linux-kernel.vger.kernel.org archive mirror
* net/netlink: another global-out-of-bounds in genl_family_rcv_msg/validate_nla
@ 2016-11-03 23:04 Andrey Konovalov
From: Andrey Konovalov @ 2016-11-03 23:04 UTC (permalink / raw)
  To: David S. Miller, Nicolas Dichtel, LKML, Matti Vaittinen,
	Tycho Andersen, stephen hemminger, Tom Herbert, Florian Westphal,
	netdev
  Cc: Dmitry Vyukov, Alexander Potapenko, Kostya Serebryany,
	Eric Dumazet, syzkaller

Hi,

I've got the following error report while running the syzkaller fuzzer:

BUG: KASAN: global-out-of-bounds in validate_nla+0x49b/0x4e0 at addr ffffffff84452de0
Read of size 2 by task syz-executor/19055
Address belongs to variable ip_vs_cmd_policy+0x20/0x40
CPU: 1 PID: 19055 Comm: syz-executor Not tainted 4.9.0-rc3+ #350
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006b547638 ffffffff81b46934 ffff88006b5476c8 ffffffff847a361f
 ffffffff84452dc0 ffffffff84452de0 ffff88006b5476b8 ffffffff8150ac7c
 ffffffff859bdf80 ffffffff85f44280 ffff88003df282c0 0000000000000292
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b46934>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
 [<     inline     >] print_address_description mm/kasan/report.c:204
 [<ffffffff8150ac7c>] kasan_report_error+0x49c/0x4d0 mm/kasan/report.c:283
 [<     inline     >] kasan_report mm/kasan/report.c:303
 [<ffffffff8150ad2e>] __asan_report_load2_noabort+0x3e/0x40 mm/kasan/report.c:322
 [<ffffffff81be27eb>] validate_nla+0x49b/0x4e0 lib/nlattr.c:41
 [<ffffffff81be2ab5>] nla_parse+0x115/0x280 lib/nlattr.c:195
 [<     inline     >] nlmsg_parse include/net/netlink.h:386
 [<ffffffff82dc2723>] genl_family_rcv_msg+0x543/0xc80 net/netlink/genetlink.c:613
 [<ffffffff82dc3016>] genl_rcv_msg+0x1b6/0x270 net/netlink/genetlink.c:658
 [<ffffffff82dc10a0>] netlink_rcv_skb+0x2c0/0x3b0 net/netlink/af_netlink.c:2281
 [<ffffffff82dc21c8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:669
 [<     inline     >] netlink_unicast_kernel net/netlink/af_netlink.c:1214
 [<ffffffff82dbf959>] netlink_unicast+0x5a9/0x880 net/netlink/af_netlink.c:1240
 [<ffffffff82dc05e7>] netlink_sendmsg+0x9b7/0xce0 net/netlink/af_netlink.c:1786
 [<     inline     >] sock_sendmsg_nosec net/socket.c:606
 [<ffffffff82b6f75c>] sock_sendmsg+0xcc/0x110 net/socket.c:616
 [<ffffffff82b6f9c1>] sock_write_iter+0x221/0x3b0 net/socket.c:814
 [<     inline     >] new_sync_write fs/read_write.c:499
 [<ffffffff8151bd44>] __vfs_write+0x334/0x570 fs/read_write.c:512
 [<ffffffff8151f85b>] vfs_write+0x17b/0x500 fs/read_write.c:560
 [<     inline     >] SYSC_write fs/read_write.c:607
 [<ffffffff81523184>] SyS_write+0xd4/0x1a0 fs/read_write.c:599
 [<ffffffff81006465>] do_syscall_64+0x195/0x490 arch/x86/entry/common.c:280
 [<ffffffff83fc0409>] entry_SYSCALL64_slow_path+0x25/0x25
Memory state around the buggy address:
 ffffffff84452c80: fa fa fa fa 00 00 00 00 00 00 04 fa fa fa fa fa
 ffffffff84452d00: 00 00 00 00 00 00 04 fa fa fa fa fa 00 00 00 00
>ffffffff84452d80: 04 fa fa fa fa fa fa fa 00 00 00 04 fa fa fa fa
                                                       ^
 ffffffff84452e00: 00 fa fa fa fa fa fa fa 00 00 fa fa fa fa fa fa
 ffffffff84452e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

This time the out-of-bounds is on the ip_vs_cmd_policy variable.

On commit 0c183d92b20b5c84ca655b45ef57b3318b83eb9e (Oct 31).

Thanks!


* Re: net/netlink: another global-out-of-bounds in genl_family_rcv_msg/validate_nla
@ 2016-11-03 23:22 ` Cong Wang
From: Cong Wang @ 2016-11-03 23:22 UTC (permalink / raw)
  To: Andrey Konovalov
  Cc: David S. Miller, Nicolas Dichtel, LKML, Matti Vaittinen,
	Tycho Andersen, stephen hemminger, Tom Herbert, Florian Westphal,
	netdev, Dmitry Vyukov, Alexander Potapenko, Kostya Serebryany,
	Eric Dumazet, syzkaller

On Thu, Nov 3, 2016 at 4:04 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
> Hi,
>
> I've got the following error report while running the syzkaller fuzzer:
>
> BUG: KASAN: global-out-of-bounds in validate_nla+0x49b/0x4e0 at addr
> ffffffff84452de0
> Read of size 2 by task syz-executor/19055
> Address belongs to variable ip_vs_cmd_policy+0x20/0x40

LOL, seems a typo

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index c3c809b..a6e44ef 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2845,7 +2845,7 @@ static struct genl_family ip_vs_genl_family = {
        .hdrsize        = 0,
        .name           = IPVS_GENL_NAME,
        .version        = IPVS_GENL_VERSION,
-       .maxattr        = IPVS_CMD_MAX,
+       .maxattr        = IPVS_CMD_ATTR_MAX,
        .netnsok        = true,         /* Make ipvsadm to work on netns */
 };
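Review bot: the one-line change is the right fix, but as posted the hunk is not yet a mergeable patch: it has no description, no Fixes: tag and no Signed-off-by. The description should say why this is a bug fix rather than a cosmetic rename: genl_family_rcv_msg hands .maxattr to nla_parse, and validate_nla looks up policy[type] for every attribute type up to that bound, so .maxattr = IPVS_CMD_MAX (a command count, not an attribute count) let the lookup run past the end of ip_vs_cmd_policy, which is what the KASAN trace at lib/nlattr.c:41 reports. Consider also a BUILD_BUG_ON-style check that .maxattr + 1 matches the size of the policy array so the two constants cannot drift apart again, and a quick look at the other genl_family definitions for the same command/attribute mix-up.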

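As an added example (not code from this thread or from the kernel), a user-space model of the nla_parse/validate_nla walk that the trace shows, with the maxattr-versus-policy-size check that the pre-fix family definition violated. The struct layouts, the type codes, the counts CMD_ATTR_MAX/CMD_MAX and the attribute stream are constructed stand-ins, and the byte stream assumes a little-endian host.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-ins for the kernel's struct nlattr and struct nla_policy
 * (same field layout as the kernel's headers; all values here are constructed). */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
struct nla_policy { uint16_t type; uint16_t len; };
#define NLA_ALIGN(n)  (((n) + 3) & ~3u)
#define NLA_HDRLEN    ((int)NLA_ALIGN(sizeof(struct nlattr)))
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
/* Hypothetical counts standing in for IPVS_CMD_ATTR_MAX and IPVS_CMD_MAX. */
#define CMD_ATTR_MAX 3   /* highest attribute type the policy describes */
#define CMD_MAX      9   /* highest command number; unrelated to attributes */
/* Policy sized like ip_vs_cmd_policy: one slot per attribute type. */
static const struct nla_policy cmd_policy[CMD_ATTR_MAX + 1] = {
    [1] = { .type = 1, .len = 0 },   /* constructed non-zero type codes */
    [2] = { .type = 5, .len = 0 },
};

/* Model of nla_parse: walk the stream and count the attributes whose type lies
 * within maxattr, i.e. the ones validate_nla looks up as policy[type].
 * Unlike the pre-fix kernel, refuse to run when maxattr does not fit inside
 * the policy array: that mismatch is what the KASAN report above shows. */
static int model_nla_parse(const struct nla_policy *policy, size_t entries,
                           int maxattr, const uint8_t *buf, size_t len)
{
    if (maxattr < 0 || (size_t)maxattr + 1 > entries)
        return -1;                          /* maxattr/policy mismatch */
    int checked = 0;
    while (len >= sizeof(struct nlattr)) {
        struct nlattr nla;
        memcpy(&nla, buf, sizeof nla);      /* no unaligned access */
        if (nla.nla_len < NLA_HDRLEN || nla.nla_len > len)
            return -2;                      /* malformed attribute */
        int type = nla.nla_type & 0x3fff;   /* strip NLA_F_* flag bits */
        if (type > 0 && type <= maxattr)    /* unknown types are skipped */
            checked += policy[type].type != 0;
        size_t step = NLA_ALIGN(nla.nla_len);
        if (step > len) step = len;
        buf += step; len -= step;
    }
    return checked;
}

/* Constructed stream (little-endian): type 1 (1 byte), type 2 (3 bytes), type 9. */
static const uint8_t sample[] = { 5,0,1,0,0x2a,0,0,0, 7,0,2,0,'a','b',0,0, 4,0,9,0 };
static int parse_before_fix(void) { return model_nla_parse(cmd_policy, ARRAY_SIZE(cmd_policy), CMD_MAX, sample, sizeof sample); }
static int parse_after_fix(void)  { return model_nla_parse(cmd_policy, ARRAY_SIZE(cmd_policy), CMD_ATTR_MAX, sample, sizeof sample); }
```

With the command count as maxattr the model rejects the family up front; with the attribute count it parses the two known attributes and skips type 9, which in the pre-fix kernel would have been looked up beyond the end of ip_vs_cmd_policy.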

* Re: net/netlink: another global-out-of-bounds in genl_family_rcv_msg/validate_nla
@ 2016-11-03 23:34   ` Andrey Konovalov
From: Andrey Konovalov @ 2016-11-03 23:34 UTC (permalink / raw)
  To: Cong Wang
  Cc: David S. Miller, Nicolas Dichtel, LKML, Matti Vaittinen,
	Tycho Andersen, stephen hemminger, Tom Herbert, Florian Westphal,
	netdev, Dmitry Vyukov, Alexander Potapenko, Kostya Serebryany,
	Eric Dumazet, syzkaller

On Fri, Nov 4, 2016 at 12:22 AM, Cong Wang <xiyou.wangcong@gmail.com> wrote:
> On Thu, Nov 3, 2016 at 4:04 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
>> Hi,
>>
>> I've got the following error report while running the syzkaller fuzzer:
>>
>> BUG: KASAN: global-out-of-bounds in validate_nla+0x49b/0x4e0 at addr
>> ffffffff84452de0
>> Read of size 2 by task syz-executor/19055
>> Address belongs to variable ip_vs_cmd_policy+0x20/0x40
>
> LOL, seems a typo
>
> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index c3c809b..a6e44ef 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> @@ -2845,7 +2845,7 @@ static struct genl_family ip_vs_genl_family = {
>         .hdrsize        = 0,
>         .name           = IPVS_GENL_NAME,
>         .version        = IPVS_GENL_VERSION,
> -       .maxattr        = IPVS_CMD_MAX,
> +       .maxattr        = IPVS_CMD_ATTR_MAX,
>         .netnsok        = true,         /* Make ipvsadm to work on netns */
>  };

This fixes the issue for me.

Tested-by: Andrey Konovalov <andreyknvl@google.com>

Thanks again!

