linux-kernel.vger.kernel.org archive mirror
* UBSAN: Undefined behaviour in net/ipv4/ip_output.c
@ 2019-01-21 19:21 Kyungtae Kim
From: Kyungtae Kim @ 2019-01-21 19:21 UTC (permalink / raw)
  To: davem, kuznet, yoshfuji
  Cc: Byoungyoung Lee, DaeRyong Jeong, syzkaller, netdev, linux-kernel

I'm reporting a bug in linux-5.0-rc2: "UBSAN: Undefined behaviour in
net/ipv4/ip_output.c"

kernel config: https://kt0755.github.io/etc/config-5.0-rc2
repro: https://kt0755.github.io/etc/repro.b6a11.c

Integer overflow happened in __ip_append_data() when 2 * sk->sk_sndbuf
(at line 1004) is larger than the boundary of the destination (i.e., int).
Some sanity check code right before it would help.

=========================================
UBSAN: Undefined behaviour in net/ipv4/ip_output.c:1004:11
signed integer overflow:
1282607372 * 2 cannot be represented in type 'int'
CPU: 0 PID: 8465 Comm: syz-executor4 Not tainted 5.0.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xb1/0x118 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
 handle_overflow+0x1cf/0x21a lib/ubsan.c:190
 __ubsan_handle_mul_overflow+0x2a/0x35 lib/ubsan.c:214
 __ip_append_data+0x30ed/0x3350 net/ipv4/ip_output.c:1004
 ip_append_data.part.18+0xf3/0x170 net/ipv4/ip_output.c:1220
 ip_append_data+0x63/0x80 net/ipv4/ip_output.c:1209
 raw_sendmsg+0xd99/0x2b60 net/ipv4/raw.c:670
 inet_sendmsg+0xfc/0x620 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:631
 ___sys_sendmsg+0x7b3/0x950 net/socket.c:2116
 __sys_sendmsg+0xfc/0x1d0 net/socket.c:2154
 __do_sys_sendmsg net/socket.c:2163 [inline]
 __se_sys_sendmsg net/socket.c:2161 [inline]
 __x64_sys_sendmsg+0x83/0xc0 net/socket.c:2161
 do_syscall_64+0xbe/0x4f0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f0d0100bc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f0d0100c6cc RCX: 00000000004497b9
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000013
RBP: 000000000071bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000089a0 R14: 00000000006f1a40 R15: 00007f0d0100c700
=========================================

Thanks,
Kyungtae


* Re: UBSAN: Undefined behaviour in net/ipv4/ip_output.c
@ 2019-01-23 21:33 ` Willem de Bruijn
From: Willem de Bruijn @ 2019-01-23 21:33 UTC (permalink / raw)
  To: Kyungtae Kim
  Cc: David Miller, Alexey Kuznetsov, Hideaki YOSHIFUJI,
	Byoungyoung Lee, DaeRyong Jeong, syzkaller, Network Development,
	LKML

On Mon, Jan 21, 2019 at 2:25 PM Kyungtae Kim <kt0755@gmail.com> wrote:
>
> I'm reporting a bug in linux-5.0-rc2: "UBSAN: Undefined behaviour in
> net/ipv4/ip_output.c"
>
> kernel config: https://kt0755.github.io/etc/config-5.0-rc2
> repro: https://kt0755.github.io/etc/repro.b6a11.c

Thanks for the report.

That reproducer does not seem to exercise system call sendmsg. Did you
mean to share another? Perhaps one that uses SO_SNDBUFFORCE or
sysctl_wmem_max.

When constructing a reproducer, I did easily trigger a UBSAN warning
when setting SO_SNDBUFFORCE to INT_MAX - 1, so I can imagine that this
one can trigger, as well. As long as sk_sndbuf can be set to any
integer value, we'll have to be careful with any such multiplication.


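Kyungtae's report (the product 2 * sk->sk_sndbuf at ip_output.c:1004 no longer fitting in an int) and Willem's remark that sk_sndbuf can be set to any integer value, for instance INT_MAX - 1 via SO_SNDBUFFORCE, describe the same defect: a limit check built on signed int arithmetic whose intermediate result can exceed INT_MAX. The program below is an added illustration, not kernel code and not from either poster. It models such a check on plain ints and shows three overflow-safe forms: doing the arithmetic in a wider type, detecting overflow with the compiler builtin that check_mul_overflow() wraps and saturating the limit, and clamping the value where it is set. The function names, the `queued`/`sndbuf` stand-ins and the direction of the comparison are assumptions for the example; the value 1282607372 is the one from the UBSAN output above.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example, not kernel code. Signed overflow is undefined behaviour
 * in C, so once sndbuf exceeds INT_MAX / 2 any comparison against
 * 2 * sndbuf computed in int is unreliable: with wrap-around semantics
 * the limit turns negative and the check misfires. The "queued" and
 * "sndbuf" parameters are constructed stand-ins for the socket fields;
 * the <= direction is an assumption about the check, not taken from the
 * report.
 */

/* Does 2 * sndbuf fit in an int? __builtin_mul_overflow is the GCC/Clang
 * builtin underlying the kernel's check_mul_overflow() helper. */
bool doubling_overflows(int sndbuf)
{
    int product;
    return __builtin_mul_overflow(2, sndbuf, &product);
}

/* Option 1: compute in a type wide enough for 2 * INT_MAX. long long is
 * at least 64 bits, so 2LL * sndbuf cannot overflow for any int. */
bool within_limit_wide(int queued, int sndbuf)
{
    return (long long)queued <= 2LL * sndbuf;
}

/* Option 2: keep int arithmetic, detect the overflow and saturate the
 * limit at INT_MAX. This is the "sanity check right before it" that the
 * report suggests, placed at the point of use. */
bool within_limit_checked(int queued, int sndbuf)
{
    int limit;
    if (__builtin_mul_overflow(2, sndbuf, &limit))
        limit = INT_MAX;            /* product would not fit: saturate */
    return queued <= limit;
}

/* Option 3: bound the value where it is set (the SO_SNDBUF/SO_SNDBUFFORCE
 * path in the discussion), so every later doubling is safe by construction.
 * Returns the value that would be stored. */
int clamp_sndbuf(int requested)
{
    if (requested > INT_MAX / 2)
        return INT_MAX / 2;
    return requested;
}

int main(void)
{
    const int reported = 1282607372;    /* sk_sndbuf value from the UBSAN report */

    printf("2 * %d overflows int: %s\n", reported,
           doubling_overflows(reported) ? "yes" : "no");
    printf("queued=%d within limit (wide arithmetic): %d\n", INT_MAX,
           within_limit_wide(INT_MAX, reported));
    printf("queued=%d within limit (checked/saturated): %d\n", INT_MAX,
           within_limit_checked(INT_MAX, reported));
    printf("sndbuf %d clamped at set time to %d\n", reported,
           clamp_sndbuf(reported));
    return 0;
}
```

Options 1 and 2 fix the arithmetic at the point of use and leave the stored sk_sndbuf untouched; option 3 removes the hazard for every consumer of the field but changes what an administrator can configure, which is the trade-off Willem's comment about sysctl_wmem_max points at. Compile with a recent GCC or Clang (the builtin needs GCC 5 or later).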

* Re: UBSAN: Undefined behaviour in net/ipv4/ip_output.c
@ 2019-01-24 13:03   ` Kyungtae Kim
From: Kyungtae Kim @ 2019-01-24 13:03 UTC (permalink / raw)
  To: Willem de Bruijn
  Cc: David Miller, Alexey Kuznetsov, Hideaki YOSHIFUJI,
	Byoungyoung Lee, DaeRyong Jeong, syzkaller, Network Development,
	LKML

That's my bad. Thank you for your comment and effort.

Regards,
Kyungtae Kim

