linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Pavel Skripkin <paskripkin@gmail.com>
To: kernel test robot <lkp@intel.com>
Cc: syzbot <syzbot+9cd5837a045bbee5b810@syzkaller.appspotmail.com>,
	clang-built-linux@googlegroups.com, kbuild-all@lists.01.org,
	davem@davemloft.net, herbert@gondor.apana.org.au,
	kuba@kernel.org, linux-kernel@vger.kernel.org,
	netdev@vger.kernel.org, steffen.klassert@secunet.com,
	syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] net: xfrm: fix shift-out-of-bounce
Date: Tue, 27 Jul 2021 20:30:56 +0300	[thread overview]
Message-ID: <20210727203056.377e5758@gmail.com> (raw)
In-Reply-To: <202107280113.ykJy6Oc4-lkp@intel.com>

[-- Attachment #1: Type: text/plain, Size: 6212 bytes --]

On Wed, 28 Jul 2021 01:25:18 +0800
kernel test robot <lkp@intel.com> wrote:

> Hi Pavel,
> 
> Thank you for the patch! Yet something to improve:
> 
> [auto build test ERROR on ipsec-next/master]
> [also build test ERROR on next-20210726]
> [cannot apply to ipsec/master net-next/master net/master
> sparc-next/master v5.14-rc3] [If your patch is applied to the wrong
> git tree, kindly drop us a note. And when submitting patch, we
> suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch]
> 
> url:
> https://github.com/0day-ci/linux/commits/Pavel-Skripkin/net-xfrm-fix-shift-out-of-bounce/20210727-224549
> base:
> https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git
> master config: s390-randconfig-r034-20210727 (attached as .config)
> compiler: clang version 13.0.0 (https://github.com/llvm/llvm-project
> c658b472f3e61e1818e1909bf02f3d65470018a5) reproduce (this is a W=1
> build): wget
> https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross
> -O ~/bin/make.cross chmod +x ~/bin/make.cross # install s390 cross
> compiling tool for clang build # apt-get install
> binutils-s390x-linux-gnu #
> https://github.com/0day-ci/linux/commit/0d1cb044926e3d81c86b5add2eeaf38c7aec7f90
> git remote add linux-review https://github.com/0day-ci/linux git
> fetch --no-tags linux-review
> Pavel-Skripkin/net-xfrm-fix-shift-out-of-bounce/20210727-224549 git
> checkout 0d1cb044926e3d81c86b5add2eeaf38c7aec7f90 # save the attached
> .config to linux build tree mkdir build_dir
> COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross
> O=build_dir ARCH=s390 SHELL=/bin/bash net/xfrm/
> 
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
> 
> All errors (new ones prefixed by >>):
> 
>    In file included from net/xfrm/xfrm_user.c:22:
>    In file included from include/linux/skbuff.h:31:
>    In file included from include/linux/dma-mapping.h:10:
>    In file included from include/linux/scatterlist.h:9:
>    In file included from arch/s390/include/asm/io.h:75:
>    include/asm-generic/io.h:464:31: warning: performing pointer
> arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] val = __raw_readb(PCI_IOBASE + addr);
> ~~~~~~~~~~ ^ include/asm-generic/io.h:477:61: warning: performing
> pointer arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] val = __le16_to_cpu((__le16
> __force)__raw_readw(PCI_IOBASE + addr)); ~~~~~~~~~~ ^
> include/uapi/linux/byteorder/big_endian.h:36:59: note: expanded from
> macro '__le16_to_cpu' #define __le16_to_cpu(x) __swab16((__force
> __u16)(__le16)(x)) ^ include/uapi/linux/swab.h:102:54: note: expanded
> from macro '__swab16' #define __swab16(x)
> (__u16)__builtin_bswap16((__u16)(x)) ^
>    In file included from net/xfrm/xfrm_user.c:22:
>    In file included from include/linux/skbuff.h:31:
>    In file included from include/linux/dma-mapping.h:10:
>    In file included from include/linux/scatterlist.h:9:
>    In file included from arch/s390/include/asm/io.h:75:
>    include/asm-generic/io.h:490:61: warning: performing pointer
> arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] val = __le32_to_cpu((__le32
> __force)__raw_readl(PCI_IOBASE + addr)); ~~~~~~~~~~ ^
> include/uapi/linux/byteorder/big_endian.h:34:59: note: expanded from
> macro '__le32_to_cpu' #define __le32_to_cpu(x) __swab32((__force
> __u32)(__le32)(x)) ^ include/uapi/linux/swab.h:115:54: note: expanded
> from macro '__swab32' #define __swab32(x)
> (__u32)__builtin_bswap32((__u32)(x)) ^
>    In file included from net/xfrm/xfrm_user.c:22:
>    In file included from include/linux/skbuff.h:31:
>    In file included from include/linux/dma-mapping.h:10:
>    In file included from include/linux/scatterlist.h:9:
>    In file included from arch/s390/include/asm/io.h:75:
>    include/asm-generic/io.h:501:33: warning: performing pointer
> arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] __raw_writeb(value, PCI_IOBASE + addr);
> ~~~~~~~~~~ ^ include/asm-generic/io.h:511:59: warning: performing
> pointer arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] __raw_writew((u16
> __force)cpu_to_le16(value), PCI_IOBASE + addr); ~~~~~~~~~~ ^
> include/asm-generic/io.h:521:59: warning: performing pointer
> arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] __raw_writel((u32
> __force)cpu_to_le32(value), PCI_IOBASE + addr); ~~~~~~~~~~ ^
> include/asm-generic/io.h:609:20: warning: performing pointer
> arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] readsb(PCI_IOBASE + addr, buffer, count);
> ~~~~~~~~~~ ^ include/asm-generic/io.h:617:20: warning: performing
> pointer arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] readsw(PCI_IOBASE + addr, buffer, count);
> ~~~~~~~~~~ ^ include/asm-generic/io.h:625:20: warning: performing
> pointer arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] readsl(PCI_IOBASE + addr, buffer, count);
> ~~~~~~~~~~ ^ include/asm-generic/io.h:634:21: warning: performing
> pointer arithmetic on a null pointer has undefined behavior
> [-Wnull-pointer-arithmetic] writesb(PCI_IOBASE + addr, buffer,
> count); ~~~~~~~~~~ ^ include/asm-generic/io.h:643:21: warning:
> performing pointer arithmetic on a null pointer has undefined
> behavior [-Wnull-pointer-arithmetic] writesw(PCI_IOBASE + addr,
> buffer, count); ~~~~~~~~~~ ^ include/asm-generic/io.h:652:21:
> warning: performing pointer arithmetic on a null pointer has
> undefined behavior [-Wnull-pointer-arithmetic] writesl(PCI_IOBASE +
> addr, buffer, count); ~~~~~~~~~~ ^
> >> net/xfrm/xfrm_user.c:1975:54: error: expected ';' after expression
>            dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK
>                                                                ^
>                                                                ;

