Re: [syzbot] UBSAN: shift-out-of-bounds in xfrm_selector_match

From: Dmitry Vyukov
Date: Tue Jun 15 2021 - 01:52:07 EST

Next message: Greg Kroah-Hartman: "Re: [PATCH 5.10 000/130] 5.10.44-rc2 review"
Previous message: ChunyouTang: "[PATCH 2/2] drm/panfrost:report the full raw fault information instead"
In reply to: Herbert Xu: "Re: [syzbot] UBSAN: shift-out-of-bounds in xfrm_selector_match"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jun 15, 2021 at 7:32 AM Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Thu, Jun 10, 2021 at 12:19:26PM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 13c62f53 net/sched: act_ct: handle DNAT tuple collision
> > git tree: net
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16635470300000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=770708ea7cfd4916
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e4c1dd36fc6b98c50859
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+e4c1dd36fc6b98c50859@xxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > UBSAN: shift-out-of-bounds in ./include/net/xfrm.h:838:23
> > shift exponent -64 is negative
> > CPU: 0 PID: 12625 Comm: syz-executor.1 Not tainted 5.13.0-rc3-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> > __dump_stack lib/dump_stack.c:79 [inline]
> > dump_stack+0x141/0x1d7 lib/dump_stack.c:120
> > ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
> > __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
> > addr4_match include/net/xfrm.h:838 [inline]
> > __xfrm4_selector_match net/xfrm/xfrm_policy.c:201 [inline]
> > xfrm_selector_match.cold+0x35/0x3a net/xfrm/xfrm_policy.c:227
> > xfrm_state_look_at+0x16d/0x440 net/xfrm/xfrm_state.c:1022
>
> This appears to be an xfrm_state object with an IPv4 selector
> that somehow has a prefixlen (d or s) of 96.
>
> AFAICS this is not possible through xfrm_user. OTOH it is not
> obvious that af_key is entirely consistent in how it verifies
> the prefix length, in particular, it seems to be possible for
> two addresses with conflicting families to be provided as src/dst.
>
> Can you confirm that this is indeed using af_key (a quick read
> of the syzbot log seems to indicate that this is the case)?

Hi Herbert,

This was triggered by this program and, yes, it creates an AF_KEY socket:

18:01:48 executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
socket$key(0xf, 0x3, 0x2)
bind$inet(r0, &(0x7f00000001c0)={0x2, 0x0, @local}, 0x10)
socketpair$tipc(0x1e, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff,
<r1=>0xffffffffffffffff})
ioctl$TUNSETLINK(r1, 0x8912, 0x400308)
connect$inet(r0, &(0x7f0000000480)={0x2, 0x0, @multicast2}, 0x10)
setsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11,
&(0x7f0000000080)={{{@in6=@ipv4={'\x00', '\xff\xff', @dev},
@in6=@private0, 0x0, 0xfffc, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0,
0xee01}, {0x2}, {}, 0x0, 0x0, 0x1}, {{@in, 0x0, 0x32}, 0x0,
@in6=@loopback, 0x0, 0x0, 0x0, 0xb7}}, 0xe8)
socket$key(0xf, 0x3, 0x2)
sendmmsg(r0, &(0x7f0000007fc0), 0x800001d, 0x0)

Next message: Greg Kroah-Hartman: "Re: [PATCH 5.10 000/130] 5.10.44-rc2 review"
Previous message: ChunyouTang: "[PATCH 2/2] drm/panfrost:report the full raw fault information instead"
In reply to: Herbert Xu: "Re: [syzbot] UBSAN: shift-out-of-bounds in xfrm_selector_match"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]