Re: Any idea to fix the recursive call in tls_setsockopt?
From: Pavel Skripkin
Date: Sat Oct 02 2021 - 08:53:05 EST
On 10/2/21 11:38, Dongliang Mu wrote:
[ +CC netdev, LKML ]
BUG: stack guard page was hit at ffffc90000b87ff8 (stack is
ffffc90000b88000..ffffc90000b8bfff)
kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP
RIP: 0010:tls_setsockopt+0xe/0x650 net/tls/tls_main.c:617
Call Trace:
tls_setsockopt+0x6a/0x650 net/tls/tls_main.c:621
......
tls_setsockopt+0x6a/0x650 net/tls/tls_main.c:621
tls_setsockopt+0x6a/0x650 net/tls/tls_main.c:621
__sys_setsockopt+0x1b0/0x360 net/socket.c:2176
__do_sys_setsockopt net/socket.c:2187 [inline]
__se_sys_setsockopt net/socket.c:2184 [inline]
__x64_sys_setsockopt+0x22/0x30 net/socket.c:2184
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
My local syzkaller instance finds this bug, however, I am not sure how
to fix it. So I post the bug report here to seek help. The
implementation of tls_setsockopt is as follows:
static int tls_setsockopt(struct sock *sk, int level, int optname,
sockptr_t optval, unsigned int optlen)
{
struct tls_context *ctx = tls_get_ctx(sk);
if (level != SOL_TLS)
return ctx->sk_proto->setsockopt(sk, level, optname, optval,
optlen);
return do_tls_setsockopt(sk, optname, optval, optlen);
}
Since I am not familiar with this part code, the fix in my mind is to
do a sanity check on "ctx->sk_proto->setsockopt" and make sure it is
not tls_setsockopt.
Any comment here?
--
My best regards to you.
No System Is Safe!
Dongliang Mu
With regards,
Pavel Skripkin