Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone
From: Dmitry Vyukov
Date: Mon Mar 27 2017 - 10:26:36 EST
On Mon, Mar 27, 2017 at 3:57 PM, David Ahern <dsa@xxxxxxxxxxxxxxxxxxx> wrote:
> On 3/27/17 6:42 AM, Dmitry Vyukov wrote:
>> A friendly ping. This still happens all the time for us.
>
> Haven't looked at this in a couple of weeks. I have syzkaller installed
> on a machine locally and never was able to reproduce this ipv6 problem.
> I am using a jessie rootfs; from the syzkaller files I take it you are
> using wheezy. Should not matter but as I recall there are differences in
> sysctl settings. Regardless, can you send me the output of 'sysctl
> net.ipv6'?
Hi David,
So you have syzkaller running locally. Great!
Yes, we are using wheezy. I've attached the output of sysctl net.ipv6.
We are also using "sandbox": "namespace" parameter in config, which
enables USER_NS-based sandboxing. It can be relevant as it results in
lots of network namespaces being created and destroyed. Also the TUN
config can have an effect as it makes syzkaller create/destroy private
interfaces. Also make sure to enable CONFIG_KASAN as it detects most
of the failure modes, and CONFIG_KCOV which allows syzkaller to use
coverage guidance. I've attached my config.
Also try to bump count and procs parameters in syzkaller config.
"procs" is the number of parallel test processes per VM, we usually use 8.
"count" is the number of VMs to create, a reasonable number depends on the
amount of RAM you have. Both should increase fuzzing speed and
increase probability of hitting the crash.
We currently hit 20-40 crashes per day with 40 test VMs.
> It is spring break week here, and I am taking a couple of days off. With
> netdev next week, I realistically won't have time to come back to this
> for 2-3 weeks.
No problem. Just wanted to make sure that it's not completely
forgotten. Thanks for looking into this.
Attachment: net.ipv6.sysctl (Description: Binary data)
Attachment: .config.syz (Description: Binary data)
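The knobs Dmitry lists above (the "namespace" sandbox, "procs", and the VM "count") live in the syz-manager config file. The following is an added illustration, not the .config.syz attached to the mail or any file from the thread: all paths, the VM count and the http address are placeholders, and the nested "vm" section with "count" inside it follows the later upstream syzkaller config layout, which is an assumption and may differ from the flat layout in use in 2017.

```json
{
  "target": "linux/amd64",
  "http": "127.0.0.1:56741",
  "workdir": "/home/user/syzkaller/workdir",
  "kernel_obj": "/home/user/linux",
  "image": "/home/user/image/wheezy.img",
  "sshkey": "/home/user/image/ssh/id_rsa",
  "syzkaller": "/home/user/go/src/github.com/google/syzkaller",
  "sandbox": "namespace",
  "procs": 8,
  "type": "qemu",
  "vm": {
    "count": 40,
    "cpu": 2,
    "mem": 2048,
    "kernel": "/home/user/linux/arch/x86/boot/bzImage"
  }
}
```

"sandbox": "namespace" only works if the guest kernel was built with CONFIG_USER_NS=y, and the KASAN reports and coverage guidance mentioned in the mail require CONFIG_KASAN=y and CONFIG_KCOV=y in the same kernel .config; with 40 VMs at 2048 MB each the host needs roughly 80 GB of RAM, which is why "count" has to be sized to the machine.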