Re: Any idea to fix the recursive call in tls_setsockopt?

Re: Any idea to fix the recursive call in tls_setsockopt?

[Pavel Skripkin]

On 10/2/21 11:38, Dongliang Mu wrote:

[ +CC netdev, LKML ]

> BUG: stack guard page was hit at ffffc90000b87ff8 (stack is
> ffffc90000b88000..ffffc90000b8bfff)
> kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP
> RIP: 0010:tls_setsockopt+0xe/0x650 net/tls/tls_main.c:617
> Call Trace:
>   tls_setsockopt+0x6a/0x650 net/tls/tls_main.c:621
> ......
>   tls_setsockopt+0x6a/0x650 net/tls/tls_main.c:621
>   tls_setsockopt+0x6a/0x650 net/tls/tls_main.c:621
>   __sys_setsockopt+0x1b0/0x360 net/socket.c:2176
>   __do_sys_setsockopt net/socket.c:2187 [inline]
>   __se_sys_setsockopt net/socket.c:2184 [inline]
>   __x64_sys_setsockopt+0x22/0x30 net/socket.c:2184
>   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>   entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> My local syzkaller instance finds this bug, however, I am not sure how
> to fix it. So I post the bug report here to seek help. The
> implementation of tls_setsockopt is as follows:
> 
> static int tls_setsockopt(struct sock *sk, int level, int optname,
>                            sockptr_t optval, unsigned int optlen)
> {
>          struct tls_context *ctx = tls_get_ctx(sk);
> 
>          if (level != SOL_TLS)
>                  return ctx->sk_proto->setsockopt(sk, level, optname, optval,
>                                                   optlen);
> 
>          return do_tls_setsockopt(sk, optname, optval, optlen);
> }
> 
> Since I am not familiar with this part code, the fix in my mind is to
> do a sanity check on "ctx->sk_proto->setsockopt" and make sure it is
> not tls_setsockopt.
> 
> Any comment here?
> 
> --
> My best regards to you.
> 
>       No System Is Safe!
>       Dongliang Mu
> 


With regards,
Pavel Skripkin