Re: [syzbot] linux-next test error: WARNING in set_peer
On Tue, Sep 13, 2022 at 12:51:42PM -0700, syzbot wrote: > memcpy: detected field-spanning write (size 28) of single field > "" at drivers/net/wireguard/netlink.c:446 (size 16) This is one way to fix it: diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c index 0c0644e762e5..dbbeba216530 100644 --- a/drivers/net/wireguard/netlink.c +++ b/drivers/net/wireguard/netlink.c @@ -434,16 +434,16 @@ static int set_peer(struct wg_device *wg, struct nlattr **attrs) } if (attrs[WGPEER_A_ENDPOINT]) { - struct sockaddr *addr = nla_data(attrs[WGPEER_A_ENDPOINT]); + struct endpoint *raw = nla_data(attrs[WGPEER_A_ENDPOINT]); size_t len = nla_len(attrs[WGPEER_A_ENDPOINT]); if ((len == sizeof(struct sockaddr_in) && -addr->sa_family == AF_INET) || +raw->addr.sa_family == AF_INET) || (len == sizeof(struct sockaddr_in6) && -addr->sa_family == AF_INET6)) { +raw->addr.sa_family == AF_INET6)) { struct endpoint endpoint = { { { 0 } } }; - memcpy(, addr, len); + memcpy(, >addrs, len); wg_socket_set_peer_endpoint(peer, ); } } diff --git a/drivers/net/wireguard/peer.h b/drivers/net/wireguard/peer.h index 76e4d3128ad4..4fbe7940828b 100644 --- a/drivers/net/wireguard/peer.h +++ b/drivers/net/wireguard/peer.h @@ -19,11 +19,13 @@ struct wg_device; struct endpoint { - union { - struct sockaddr addr; - struct sockaddr_in addr4; - struct sockaddr_in6 addr6; - }; + struct_group(addrs, + union { + struct sockaddr addr; + struct sockaddr_in addr4; + struct sockaddr_in6 addr6; + }; + ); union { struct { struct in_addr src4; diffoscope shows the bounds check gets updated to the full union size: │ - cmp$0x11,%edx │ + cmp$0x1d,%edx and the field name changes in the warning: $ strings clang/drivers/net/wireguard/netlink.o.after | grep ^field field "" at drivers/net/wireguard/netlink.c:446 -- Kees Cook
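Review bot: the netlink.c hunk changes only the memcpy() destination, not the validation: `len` is still accepted only when it equals sizeof(struct sockaddr_in) or sizeof(struct sockaddr_in6), and the short-circuit `&&` still guarantees `raw->addr.sa_family` is read only after `len` is known to cover it, so copying into the 28-byte `addrs` group instead of the 16-byte `addr` member simply gives FORTIFY_SOURCE a destination size that matches the largest accepted `len`, which the diffoscope `cmp $0x11` to `cmp $0x1d` change confirms. Two things to tidy before this goes in: the first argument of both memcpy() lines and of the wg_socket_set_peer_endpoint() call has been eaten in this copy of the mail (they read `memcpy(, addr, len)` and `memcpy(, >addrs, len)`), presumably an `&`-mangling problem, so please check the patch applies from a clean resend; and the commit message should say explicitly that this is a FORTIFY annotation fix with no change to the accepted attribute sizes, so nobody reads it as closing an overflow.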
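Review bot: in the peer.h hunk, struct_group() keeps `addr`, `addr4` and `addr6` reachable under their existing names while adding the `addrs` tag, so no other user of struct endpoint needs to change, but the hunk adds no include for the macro (it lives in linux/stddef.h); please confirm peer.h already pulls that in. A short comment above the group saying it exists so that a memcpy() of a full sockaddr_in6 is seen as a write to one 28-byte field rather than to the 16-byte `addr` member would also help, otherwise a later cleanup may fold the group away and bring the warning back.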
[syzbot] linux-next test error: WARNING in set_peer
Hello,

syzbot found the following issue on:

HEAD commit:    0caac1da9949 Add linux-next specific files for 20220913
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=172d78d888
kernel config:  https://syzkaller.appspot.com/x/.config?x=2fd6142ea1cf631c
dashboard link: https://syzkaller.appspot.com/bug?extid=a448cda4dba2dac50de5
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4916ab25f774/disk-0caac1da.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/16dace3b273b/vmlinux-0caac1da.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a448cda4dba2dac50...@syzkaller.appspotmail.com

netdevsim netdevsim0 netdevsim1: renamed from eth1
netdevsim netdevsim0 netdevsim2: renamed from eth2
netdevsim netdevsim0 netdevsim3: renamed from eth3
[ cut here ]
memcpy: detected field-spanning write (size 28) of single field "" at drivers/net/wireguard/netlink.c:446 (size 16)
WARNING: CPU: 0 PID: 3616 at drivers/net/wireguard/netlink.c:446 set_peer+0x991/0x10c0 drivers/net/wireguard/netlink.c:446
Modules linked in:
CPU: 0 PID: 3616 Comm: syz-executor.0 Not tainted 6.0.0-rc5-next-20220913-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
RIP: 0010:set_peer+0x991/0x10c0 drivers/net/wireguard/netlink.c:446
Call Trace:
 wg_set_device+0x8d7/0x11b0 drivers/net/wireguard/netlink.c:589
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:731
 genl_family_rcv_msg net/netlink/genetlink.c:778 [inline]
 genl_rcv_msg+0x3b7/0x630 net/netlink/genetlink.c:795
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2540
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:806
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:734
 __sys_sendto+0x236/0x340 net/socket.c:2117
 __do_sys_sendto net/socket.c:2129 [inline]
 __se_sys_sendto net/socket.c:2125 [inline]
 __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2125
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fa56343c18c

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Wireguard iOS crashes after upgrading to XCode 14
My existing Wireguard iOS implementation stopped working after upgrading to Xcode 14 today. When trying to connect to servers that support only IPv4, it's fine. But if the server supports both IPv6 and IPv4, then the tunnel crashes.

This IPv6 extension in wireguard-apple/Sources/WireGuardKit/IPAddress+AddrInfo.swift crashes with a Fatal Error at addrInfo.ai_addr.withMemoryRebound(). The whole extension below:

    extension IPv6Address {
        init?(addrInfo: addrinfo) {
            guard addrInfo.ai_family == AF_INET6 else { return nil }
            // Rebinds the sockaddr pointer to sockaddr_in6 and copies out the 16-byte sin6_addr
            let addressData = addrInfo.ai_addr.withMemoryRebound(to: sockaddr_in6.self, capacity: MemoryLayout<sockaddr_in6>.size) { ptr -> Data in
                return Data(bytes: &ptr.pointee.sin6_addr, count: MemoryLayout<in6_addr>.size)
            }
            self.init(addressData)
        }
    }

Has anyone else experienced this problem?

Thanks,
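A defensive way to read the address out of an `addrinfo` that avoids the rebind entirely, as an added example that is not wireguard-apple's code (`loadSockaddr`, `addressBytes(from:)` and the 2001:db8::1 sample are mine). The `capacity:` argument of `withMemoryRebound` counts elements of the target type, not bytes, so `MemoryLayout<sockaddr_in6>.size` asks for 28 `sockaddr_in6` values behind a single 16-byte `sockaddr`; I assume that is what the stricter Swift 5.7 runtime shipped with Xcode 14 rejects, so the example validates `ai_addrlen` and copies the bytes instead.

```swift
import Foundation

// Copy a fixed-size C struct out of raw memory without rebinding the pointer's
// declared type (no withMemoryRebound, so no capacity argument to get wrong).
// Returns nil when the caller-supplied length cannot cover the whole struct.
func loadSockaddr<T>(_ type: T.Type, from raw: UnsafeRawPointer, length: socklen_t) -> T? {
    guard Int(length) >= MemoryLayout<T>.size else { return nil }
    let tmp = UnsafeMutablePointer<T>.allocate(capacity: 1)
    defer { tmp.deallocate() }
    UnsafeMutableRawPointer(tmp).copyMemory(from: raw, byteCount: MemoryLayout<T>.size)
    return tmp.pointee
}

// Returns the raw address bytes (4 for AF_INET, 16 for AF_INET6) of a resolver
// result, checking both ai_family and ai_addrlen before touching the memory.
func addressBytes(from info: addrinfo) -> [UInt8]? {
    guard let addr = info.ai_addr else { return nil }
    let raw = UnsafeRawPointer(addr)
    switch info.ai_family {
    case AF_INET:
        guard let sin = loadSockaddr(sockaddr_in.self, from: raw, length: info.ai_addrlen) else { return nil }
        return withUnsafeBytes(of: sin.sin_addr) { Array($0) }
    case AF_INET6:
        guard let sin6 = loadSockaddr(sockaddr_in6.self, from: raw, length: info.ai_addrlen) else { return nil }
        return withUnsafeBytes(of: sin6.sin6_addr) { Array($0) }
    default:
        return nil
    }
}

// Constructed sample input (not from a real getaddrinfo() call): an IPv6 entry
// for the documentation address 2001:db8::1 on the WireGuard default port.
var sample = sockaddr_in6()
sample.sin6_family = sa_family_t(AF_INET6)
sample.sin6_port = in_port_t(51820).bigEndian
_ = "2001:db8::1".withCString { inet_pton(AF_INET6, $0, &sample.sin6_addr) }

let hex = withUnsafeMutablePointer(to: &sample) { p -> String? in
    var info = addrinfo()
    info.ai_family = AF_INET6
    info.ai_addrlen = socklen_t(MemoryLayout<sockaddr_in6>.size)
    // A sockaddr_in6 may be viewed through a sockaddr pointer; assumingMemoryBound
    // performs no checked rebind, it only states the type already in memory.
    info.ai_addr = UnsafeMutableRawPointer(p).assumingMemoryBound(to: sockaddr.self)
    return addressBytes(from: info).map { bytes in
        bytes.map { b -> String in let s = String(b, radix: 16); return s.count == 1 ? "0" + s : s }.joined()
    }
}
print(hex ?? "no address")
```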