Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (4)

From: Steffen Klassert
Date: Fri Feb 02 2018 - 02:22:47 EST


On Thu, Feb 01, 2018 at 11:30:00AM +0100, Dmitry Vyukov wrote:
> On Thu, Feb 1, 2018 at 9:34 AM, Steffen Klassert
>
> Hi Steffen,
>
> Please see the email footer:
>
> > If you want to test a patch for this bug, please reply with:
> > #syz test: git://repo/address.git branch
> > and provide the patch inline or as an attachment.

Thanks for the hint, I've overlooked this. This is very useful
for the case that I can not reproduce the bug, but I think I know
how to fix it.

There are two more cases that come to my mind where syzbot could
help.

1. I can not reproduce the bug and I don't know how to fix it,
but some debug output would be helpful:

syz test-debug-patch-and-send-dmesg-output: git://repo/address.git branch

2. I can not reproduce the bug and I have absolutely no idea what it
could be:

syz bisect: git://repo/address.git branch commit a commit b

I don't know if this is possible, but it would bring the bugfixing
process a bit closer to the case where a real user does a bug report.


#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Subject: [PATCH RFC] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems

We don't have a compat layer for xfrm, so userspace and kernel
structures have different sizes in this case. This results in
a broken configuration, so refuse to configure socket policies
when trying to insert from 32 bit userspace as we do it already
with policies inserted via netlink.

Reported-by: syzbot+e1a1577ca8bcb47b769a@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
---
net/xfrm/xfrm_state.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index a3785f538018..25861a4ef872 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2056,6 +2056,11 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen
struct xfrm_mgr *km;
struct xfrm_policy *pol = NULL;

+#ifdef CONFIG_COMPAT
+ if (in_compat_syscall())
+ return -EOPNOTSUPP;
+#endif
+
if (optlen <= 0 || optlen > PAGE_SIZE)
return -EMSGSIZE;

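Review bot: the `#ifdef CONFIG_COMPAT` wrapper around the `in_compat_syscall()` check is redundant, since `in_compat_syscall()` is defined to return false when CONFIG_COMPAT is not set; it only matters for consistency with the existing netlink-side check the commit message refers to, so either drop the ifdef or say in the changelog that it mirrors that code. Placing the return before the `optlen` range check also means a 32 bit caller now gets -EOPNOTSUPP for every socket policy setsockopt on a 64 bit kernel, including calls that used to succeed by accident; that is a user-visible ABI change and should be stated explicitly in the commit message rather than only implied by "refuse to insert".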
--
2.14.1
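The size mismatch the commit message describes comes from alignment: a __u64 member is 8-byte aligned under the x86_64 ABI but only 4-byte aligned under the i386 ABI, so the same member list produces different padding and a different sizeof() on each side. The following is an added example, not code from the thread or from the xfrm subsystem; it uses a constructed stand-in structure (the real struct xfrm_userpolicy_info is larger) and emulates the 32-bit layout with a GCC/Clang packed+aligned(4) attribute so the whole thing runs as one 64-bit program. check_policy_optlen() mirrors the decision the patch makes in user-space form, and the last function shows the "broken configuration" the commit message mentions: a buffer laid out by a 32-bit caller, read with the 64-bit layout, yields a wrong limit and reads past the caller's data. Little-endian byte order is assumed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a policy structure handed to the kernel:
 * a 32-bit flag word followed by a 64-bit limit. Native 64-bit layout:
 * 4 bytes of padding before byte_limit, sizeof == 16. */
struct policy_native {
    uint32_t flags;
    uint64_t byte_limit;
};

/* Same members as a 32-bit (i386 ABI) process would lay them out:
 * uint64_t is only 4-byte aligned there, so no padding, sizeof == 12.
 * packed+aligned(4) is used purely to emulate that ABI inside a 64-bit
 * test program (assumption: GCC/Clang attribute syntax). */
struct policy_compat {
    uint32_t flags;
    uint64_t byte_limit;
} __attribute__((packed, aligned(4)));

/* User-space mirror of the patch's early return: a compat caller is refused
 * outright because the kernel cannot know which layout it was given; the
 * native path then gets a size check. The kernel checks an optlen range
 * (0 < optlen <= PAGE_SIZE) here and per-structure sizes later; this
 * example collapses that into a minimum-size check for clarity. */
int check_policy_optlen(size_t optlen, int in_compat_syscall)
{
    if (in_compat_syscall)
        return -EOPNOTSUPP;
    if (optlen < sizeof(struct policy_native))
        return -EMSGSIZE;
    return 0;
}

/* How many bytes beyond a 32-bit caller's buffer a native-layout parse
 * would read. In the kernel those bytes are whatever follows the copied
 * data, which is the kind of out-of-bounds read KASAN flags. */
size_t overread_bytes_if_parsed_as_native(void)
{
    return sizeof(struct policy_native) - sizeof(struct policy_compat);
}

/* Build the structure the way a 32-bit caller would, then copy it into a
 * native-sized buffer and interpret it with the native layout. The zero
 * padding stands in for memory the kernel would actually read past the
 * caller's 12 bytes. With limit = 0x1122334455667788 the native read
 * lands on the upper half of the compat limit plus 4 zero bytes. */
uint64_t native_limit_seen_from_compat_buffer(uint64_t limit)
{
    struct policy_compat c = { .flags = 1, .byte_limit = limit };
    unsigned char buf[sizeof(struct policy_native)];
    struct policy_native n;

    memset(buf, 0, sizeof(buf));
    memcpy(buf, &c, sizeof(c));   /* bytes as supplied by the 32-bit caller */
    memcpy(&n, buf, sizeof(n));   /* kernel-side interpretation, native layout */
    return n.byte_limit;
}
```

The point of the last function is that nothing in the byte stream tells the kernel which ABI produced it, which is why the patch refuses compat callers instead of trying to guess; a proper fix would translate the 32-bit layout explicitly, which is what a compat layer does.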