On Thu, Feb 1, 2018 at 11:30 AM, Dmitry Vyukov <dvyu...@google.com> wrote:
> On Thu, Feb 1, 2018 at 9:34 AM, Steffen Klassert
> <steffen.klass...@secunet.com> wrote:
>> On Wed, Jan 31, 2018 at 07:58:01AM -0800, syzbot wrote:
>>> Hello,
>>>
>>> syzbot hit the following crash on upstream commit
>>> 72906f38934a49faf4d2d38ea9ae32adcf7d5d0c (Tue Jan 30 21:04:50 2018 +0000)
>>> Merge branch 'x86-hyperv-for-linus' of
>>> git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
>>>
>>> So far this crash happened 4 times on net-next, upstream.
>>> C reproducer is attached.
>>> syzkaller reproducer is attached.
>>> Raw console output is attached.
>>> compiler: gcc (GCC) 7.1.1 20170620
>>> .config is attached.
>>> user-space arch: i386
>>
>> Looks like we forgot to refuse to insert socket policies
>> when userspace is 32 bit and kernel is 64 bit. We do this
>> already for policies inserted with netlink because we don't
>> have a compat layer for xfrm. This means that userspace
>> and kernel structures don't match, leading to broken
>> configurations.
>>
>> I don't have 32 bit userspace on 64 bit machines, so I
>> can't test this myself. Can you please test this patch:
>
>
> Hi Steffen,
>
> Please see the email footer:
>
>> If you want to test a patch for this bug, please reply with:
>> #syz test: git://repo/address.git branch
>> and provide the patch inline or as an attachment.
And please add the Reported-by tag as syzbot asked:

Reported-by: syzbot+e1a1577ca8bcb47b7...@syzkaller.appspotmail.com

This is really important for the overall process. In particular, syzbot will
never report bugs in xfrm_state_find again as it will think that it's still
the old bug not fixed. This is the 4th out-of-bounds in xfrm_state_find, so
you can see this is important. I guess syzbot actually found this more than
a month ago, but did not report, because nobody told it that the previous
one is fixed. It reported it now because Eric updated the old bug with the
fix yesterday.

>> Subject: [PATCH RFC] xfrm: Refuse to insert 32 bit userspace socket policies
>> on 64 bit systems
>>
>> We don't have a compat layer for xfrm, so userspace and kernel
>> structures have different sizes in this case. This results in
>> a broken configuration, so refuse to configure socket policies
>> when trying to insert from 32 bit userspace as we do it already
>> with policies inserted via netlink.
>>
>> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
>> ---
>> net/xfrm/xfrm_state.c | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
>> index a3785f538018..25861a4ef872 100644
>> --- a/net/xfrm/xfrm_state.c
>> +++ b/net/xfrm/xfrm_state.c
>> @@ -2056,6 +2056,11 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 >> __user *optval, int optlen >> struct xfrm_mgr *km; >> struct xfrm_policy *pol = NULL; >> >> +#ifdef CONFIG_COMPAT >> + if (in_compat_syscall()) >> + return -EOPNOTSUPP; >> +#endif >> + >> if (optlen <= 0 || optlen > PAGE_SIZE) >> return -EMSGSIZE; >> >> -- >> 2.14.1 >> >> -- >> You received this message because you are subscribed to the Google Groups >> "syzkaller-bugs" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to syzkaller-bugs+unsubscr...@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/syzkaller-bugs/20180201083418.rfarzrodccdy54xx%40gauss3.secunet.de. >> For more options, visit https://groups.google.com/d/optout.
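Review bot: The commit message for this hunk should carry the Reported-by tag syzbot asked for (Dmitry's point above) and name the crash it closes (out-of-bounds in xfrm_state_find with i386 userspace), otherwise the fix cannot be tied back to the bug. Placing the in_compat_syscall() check ahead of the optlen test is the right order, since a 32-bit caller should learn that the interface is unsupported rather than get -EMSGSIZE for a buffer that is correctly sized for its own ABI; please confirm the errno matches what the netlink path returns for the same refusal, so both insertion paths behave the same for 32-bit userspace. Minor: if in_compat_syscall() has a !CONFIG_COMPAT stub on this tree, the #ifdef CONFIG_COMPAT wrapper is redundant and can be dropped, unless you want it to mirror the existing netlink check verbatim.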
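As an added illustration (example code written for this page, not kernel code and not part of Steffen's patch) of why a 32-bit policy blob cannot simply be consumed by a 64-bit kernel without a compat layer, and what the in_compat_syscall() refusal buys: the two structs, the field names and the trailing template record are hypothetical stand-ins for the real xfrm userspace structures, and the `in_compat` flag stands in for in_compat_syscall(). It assumes a little-endian host and GCC/clang for the `aligned` attribute. The three decoders model the unpatched path, the patched refusal, and what a real compat layer would do instead.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy header as a 64-bit kernel lays it out: the u64 is
 * 8-byte aligned (x86_64 ABI), forced here so sizeof() is 24 on any host. */
struct policy_native {
	uint32_t index;
	uint64_t soft_limit __attribute__((aligned(8)));
	uint32_t action;
};

/* The same header as an i386 process lays it out: u64 is only 4-byte
 * aligned, so no padding and 16 bytes. Spelled out as 32-bit halves. */
struct policy_compat {
	uint32_t index;
	uint32_t soft_limit_lo;
	uint32_t soft_limit_hi;
	uint32_t action;
};

/* Trailing template record; same layout on both ABIs. */
struct tmpl {
	uint32_t id;
	uint32_t mode;
};

struct decode_result {
	int err;                  /* 0 or a negative errno */
	struct policy_native hdr; /* header as the "kernel" understood it */
	size_t ntmpl;             /* templates it believes follow the header */
};

/* Unpatched path: treat optval as a native header plus templates,
 * with only a length check (a model, not the real xfrm code). */
static struct decode_result decode_native(const void *optval, size_t optlen)
{
	struct decode_result r = {0};

	if (optlen < sizeof(r.hdr)) {
		r.err = -EMSGSIZE;
		return r;
	}
	memcpy(&r.hdr, optval, sizeof(r.hdr));
	r.ntmpl = (optlen - sizeof(r.hdr)) / sizeof(struct tmpl);
	return r;
}

/* Patched path: in_compat stands in for in_compat_syscall(). */
static struct decode_result decode_patched(bool in_compat, const void *optval, size_t optlen)
{
	struct decode_result r = {0};

	if (in_compat) {
		r.err = -EOPNOTSUPP;
		return r;
	}
	return decode_native(optval, optlen);
}

/* What a compat layer would do: translate the 32-bit layout field by field. */
static struct decode_result decode_compat(const void *optval, size_t optlen)
{
	struct decode_result r = {0};
	struct policy_compat c;

	if (optlen < sizeof(c)) {
		r.err = -EMSGSIZE;
		return r;
	}
	memcpy(&c, optval, sizeof(c));
	r.hdr.index = c.index;
	r.hdr.soft_limit = ((uint64_t)c.soft_limit_hi << 32) | c.soft_limit_lo;
	r.hdr.action = c.action;
	r.ntmpl = (optlen - sizeof(c)) / sizeof(struct tmpl);
	return r;
}

/* Constructed setsockopt payload as a 32-bit process would build it:
 * one 16-byte header followed by one 8-byte template, optlen 24. */
static size_t build_compat_blob(uint8_t *buf, size_t cap)
{
	struct policy_compat c = { .index = 7, .soft_limit_lo = 5, .soft_limit_hi = 1, .action = 1 };
	struct tmpl t = { .id = 0xabcd, .mode = 2 };

	if (cap < sizeof(c) + sizeof(t))
		return 0;
	memcpy(buf, &c, sizeof(c));
	memcpy(buf + sizeof(c), &t, sizeof(t));
	return sizeof(c) + sizeof(t);
}

static struct decode_result demo_unpatched(void)
{
	uint8_t buf[32];
	size_t n = build_compat_blob(buf, sizeof(buf));
	return decode_native(buf, n);
}

static struct decode_result demo_patched(void)
{
	uint8_t buf[32];
	size_t n = build_compat_blob(buf, sizeof(buf));
	return decode_patched(true, buf, n);
}

static struct decode_result demo_compat_layer(void)
{
	uint8_t buf[32];
	size_t n = build_compat_blob(buf, sizeof(buf));
	return decode_compat(buf, n);
}

int main(void)
{
	struct decode_result u = demo_unpatched(), p = demo_patched(), c = demo_compat_layer();

	printf("unpatched: err=%d index=%u soft_limit=%#llx action=%#x ntmpl=%zu\n",
	       u.err, u.hdr.index, (unsigned long long)u.hdr.soft_limit, u.hdr.action, u.ntmpl);
	printf("patched:   err=%d (EOPNOTSUPP=%d)\n", p.err, -EOPNOTSUPP);
	printf("compat:    err=%d index=%u soft_limit=%#llx action=%#x ntmpl=%zu\n",
	       c.err, c.hdr.index, (unsigned long long)c.hdr.soft_limit, c.hdr.action, c.ntmpl);
	return 0;
}
```

The unpatched decode accepts the 24-byte i386 payload because it happens to be exactly sizeof(struct policy_native): it then reads the 64-bit limit from the wrong offset, takes the template's id as the policy action and concludes that zero templates follow, which is the "broken configuration" the commit message describes; the patched decode refuses with -EOPNOTSUPP before touching the buffer, and only a proper translation recovers the caller's intent.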