Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (4)

[Dmitry Vyukov]

On Thu, Feb 1, 2018 at 11:30 AM, Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
> On Thu, Feb 1, 2018 at 9:34 AM, Steffen Klassert
> <steffen.klassert@xxxxxxxxxxx> wrote:
>> On Wed, Jan 31, 2018 at 07:58:01AM -0800, syzbot wrote:
>>> Hello,
>>>
>>> syzbot hit the following crash on upstream commit
>>> 72906f38934a49faf4d2d38ea9ae32adcf7d5d0c (Tue Jan 30 21:04:50 2018 +0000)
>>> Merge branch 'x86-hyperv-for-linus' of
>>> git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
>>>
>>> So far this crash happened 4 times on net-next, upstream.
>>> C reproducer is attached.
>>> syzkaller reproducer is attached.
>>> Raw console output is attached.
>>> compiler: gcc (GCC) 7.1.1 20170620
>>> .config is attached.
>>> user-space arch: i386
>>
>> Looks like we forgot to refuse to insert socket policies
>> when userspace is 32 bit and kernel is 64 bit. We do this
>> already for policies inserted with netlink because we don't
>> have a compat layer for xfrm. This means that userspace
>> and kernel structues don't match, leading to broken
>> configurations.
>>
>> I don't have 32 bit userspace on 64 bit machines, so I
>> can't test this myself. Can you please test this patch:
>
>
> Hi Steffen,
>
> Please see the email footer:
>
>> If you want to test a patch for this bug, please reply with:
>> #syz test: git://repo/address.git branch
>> and provide the patch inline or as an attachment.

And please add the Reported-by tag as syzbot asked:
Reported-by: syzbot+e1a1577ca8bcb47b769a@xxxxxxxxxxxxxxxxxxxxxxxxx
This is really important for overall process. In particular, syzbot
will never report bugs in xfrm_state_find again as it will think that
it's still the old bug not fixed. This is 4-th out-of-bounds in
xfrm_state_find, so you can see this is important. I guess syzbot
actually found this more than a month ago, but did not report, because
nobody told it that the previous one is fixed. It reported it now
because Eric updated the old bug with the fix yesterday.




>> Subject: [PATCH RFC] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems
>>
>> We don't have compat layer for xfrm, so userspace and kernel
>> structures have different sizes in this case. This results in
>> a broken confuguration, so refuse to configure socket policies
>> when trying to insert from 32 bit userspace as we do it already
>> with policies inserted via netlink.
>>
>> Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
>> ---
>>  net/xfrm/xfrm_state.c | 5 +++++
>>  1 file changed, 5 insertions(+)
>>
>> diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
>> index a3785f538018..25861a4ef872 100644
>> --- a/net/xfrm/xfrm_state.c
>> +++ b/net/xfrm/xfrm_state.c
>> @@ -2056,6 +2056,11 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen
>>         struct xfrm_mgr *km;
>>         struct xfrm_policy *pol = NULL;
>>
>> +#ifdef CONFIG_COMPAT
>> +       if (in_compat_syscall())
>> +               return -EOPNOTSUPP;
>> +#endif
>> +
>>         if (optlen <= 0 || optlen > PAGE_SIZE)
>>                 return -EMSGSIZE;
>>
>> --
>> 2.14.1
>>
>> --
>> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@xxxxxxxxxxxxxxxxx
>> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/20180201083418.rfarzrodccdy54xx%40gauss3.secunet.de.
>> For more options, visit https://groups.google.com/d/optout.