Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (3)

From: Steffen Klassert
Date: Wed Dec 13 2017 - 00:18:19 EST


On Tue, Dec 12, 2017 at 01:00:31PM -0800, Eric Biggers wrote:
> Hi Steffen,
>
> On Fri, Dec 01, 2017 at 08:27:43AM +0100, Steffen Klassert wrote:
> > On Wed, Nov 22, 2017 at 08:05:00AM -0800, syzbot wrote:
> > > syzkaller has found reproducer for the following crash on
> > > 0c86a6bd85ff0629cd2c5141027fc1c8bb6cde9c
> > > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
> > > compiler: gcc (GCC) 7.1.1 20170620
> > > .config is attached
> > > Raw console output is attached.
> > > C reproducer is attached
> > > syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> > > for information about syzkaller reproducers
> > >
> > >
> > > BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30fc/0x3230
> > > net/xfrm/xfrm_state.c:1051
> > > Read of size 4 at addr ffff8801ccaa7af8 by task syzkaller231684/3045
> >
> > The patch below should fix this. I plan to apply it to the ipsec tree
> > after some advanced testing.
> >
> > Subject: [PATCH RFC] xfrm: Fix stack-out-of-bounds with misconfigured transport
> > mode policies.
> >
>
> Are you still planning to apply this? syzbot is still hitting this bug.

It is already applied to the ipsec tree, will go upstream by the end of
this week.