date:20220913

Re: [syzbot] linux-next test error: WARNING in set_peer

2022-09-13 Thread Kees Cook

On Tue, Sep 13, 2022 at 12:51:42PM -0700, syzbot wrote:
> memcpy: detected field-spanning write (size 28) of single field 
> "" at drivers/net/wireguard/netlink.c:446 (size 16)

This is one way to fix it:

diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c
index 0c0644e762e5..dbbeba216530 100644
--- a/drivers/net/wireguard/netlink.c
+++ b/drivers/net/wireguard/netlink.c
@@ -434,16 +434,16 @@ static int set_peer(struct wg_device *wg, struct nlattr 
**attrs)
}
 
if (attrs[WGPEER_A_ENDPOINT]) {
-   struct sockaddr *addr = nla_data(attrs[WGPEER_A_ENDPOINT]);
+   struct endpoint *raw = nla_data(attrs[WGPEER_A_ENDPOINT]);
size_t len = nla_len(attrs[WGPEER_A_ENDPOINT]);
 
if ((len == sizeof(struct sockaddr_in) &&
-addr->sa_family == AF_INET) ||
+raw->addr.sa_family == AF_INET) ||
(len == sizeof(struct sockaddr_in6) &&
-addr->sa_family == AF_INET6)) {
+raw->addr.sa_family == AF_INET6)) {
struct endpoint endpoint = { { { 0 } } };
 
-   memcpy(, addr, len);
+   memcpy(, >addrs, len);
wg_socket_set_peer_endpoint(peer, );
}
}
diff --git a/drivers/net/wireguard/peer.h b/drivers/net/wireguard/peer.h
index 76e4d3128ad4..4fbe7940828b 100644
--- a/drivers/net/wireguard/peer.h
+++ b/drivers/net/wireguard/peer.h
@@ -19,11 +19,13 @@
 struct wg_device;
 
 struct endpoint {
-   union {
-   struct sockaddr addr;
-   struct sockaddr_in addr4;
-   struct sockaddr_in6 addr6;
-   };
+   struct_group(addrs,
+   union {
+   struct sockaddr addr;
+   struct sockaddr_in addr4;
+   struct sockaddr_in6 addr6;
+   };
+   );
union {
struct {
struct in_addr src4;


diffoscope shows the bounds check gets updated to the full union size:
│ - cmp$0x11,%edx
│ + cmp$0x1d,%edx

and the field name changes in the warning:
$ strings clang/drivers/net/wireguard/netlink.o.after | grep ^field
field "" at drivers/net/wireguard/netlink.c:446


-- 
Kees Cook

[syzbot] linux-next test error: WARNING in set_peer

2022-09-13 Thread syzbot

Hello,

syzbot found the following issue on:

HEAD commit:0caac1da9949 Add linux-next specific files for 20220913
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=172d78d888
kernel config:  https://syzkaller.appspot.com/x/.config?x=2fd6142ea1cf631c
dashboard link: https://syzkaller.appspot.com/bug?extid=a448cda4dba2dac50de5
compiler:   gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for 
Debian) 2.35.2

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/4916ab25f774/disk-0caac1da.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/16dace3b273b/vmlinux-0caac1da.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a448cda4dba2dac50...@syzkaller.appspotmail.com

netdevsim netdevsim0 netdevsim1: renamed from eth1
netdevsim netdevsim0 netdevsim2: renamed from eth2
netdevsim netdevsim0 netdevsim3: renamed from eth3
[ cut here ]
memcpy: detected field-spanning write (size 28) of single field 
"" at drivers/net/wireguard/netlink.c:446 (size 16)
WARNING: CPU: 0 PID: 3616 at drivers/net/wireguard/netlink.c:446 
set_peer+0x991/0x10c0 drivers/net/wireguard/netlink.c:446
Modules linked in:
CPU: 0 PID: 3616 Comm: syz-executor.0 Not tainted 
6.0.0-rc5-next-20220913-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
08/26/2022
RIP: 0010:set_peer+0x991/0x10c0 drivers/net/wireguard/netlink.c:446
Code: 00 e8 63 30 b3 fc b9 10 00 00 00 48 c7 c2 00 4c 72 8a be 1c 00 00 00 48 
c7 c7 60 4c 72 8a c6 05 d0 e7 02 09 01 e8 f1 d7 74 04 <0f> 0b e9 03 04 00 00 e8 
33 30 b3 fc 89 ee 44 89 ef e8 79 2c b3 fc
RSP: 0018:c90003d4f540 EFLAGS: 00010282
RAX:  RBX: c90003d4f6d8 RCX: 
RDX: 888072ed57c0 RSI: 81611eb8 RDI: f520007a9e9a
RBP: c90003d4f5e8 R08: 0005 R09: 
R10: 8000 R11: 7720676e696e6e6d R12: 001c
R13:  R14: 888072f1d104 R15: 888024cb0960
FS:  5616b400() GS:8880b9a0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7fa5644d32c0 CR3: 6e43c000 CR4: 003506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 
 wg_set_device+0x8d7/0x11b0 drivers/net/wireguard/netlink.c:589
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:731
 genl_family_rcv_msg net/netlink/genetlink.c:778 [inline]
 genl_rcv_msg+0x3b7/0x630 net/netlink/genetlink.c:795
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2540
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:806
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:734
 __sys_sendto+0x236/0x340 net/socket.c:2117
 __do_sys_sendto net/socket.c:2129 [inline]
 __se_sys_sendto net/socket.c:2125 [inline]
 __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2125
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fa56343c18c
Code: fa fa ff ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 
24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 
89 ef 48 89 44 24 08 e8 20 fb ff ff 48 8b
RSP: 002b:7ffe4bc97580 EFLAGS: 0293 ORIG_RAX: 002c
RAX: ffda RBX: 7fa5644d4320 RCX: 7fa56343c18c
RDX: 0170 RSI: 7fa5644d4370 RDI: 0005
RBP:  R08: 7ffe4bc975d4 R09: 000c
R10:  R11: 0293 R12: 
R13: 7fa5644d4370 R14: 0005 R15: 
 


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Wireguard iOS crashes after upgrading to XCode 14

2022-09-13 Thread Houman

My existing Wireguard iOS implementation stopped working after
upgrading to Xcode 14 today.
When trying to connect to servers that support only IPv4, then it's
fine. But if the server supports both IPv6 and IPv4 then the tunnel
crashes:

This IPv6 extension in
wireguard-apple/Sources/WireGuardKit/IPAddress+AddrInfo.swift crashes
with a Fatal Error at addrInfo.ai_addr.withMemoryRebound()

The whole extension below:

extension IPv6Address {
init?(addrInfo: addrinfo) {
guard addrInfo.ai_family == AF_INET6 else { return nil }

let addressData = addrInfo.ai_addr.withMemoryRebound(to:
sockaddr_in6.self, capacity: MemoryLayout.size) { ptr ->
Data in
return Data(bytes: _addr, count:
MemoryLayout.size)
}
self.init(addressData)
}
}

Has anyone else experienced this problem?

Thanks,

Re: [syzbot] linux-next test error: WARNING in set_peer

[syzbot] linux-next test error: WARNING in set_peer

Wireguard iOS crashes after upgrading to XCode 14

3 matches

Site Navigation

Mail list logo

Footer information