* [PATCH net] net: sit: fix UBSAN Undefined behaviour in check_6rd
From: linmiaohe @ 2019-03-11 8:29 UTC
To: davem, kuznet, yoshfuji, netdev, linux-kernel; +Cc: Mingfangsen
From: Miaohe Lin <linmiaohe@huawei.com>
In func check_6rd, tunnel->ip6rd.relay_prefixlen may equal
32, so UBSAN complains about it.
UBSAN: Undefined behaviour in net/ipv6/sit.c:781:47
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 6 PID: 20036 Comm: syz-executor.0 Not tainted 4.19.27 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1
04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
ubsan_epilogue+0xe/0x81 lib/ubsan.c:159
__ubsan_handle_shift_out_of_bounds+0x293/0x2e8 lib/ubsan.c:425
check_6rd.constprop.9+0x433/0x4e0 net/ipv6/sit.c:781
try_6rd net/ipv6/sit.c:806 [inline]
ipip6_tunnel_xmit net/ipv6/sit.c:866 [inline]
sit_tunnel_xmit+0x141c/0x2720 net/ipv6/sit.c:1033
__netdev_start_xmit include/linux/netdevice.h:4300 [inline]
netdev_start_xmit include/linux/netdevice.h:4309 [inline]
xmit_one net/core/dev.c:3243 [inline]
dev_hard_start_xmit+0x17c/0x780 net/core/dev.c:3259
__dev_queue_xmit+0x1656/0x2500 net/core/dev.c:3829
neigh_output include/net/neighbour.h:501 [inline]
ip6_finish_output2+0xa36/0x2290 net/ipv6/ip6_output.c:120
ip6_finish_output+0x3e7/0xa20 net/ipv6/ip6_output.c:154
NF_HOOK_COND include/linux/netfilter.h:278 [inline]
ip6_output+0x1e2/0x720 net/ipv6/ip6_output.c:171
dst_output include/net/dst.h:444 [inline]
ip6_local_out+0x99/0x170 net/ipv6/output_core.c:176
ip6_send_skb+0x9d/0x2f0 net/ipv6/ip6_output.c:1697
ip6_push_pending_frames+0xc0/0x100 net/ipv6/ip6_output.c:1717
rawv6_push_pending_frames net/ipv6/raw.c:616 [inline]
rawv6_sendmsg+0x2435/0x3530 net/ipv6/raw.c:946
inet_sendmsg+0xf8/0x5c0 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg+0xc8/0x110 net/socket.c:631
___sys_sendmsg+0x6cf/0x890 net/socket.c:2114
__sys_sendmsg+0xf0/0x1b0 net/socket.c:2152
do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Signed-off-by: linmiaohe <linmiaohe@huawei.com>
---
net/ipv6/sit.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 09e440e8dfae..07e21a82ce4c 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -778,8 +778,9 @@ static bool check_6rd(struct ip_tunnel *tunnel, const struct in6_addr *v6dst,
pbw0 = tunnel->ip6rd.prefixlen >> 5;
pbi0 = tunnel->ip6rd.prefixlen & 0x1f;
- d = (ntohl(v6dst->s6_addr32[pbw0]) << pbi0) >>
- tunnel->ip6rd.relay_prefixlen;
+ d = tunnel->ip6rd.relay_prefixlen < 32 ?
+ (ntohl(v6dst->s6_addr32[pbw0]) << pbi0) >>
+ tunnel->ip6rd.relay_prefixlen : 0;
pbi1 = pbi0 - tunnel->ip6rd.relay_prefixlen;
if (pbi1 > 0)
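Review bot: with the new guard on `d`, a `relay_prefixlen` of 32 gives `d = 0`, and the context line `pbi1 = pbi0 - tunnel->ip6rd.relay_prefixlen` then comes out negative (pbi0 is masked with 0x1f, and assuming pbi1 is a signed type, which this hunk does not show), so the `if (pbi1 > 0)` branch is skipped and `d` stays 0. That looks intended but is left implicit. I would write the guard as an explicit `if (tunnel->ip6rd.relay_prefixlen < 32) ... else d = 0;` instead of a three-line conditional expression, so the shift and its precondition are easy to read together.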
--
2.16.2
* Re: [PATCH net] net: sit: fix UBSAN Undefined behaviour in check_6rd
From: David Miller @ 2019-03-11 17:29 UTC
To: linmiaohe; +Cc: kuznet, yoshfuji, netdev, linux-kernel, mingfangsen
From: linmiaohe <linmiaohe@huawei.com>
Date: Mon, 11 Mar 2019 16:29:32 +0800
> @@ -778,8 +778,9 @@ static bool check_6rd(struct ip_tunnel *tunnel, const struct in6_addr *v6dst,
> pbw0 = tunnel->ip6rd.prefixlen >> 5;
> pbi0 = tunnel->ip6rd.prefixlen & 0x1f;
>
> - d = (ntohl(v6dst->s6_addr32[pbw0]) << pbi0) >>
> - tunnel->ip6rd.relay_prefixlen;
> + d = tunnel->ip6rd.relay_prefixlen < 32 ?
> + (ntohl(v6dst->s6_addr32[pbw0]) << pbi0) >>
> + tunnel->ip6rd.relay_prefixlen : 0;
>
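Review bot: nothing next to the new `relay_prefixlen < 32` test says that 32 is a value the field can actually hold, so the guard reads like dead code. A one-line comment above the assignment to `d`, stating that a relay prefix length of 32 is valid and that shifting a 32-bit value by 32 is undefined, would document why the check is there.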
I hate the fact that we have to guard against something which the rest
of the code makes sure NEVER EVER happens.
Every assignment of ->relay_prefixlen is guarded by a check against 32.
I don't like this at all, and I have to put my foot down somehow.
So I'm not applying this, sorry.
* Re: [PATCH net] net: sit: fix UBSAN Undefined behaviour in check_6rd
From: David Miller @ 2019-03-11 17:30 UTC
To: linmiaohe; +Cc: kuznet, yoshfuji, netdev, linux-kernel, mingfangsen
From: David Miller <davem@davemloft.net>
Date: Mon, 11 Mar 2019 10:29:37 -0700 (PDT)
> From: linmiaohe <linmiaohe@huawei.com>
> Date: Mon, 11 Mar 2019 16:29:32 +0800
>
>> @@ -778,8 +778,9 @@ static bool check_6rd(struct ip_tunnel *tunnel, const struct in6_addr *v6dst,
>> pbw0 = tunnel->ip6rd.prefixlen >> 5;
>> pbi0 = tunnel->ip6rd.prefixlen & 0x1f;
>>
>> - d = (ntohl(v6dst->s6_addr32[pbw0]) << pbi0) >>
>> - tunnel->ip6rd.relay_prefixlen;
>> + d = tunnel->ip6rd.relay_prefixlen < 32 ?
>> + (ntohl(v6dst->s6_addr32[pbw0]) << pbi0) >>
>> + tunnel->ip6rd.relay_prefixlen : 0;
>>
>
> I hate the fact that we have to guard against something which the rest
> of the code makes sure NEVER EVER happens.
>
> Every assignment of ->relay_prefixlen is guarded by a check against 32.
Sorry, I now understand, it can equal 32.
I'll apply this, thank you.
* Re: [PATCH net] net: sit: fix UBSAN Undefined behaviour in check_6rd
From: linmiaohe @ 2019-03-12 6:01 UTC
To: David Miller; +Cc: kuznet, yoshfuji, netdev, linux-kernel, mingfangsen
That's very nice of you. Thank you very much.
On 2019/3/12 1:30, David Miller wrote:
> From: David Miller <davem@davemloft.net>
> Date: Mon, 11 Mar 2019 10:29:37 -0700 (PDT)
>
>> From: linmiaohe <linmiaohe@huawei.com>
>> Date: Mon, 11 Mar 2019 16:29:32 +0800
>>
>>> @@ -778,8 +778,9 @@ static bool check_6rd(struct ip_tunnel *tunnel, const struct in6_addr *v6dst,
>>> pbw0 = tunnel->ip6rd.prefixlen >> 5;
>>> pbi0 = tunnel->ip6rd.prefixlen & 0x1f;
>>>
>>> - d = (ntohl(v6dst->s6_addr32[pbw0]) << pbi0) >>
>>> - tunnel->ip6rd.relay_prefixlen;
>>> + d = tunnel->ip6rd.relay_prefixlen < 32 ?
>>> + (ntohl(v6dst->s6_addr32[pbw0]) << pbi0) >>
>>> + tunnel->ip6rd.relay_prefixlen : 0;
>>>
>>
>> I hate the fact that we have to guard against something which the rest
>> of the code makes sure NEVER EVER happens.
>>
>> Every assignment of ->relay_prefixlen is guarded by a check against 32.
>
> Sorry, I now understand, it can equal 32.
>
> I'll apply this, thank you.
>
> .
>
* Re: [PATCH net] net: sit: fix UBSAN Undefined behaviour in check_6rd
From: linmiaohe @ 2019-03-12 6:08 UTC
To: David Miller; +Cc: kuznet, yoshfuji, netdev, linux-kernel, mingfangsen
On 2019/3/12 1:30, David Miller wrote:
> From: David Miller <davem@davemloft.net>
> Date: Mon, 11 Mar 2019 10:29:37 -0700 (PDT)
>
>> From: linmiaohe <linmiaohe@huawei.com>
>> Date: Mon, 11 Mar 2019 16:29:32 +0800
>>
>>> @@ -778,8 +778,9 @@ static bool check_6rd(struct ip_tunnel *tunnel, const struct in6_addr *v6dst,
>>> pbw0 = tunnel->ip6rd.prefixlen >> 5;
>>> pbi0 = tunnel->ip6rd.prefixlen & 0x1f;
>>>
>>> - d = (ntohl(v6dst->s6_addr32[pbw0]) << pbi0) >>
>>> - tunnel->ip6rd.relay_prefixlen;
>>> + d = tunnel->ip6rd.relay_prefixlen < 32 ?
>>> + (ntohl(v6dst->s6_addr32[pbw0]) << pbi0) >>
>>> + tunnel->ip6rd.relay_prefixlen : 0;
>>>
>>
>> I hate the fact that we have to guard against something which the rest
>> of the code makes sure NEVER EVER happens.
>>
>> Every assignment of ->relay_prefixlen is guarded by a check against 32.
>
> Sorry, I now understand, it can equal 32.
>
> I'll apply this, thank you.
>
> .
>
That's very nice of you. Thank you very much. I'm sorry for top-posting my reply in the previous email.