Re: KASAN: slab-out-of-bounds Read in bitmap_ip_add
From: Linus Torvalds
Date: Fri Jan 31 2020 - 15:57:45 EST
On Sun, Jan 26, 2020 at 8:01 PM syzbot
<syzbot+f3e96783d74ee8ea9aa3@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> syzbot has bisected this bug to:
Ok, the bisection is obviously bogus - it just points to where the
KASAN support was added to _notice_ the problem.
But is somebody looking at the actual KASAN report itself?
https://syzkaller.appspot.com/bug?extid=f3e96783d74ee8ea9aa3
It does look like nfnetlink_rcv_msg() ends up looking at a bit:
bitmap_ip_do_add net/netfilter/ipset/ip_set_bitmap_ip.c:83 [inline]
bitmap_ip_add+0xef/0xe60 net/netfilter/ipset/ip_set_bitmap_gen.h:136
bitmap_ip_uadt+0x73e/0xa10 net/netfilter/ipset/ip_set_bitmap_ip.c:186
call_ad+0x1a0/0x5a0 net/netfilter/ipset/ip_set_core.c:1716
ip_set_ad.isra.0+0x572/0xb20 net/netfilter/ipset/ip_set_core.c:1804
ip_set_uadd+0x37/0x50 net/netfilter/ipset/ip_set_core.c:1829
nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
that is past the allocation:
ip_set_alloc+0x38/0x5e net/netfilter/ipset/ip_set_core.c:255
init_map_ip net/netfilter/ipset/ip_set_bitmap_ip.c:223 [inline]
bitmap_ip_create+0x6ec/0xc20 net/netfilter/ipset/ip_set_bitmap_ip.c:327
ip_set_create+0x6f1/0x1500 net/netfilter/ipset/ip_set_core.c:1111
nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
Maybe this has already been fixed, but I'm just trying to follow up on
the syzbot report.
Linus
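The two stack traces above say the bitmap is sized in one place (init_map_ip, at create time) and indexed in another (bitmap_ip_do_add, at add time), and that the index ends up past the allocation. The userland model below, added here as an illustration and not code from the kernel's ip_set_bitmap_ip.c or from Linus's message, shows what keeps those two places consistent: the number of bits is derived from the first..last range and a hosts-per-bit factor at create time, and every add or test recomputes the bit index from the address and rejects it if it falls outside the range or beyond the allocated elements. The struct layout, the function names (ipbm_*), the hosts parameter and the sample addresses are all assumptions for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a userland model of a bitmap-backed IP set.  Not the
 * kernel's code; names, layout and the 'hosts' parameter are assumptions. */
#define BITS_PER_LONG (8 * sizeof(unsigned long))
#define IPV4(a, b, c, d) \
	(((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct ipbm_set {
	uint32_t first_ip;      /* inclusive, host byte order */
	uint32_t last_ip;       /* inclusive, host byte order */
	uint32_t hosts;         /* addresses covered by one bit (1 == one bit per /32) */
	uint32_t elements;      /* number of valid bit indices, fixed at create time */
	size_t map_bytes;       /* size of the allocation backing 'map' */
	unsigned long *map;
};

/* Bytes needed to hold 'elements' bits, rounded up to whole longs. */
size_t ipbm_bytes(uint32_t elements)
{
	uint64_t longs = ((uint64_t)elements + BITS_PER_LONG - 1) / BITS_PER_LONG;
	return (size_t)(longs * sizeof(unsigned long));
}

/* Size and allocate the map from the range (the create-time side). 0 or -errno. */
int ipbm_create(struct ipbm_set *s, uint32_t first, uint32_t last, uint32_t hosts)
{
	if (last < first || hosts == 0)
		return -EINVAL;
	/* 64-bit arithmetic: a 0.0.0.0-255.255.255.255 range would wrap in 32 bits. */
	uint64_t span = (uint64_t)last - first + 1;
	uint64_t elements = (span + hosts - 1) / hosts;
	if (elements > UINT32_MAX)
		return -ERANGE;
	memset(s, 0, sizeof(*s));
	s->first_ip = first;
	s->last_ip = last;
	s->hosts = hosts;
	s->elements = (uint32_t)elements;
	s->map_bytes = ipbm_bytes(s->elements);
	s->map = calloc(1, s->map_bytes);
	return s->map ? 0 : -ENOMEM;
}

void ipbm_destroy(struct ipbm_set *s)
{
	free(s->map);
	s->map = NULL;
}

/* Map an address to its bit index (the add-time side).  The range check
 * rejects addresses outside the set; the elements check is the guard against
 * indexing past the allocation that a slab-out-of-bounds read on the bitmap
 * would indicate is missing or miscomputed. */
int ipbm_id(const struct ipbm_set *s, uint32_t ip, uint32_t *id)
{
	if (ip < s->first_ip || ip > s->last_ip)
		return -ERANGE;
	uint32_t i = (ip - s->first_ip) / s->hosts;
	if (i >= s->elements)
		return -EOVERFLOW;
	*id = i;
	return 0;
}

/* 1 if newly added, 0 if already present, -errno if it cannot be indexed. */
int ipbm_add(struct ipbm_set *s, uint32_t ip)
{
	uint32_t id;
	int rc = ipbm_id(s, ip, &id);
	if (rc)
		return rc;
	unsigned long mask = 1UL << (id % BITS_PER_LONG);
	if (s->map[id / BITS_PER_LONG] & mask)
		return 0;
	s->map[id / BITS_PER_LONG] |= mask;
	return 1;
}

/* 1 if present, 0 if absent, -errno if it cannot be indexed. */
int ipbm_test(const struct ipbm_set *s, uint32_t ip)
{
	uint32_t id;
	int rc = ipbm_id(s, ip, &id);
	if (rc)
		return rc;
	return (int)((s->map[id / BITS_PER_LONG] >> (id % BITS_PER_LONG)) & 1UL);
}

/* Add every address in from..to; number of new entries, or -errno on the
 * first address that cannot be indexed (earlier additions stay in place). */
int ipbm_add_range(struct ipbm_set *s, uint32_t from, uint32_t to)
{
	if (to < from)
		return -EINVAL;
	int added = 0;
	for (uint64_t ip = from; ip <= to; ip++) {
		int rc = ipbm_add(s, (uint32_t)ip);
		if (rc < 0)
			return rc;
		added += rc;
	}
	return added;
}
```

The point of keeping ipbm_id as the single place that turns an address into an index is that the sizing rule in ipbm_create and the indexing rule here cannot drift apart without the elements check catching it; with hosts greater than 1 the same /30 maps to the same bit, and any address outside first..last or any index at or past elements is refused before the map is touched.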