Oops :) Thank you, kernel test robot.

#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master


With regards,
Pavel Skripkin



[-- Attachment #2: 0001-net-xfrm-fix-shift-out-of-bounce.patch --]
[-- Type: text/x-patch, Size: 1153 bytes --]

From e7cf3838979bf3079a511b6809e971945f50eb25 Mon Sep 17 00:00:00 2001
From: Pavel Skripkin <paskripkin@gmail.com>
Date: Tue, 27 Jul 2021 17:38:24 +0300
Subject: [PATCH] net: xfrm: fix shift-out-of-bounce

We need to check up->dirmask to avoid shift-out-of-bounce bug,
since up->dirmask comes from userspace.

Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
 net/xfrm/xfrm_user.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index acc3a0dab331..4a7bb169314e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1966,9 +1966,14 @@ static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh,
 {
 	struct net *net = sock_net(skb->sk);
 	struct xfrm_userpolicy_default *up = nlmsg_data(nlh);
-	u8 dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK;
+	u8 dirmask;
 	u8 old_default = net->xfrm.policy_default;
 
+	if (up->dirmask >= sizeof(up->action) * 8)
+		return -EINVAL;
+
+	dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK;
+
 	net->xfrm.policy_default = (old_default & (0xff ^ dirmask))
 				    | (up->action << up->dirmask);
 
-- 
2.32.0


  reply	other threads:[~2021-07-27 17:31 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-27 12:47 [syzbot] UBSAN: shift-out-of-bounds in xfrm_set_default syzbot
2021-07-27 14:43 ` Pavel Skripkin
2021-07-27 17:25   ` [PATCH] net: xfrm: fix shift-out-of-bounce kernel test robot
2021-07-27 17:30     ` Pavel Skripkin [this message]
2021-07-28  0:13       ` [syzbot] UBSAN: shift-out-of-bounds in xfrm_set_default syzbot
2021-07-27 17:46   ` [PATCH] net: xfrm: fix shift-out-of-bounce kernel test robot
2021-07-27 23:28   ` [syzbot] UBSAN: shift-out-of-bounds in xfrm_set_default syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210727203056.377e5758@gmail.com \
    --to=paskripkin@gmail.com \
    --cc=clang-built-linux@googlegroups.com \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=kbuild-all@lists.01.org \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lkp@intel.com \
    --cc=netdev@vger.kernel.org \
    --cc=steffen.klassert@secunet.com \
    --cc=syzbot+9cd5837a045bbee5b810@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --subject='Re: [PATCH] net: xfrm: fix shift-out-of-bounce' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).