): > > In file included from net/xfrm/xfrm_user.c:22: > In file included from include/linux/skbuff.h:31: > In file included from include/linux/dma-mapping.h:10: > In file included from include/linux/scatterlist.h:9: > In file included from arch/s390/include/asm/io.h:75: > include/asm-generic/io.h:464:31: warning: performing pointer > arithmetic on a null pointer has undefined behavior > [-Wnull-pointer-arithmetic] val = __raw_readb(PCI_IOBASE + addr); > ~~~~~~~~~~ ^ include/asm-generic/io.h:477:61: warning: performing > pointer arithmetic on a null pointer has undefined behavior > [-Wnull-pointer-arithmetic] val = __le16_to_cpu((__le16 > __force)__raw_readw(PCI_IOBASE + addr)); ~~~~~~~~~~ ^ > include/uapi/linux/byteorder/big_endian.h:36:59: note: expanded from > macro '__le16_to_cpu' #define __le16_to_cpu(x) __swab16((__force > __u16)(__le16)(x)) ^ include/uapi/linux/swab.h:102:54: note: expanded > from macro '__swab16' #define __swab16(x) > (__u16)__builtin_bswap16((__u16)(x)) ^ > In file included from net/xfrm/xfrm_user.c:22: > In file included from include/linux/skbuff.h:31: > In file included from include/linux/dma-mapping.h:10: > In file included from include/linux/scatterlist.h:9: > In file included from arch/s390/include/asm/io.h:75: > include/asm-generic/io.h:490:61: warning: performing pointer > arithmetic on a null pointer has undefined behavior > [-Wnull-pointer-arithmetic] val = __le32_to_cpu((__le32 > __force)__raw_readl(PCI_IOBASE + addr)); ~~~~~~~~~~ ^ > include/uapi/linux/byteorder/big_endian.h:34:59: note: expanded from > macro '__le32_to_cpu' #define __le32_to_cpu(x) __swab32((__force > __u32)(__le32)(x)) ^ include/uapi/linux/swab.h:115:54: note: expanded > from macro '__swab32' #define __swab32(x) > (__u32)__builtin_bswap32((__u32)(x)) ^ > In file included from net/xfrm/xfrm_user.c:22: > In file included from include/linux/skbuff.h:31: > In file included from 
include/linux/dma-mapping.h:10: > In file included from include/linux/scatterlist.h:9: > In file included from arch/s390/include/asm/io.h:75: > include/asm-generic/io.h:501:33: warning: performing pointer > arithmetic on a null pointer has undefined behavior > [-Wnull-pointer-arithmetic] __raw_writeb(value, PCI_IOBASE + addr); > ~~~~~~~~~~ ^ include/asm-generic/io.h:511:59: warning: performing > pointer arithmetic on a null pointer has undefined behavior > [-Wnull-pointer-arithmetic] __raw_writew((u16 > __force)cpu_to_le16(value), PCI_IOBASE + addr); ~~~~~~~~~~ ^ > include/asm-generic/io.h:521:59: warning: performing pointer > arithmetic on a null pointer has undefined behavior > [-Wnull-pointer-arithmetic] __raw_writel((u32 > __force)cpu_to_le32(value), PCI_IOBASE + addr); ~~~~~~~~~~ ^ > include/asm-generic/io.h:609:20: warning: performing pointer > arithmetic on a null pointer has undefined behavior > [-Wnull-pointer-arithmetic] readsb(PCI_IOBASE + addr, buffer, count); > ~~~~~~~~~~ ^ include/asm-generic/io.h:617:20: warning: performing > pointer arithmetic on a null pointer has undefined behavior > [-Wnull-pointer-arithmetic] readsw(PCI_IOBASE + addr, buffer, count); > ~~~~~~~~~~ ^ include/asm-generic/io.h:625:20: warning: performing > pointer arithmetic on a null pointer has undefined behavior > [-Wnull-pointer-arithmetic] readsl(PCI_IOBASE + addr, buffer, count); > ~~~~~~~~~~ ^ include/asm-generic/io.h:634:21: warning: performing > pointer arithmetic on a null pointer has undefined behavior > [-Wnull-pointer-arithmetic] writesb(PCI_IOBASE + addr, buffer, > count); ~~~~~~~~~~ ^ include/asm-generic/io.h:643:21: warning: > performing pointer arithmetic on a null pointer has undefined > behavior [-Wnull-pointer-arithmetic] writesw(PCI_IOBASE + addr, > buffer, count); ~~~~~~~~~~ ^ include/asm-generic/io.h:652:21: > warning: performing pointer arithmetic on a null pointer has > undefined behavior [-Wnull-pointer-arithmetic] writesl(PCI_IOBASE + > addr, buffer, 
count); ~~~~~~~~~~ ^ > >> net/xfrm/xfrm_user.c:1975:54: error: expected ';' after expression > dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK > ^ > ; Oops :) Thank you, kernel test robot. #syz test git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master With regards, Pavel Skripkin [-- Attachment #2: 0001-net-xfrm-fix-shift-out-of-bounce.patch --] [-- Type: text/x-patch, Size: 1153 bytes --] From e7cf3838979bf3079a511b6809e971945f50eb25 Mon Sep 17 00:00:00 2001 From: Pavel Skripkin <paskripkin@gmail.com> Date: Tue, 27 Jul 2021 17:38:24 +0300 Subject: [PATCH] net: xfrm: fix shift-out-of-bounce We need to check up->dirmask to avoid shift-out-of-bounce bug, since up->dirmask comes from userspace. Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> --- net/xfrm/xfrm_user.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index acc3a0dab331..4a7bb169314e 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1966,9 +1966,14 @@ static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh, { struct net *net = sock_net(skb->sk); struct xfrm_userpolicy_default *up = nlmsg_data(nlh); - u8 dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK; + u8 dirmask; u8 old_default = net->xfrm.policy_default; + if (up->dirmask >= sizeof(up->action) * 8) + return -EINVAL; + + dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK; + net->xfrm.policy_default = (old_default & (0xff ^ dirmask)) | (up->action << up->dirmask); -- 2.32.0 ^ permalink raw reply related [flat|nested] 7+ messages in thread
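Review bot: the new check `if (up->dirmask >= sizeof(up->action) * 8) return -EINVAL;` bounds only the shift width, not the set of valid directions. Any `up->dirmask` that passes the check but names a bit outside XFRM_POL_DEFAULT_MASK makes `dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK` evaluate to 0, so `old_default & (0xff ^ dirmask)` clears nothing, yet `up->action << up->dirmask` is still ORed into `net->xfrm.policy_default` at that position. `up->action` is likewise not validated, so a multi-bit action can set several bits in one request. Consider rejecting the request when the computed direction bit is not within XFRM_POL_DEFAULT_MASK and when `up->action` is not a single-bit value, rather than checking only the shift count.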
* Re: [syzbot] UBSAN: shift-out-of-bounds in xfrm_set_default
2021-07-27 17:30 ` Pavel Skripkin
@ 2021-07-28 0:13 ` syzbot
0 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2021-07-28 0:13 UTC (permalink / raw)
To: clang-built-linux, davem, herbert, kbuild-all, kuba, linux-kernel, lkp, netdev, paskripkin, steffen.klassert, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+9cd5837a045bbee5b810@syzkaller.appspotmail.com

Tested on:

commit:         42d0b5f5 Add linux-next specific files for 20210727
git tree:       linux-next
kernel config:  https://syzkaller.appspot.com/x/.config?x=e5bd567a6f50f462
dashboard link: https://syzkaller.appspot.com/bug?extid=9cd5837a045bbee5b810
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1204e0dc300000

Note: testing is done by a robot and is best-effort only.
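A userspace model of the policy_default update that the report and the patch above concern, added here as an example; it is not kernel code and not the thread's patch. It shows the condition UBSAN flagged (a shift count at or beyond the width of int), the bound the posted patch adds, and a stricter validation against the direction set; the mask value, the number of direction bits and the single-bit action are assumptions of the model, not values taken from the kernel headers.

```c
/* Added example for this thread, not kernel code: a userspace model of
 * the policy_default update performed by xfrm_set_default(). Field
 * names follow the thread (dirmask, action, policy_default); the mask
 * value, the number of directions and the single-bit action are
 * assumptions of the model. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_POL_DEFAULT_MASK 0x07u  /* assumed: direction bits 0..2 */
#define MODEL_NDIRS 3u                /* assumed: valid dirmask values 0..2 */

struct model_userpolicy_default {
    uint8_t dirmask;  /* bit index of the direction to change, userspace controlled */
    uint8_t action;   /* new default action for that direction, userspace controlled */
};

/* The condition UBSAN reported: a shift count of 255 against a 32-bit
 * int. Any count >= the width of int makes '1 << count' undefined. */
int model_shift_count_is_oob(unsigned int count)
{
    return count >= sizeof(int) * 8;
}

/* The bound the posted patch adds: reject counts >= sizeof(action) * 8,
 * which is 8 for a one-byte action. It stops the undefined shift but
 * still admits direction indexes 3..7 that name no real direction. */
int model_patch_bound_accepts(uint8_t dirmask)
{
    return dirmask < sizeof(uint8_t) * 8;
}

/* Stricter validation used by this model: the index must name a bit
 * inside the direction set, and the action must be a single bit so
 * that 'action << dirmask' can only touch that one direction. */
int model_validate(const struct model_userpolicy_default *up)
{
    if (up->dirmask >= MODEL_NDIRS)
        return -EINVAL;
    if (up->action > 1)
        return -EINVAL;
    return 0;
}

/* The update itself, same arithmetic as the kernel function: clear the
 * selected direction bit, then OR in the new action at that position.
 * The shift only happens after model_validate() has accepted the input. */
int model_set_default(uint8_t *policy_default,
                      const struct model_userpolicy_default *up)
{
    uint8_t old_default = *policy_default;
    uint8_t dirmask;
    int err = model_validate(up);

    if (err)
        return err;

    dirmask = (1u << up->dirmask) & MODEL_POL_DEFAULT_MASK;
    *policy_default = (old_default & (0xff ^ dirmask)) |
                      (uint8_t)(up->action << up->dirmask);
    return 0;
}

int main(void)
{
    uint8_t policy_default = 0x05;  /* constructed starting state: bits 0 and 2 set */
    struct model_userpolicy_default reported = { .dirmask = 255, .action = 1 };
    struct model_userpolicy_default gap      = { .dirmask = 5,   .action = 1 };
    struct model_userpolicy_default ok       = { .dirmask = 2,   .action = 0 };

    printf("shift by %u undefined for int: %d\n",
           reported.dirmask, model_shift_count_is_oob(reported.dirmask));
    printf("patch bound accepts %u: %d, model returns %d\n",
           gap.dirmask, model_patch_bound_accepts(gap.dirmask),
           model_set_default(&policy_default, &gap));
    printf("clear direction %u: rc=%d policy_default=0x%02x\n",
           ok.dirmask, model_set_default(&policy_default, &ok), policy_default);
    return 0;
}
```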
* Re: [PATCH] net: xfrm: fix shift-out-of-bounce 2021-07-27 14:43 ` Pavel Skripkin 2021-07-27 17:25 ` [PATCH] net: xfrm: fix shift-out-of-bounce kernel test robot @ 2021-07-27 17:46 ` kernel test robot 2021-07-27 23:28 ` [syzbot] UBSAN: shift-out-of-bounds in xfrm_set_default syzbot 2 siblings, 0 replies; 7+ messages in thread From: kernel test robot @ 2021-07-27 17:46 UTC (permalink / raw) To: Pavel Skripkin, syzbot Cc: kbuild-all, davem, herbert, kuba, linux-kernel, netdev, steffen.klassert, syzkaller-bugs [-- Attachment #1: Type: text/plain, Size: 4205 bytes --] Hi Pavel, Thank you for the patch! Yet something to improve: [auto build test ERROR on ipsec-next/master] [also build test ERROR on next-20210726] [cannot apply to ipsec/master net-next/master net/master v5.14-rc3] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/0day-ci/linux/commits/Pavel-Skripkin/net-xfrm-fix-shift-out-of-bounce/20210727-224549 base: https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git master config: sh-allmodconfig (attached as .config) compiler: sh4-linux-gcc (GCC) 10.3.0 reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/0day-ci/linux/commit/0d1cb044926e3d81c86b5add2eeaf38c7aec7f90 git remote add linux-review https://github.com/0day-ci/linux git fetch --no-tags linux-review Pavel-Skripkin/net-xfrm-fix-shift-out-of-bounce/20210727-224549 git checkout 0d1cb044926e3d81c86b5add2eeaf38c7aec7f90 # save the attached .config to linux build tree mkdir build_dir COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-10.3.0 make.cross O=build_dir ARCH=sh SHELL=/bin/bash net/xfrm/ If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <lkp@intel.com> All 
error/warnings (new ones prefixed by >>): net/xfrm/xfrm_user.c: In function 'xfrm_set_default': >> net/xfrm/xfrm_user.c:1977:2: error: expected ';' before 'net' 1977 | net->xfrm.policy_default = (old_default & (0xff ^ dirmask)) | ^~~ net/xfrm/xfrm_user.c:1970:5: warning: unused variable 'old_default' [-Wunused-variable] 1970 | u8 old_default = net->xfrm.policy_default; | ^~~~~~~~~~~ >> net/xfrm/xfrm_user.c:1969:5: warning: variable 'dirmask' set but not used [-Wunused-but-set-variable] 1969 | u8 dirmask; | ^~~~~~~ Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for SND_ATMEL_SOC_PDC Depends on SOUND && !UML && SND && SND_SOC && SND_ATMEL_SOC && HAS_DMA Selected by - SND_ATMEL_SOC_SSC && SOUND && !UML && SND && SND_SOC && SND_ATMEL_SOC - SND_ATMEL_SOC_SSC_PDC && SOUND && !UML && SND && SND_SOC && SND_ATMEL_SOC && ATMEL_SSC vim +1977 net/xfrm/xfrm_user.c ^1da177e4c3f41 Linus Torvalds 2005-04-16 1963 2d151d39073aff Steffen Klassert 2021-07-18 1964 static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh, 2d151d39073aff Steffen Klassert 2021-07-18 1965 struct nlattr **attrs) 2d151d39073aff Steffen Klassert 2021-07-18 1966 { 2d151d39073aff Steffen Klassert 2021-07-18 1967 struct net *net = sock_net(skb->sk); 2d151d39073aff Steffen Klassert 2021-07-18 1968 struct xfrm_userpolicy_default *up = nlmsg_data(nlh); 0d1cb044926e3d Pavel Skripkin 2021-07-27 @1969 u8 dirmask; 2d151d39073aff Steffen Klassert 2021-07-18 1970 u8 old_default = net->xfrm.policy_default; 2d151d39073aff Steffen Klassert 2021-07-18 1971 0d1cb044926e3d Pavel Skripkin 2021-07-27 1972 if (up->dirmask >= sizeof(up->action) * 8) 0d1cb044926e3d Pavel Skripkin 2021-07-27 1973 return -EINVAL; 0d1cb044926e3d Pavel Skripkin 2021-07-27 1974 0d1cb044926e3d Pavel Skripkin 2021-07-27 1975 dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK 0d1cb044926e3d Pavel Skripkin 2021-07-27 1976 2d151d39073aff Steffen Klassert 2021-07-18 @1977 net->xfrm.policy_default = 
(old_default & (0xff ^ dirmask)) 2d151d39073aff Steffen Klassert 2021-07-18 1978 | (up->action << up->dirmask); 2d151d39073aff Steffen Klassert 2021-07-18 1979 2d151d39073aff Steffen Klassert 2021-07-18 1980 rt_genid_bump_all(net); 2d151d39073aff Steffen Klassert 2021-07-18 1981 2d151d39073aff Steffen Klassert 2021-07-18 1982 return 0; 2d151d39073aff Steffen Klassert 2021-07-18 1983 } 2d151d39073aff Steffen Klassert 2021-07-18 1984 --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org [-- Attachment #2: .config.gz --] [-- Type: application/gzip, Size: 55006 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [syzbot] UBSAN: shift-out-of-bounds in xfrm_set_default
2021-07-27 14:43 ` Pavel Skripkin
2021-07-27 17:25 ` [PATCH] net: xfrm: fix shift-out-of-bounce kernel test robot
2021-07-27 17:46 ` [PATCH] net: xfrm: fix shift-out-of-bounce kernel test robot
@ 2021-07-27 23:28 ` syzbot
2 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2021-07-27 23:28 UTC (permalink / raw)
To: davem, herbert, kuba, linux-kernel, netdev, paskripkin, steffen.klassert, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

net/xfrm/xfrm_user.c:1977:2: error: expected ';' before 'net'

Tested on:

commit:         42d0b5f5 Add linux-next specific files for 20210727
git tree:       linux-next
dashboard link: https://syzkaller.appspot.com/bug?extid=9cd5837a045bbee5b810
compiler:
patch:          https://syzkaller.appspot.com/x/patch.diff?x=147b8d0a300000