Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Eric Dumazet 
On Mon, 2016-03-28 at 19:54 -0400, David Miller wrote:
> From: Eric Dumazet 
> Date: Mon, 28 Mar 2016 13:51:46 -0700
> 
> > On Mon, 2016-03-28 at 13:46 -0700, Eric Dumazet wrote:
> > 
> >> We have at least 384 bytes of padding in skb->head (this is struct
> >> skb_shared_info).
> >> 
> >> Whatever garbage we might read, current code is fine.
> >> 
> >> We have to deal with a false positive here.
> > 
> > Very similar to the one fixed in 
> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=10ec9472f05b45c94db3c854d22581a20b97db41
> 
> I don't see them as similar.
> 
> The current options code we are talking about here never references
> past legitimate parts of the packet data.  We always check 'length',
> and we never access past the boundary it describes.
> 
> This was the entire point of my posting.
> 
> Talking about padding, rather than the logical correctness of the
> code, is therefore a distraction I think :-)

Not really, we do read one out of bound byte David.

length = 1;
...
while (length > 0) {
int opcode = *ptr++; // Note that length is still 1
switch (opcode) {
...
default:
opsize = *ptr++; // Note that length is still 1


...
length -= opsize;
}

So we do read 2 bytes, while length was 1.

opsize definitely can read garbage.
Call it padding or redzone or whatever ;)


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread David Miller 
From: Eric Dumazet 
Date: Mon, 28 Mar 2016 13:51:46 -0700

> On Mon, 2016-03-28 at 13:46 -0700, Eric Dumazet wrote:
> 
>> We have at least 384 bytes of padding in skb->head (this is struct
>> skb_shared_info).
>> 
>> Whatever garbage we might read, current code is fine.
>> 
>> We have to deal with a false positive here.
> 
> Very similar to the one fixed in 
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=10ec9472f05b45c94db3c854d22581a20b97db41

I don't see them as similar.

The current options code we are talking about here never references
past legitimate parts of the packet data.  We always check 'length',
and we never access past the boundary it describes.

This was the entire point of my posting.

Talking about padding, rather than the logical correctness of the
code, is therefore a distraction I think :-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread David Miller 
From: Jan Engelhardt 
Date: Mon, 28 Mar 2016 22:20:39 +0200 (CEST)

> 
> On Monday 2016-03-28 21:29, David Miller wrote:
 > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb,
 > >   length--;
 > >   continue;
 > >   default:
 > > +if (length < 2)
 > > +return;
 > >   opsize = *ptr++;
 > >   if (opsize < 2) /* "silly options" */
 > >   return;
>>
>>I'm trying to figure out how this can even matter.
>>If we are in the loop, length is at least one.
>>That means it is legal to read the opsize byte.
> 
> Is that because the skbuff is always padded to a multiple of (at
> least) two?

No, it's because length is at least one, so we can read one byte.

And then before we read more, we make sure length is at least opsize
which is at least two.

This has nothing to do with padding, and everything to do logically
with the code.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Eric Dumazet 
On Mon, 2016-03-28 at 23:11 +0200, Jozsef Kadlecsik wrote:

> In net/netfilter/nf_conntrack_proto_tcp.c we copy the options into a 
> buffer with skb_header_pointer(), so it's not a false positive there and 
> the KASAN report referred to that part.
> 

Although the out of bound could be one extra byte,
if skb_header_bpointer() had to copy something (since it also might
return a pointer inside skb->head)

No arch would possibly fault here.

So reading one byte on the stack is fooling KASAN, but no ill effect
would actually happen.

If the read byte is < 2, the function would return because of

 if (opsize < 2)
return;

If the read byte is >= 2, the function would return because of
if (opsize > length)
return; /* don't parse partial options */


(Since we care here of the case where length == 1)

No big deal, it is probably better to 'fix' the code so that it pleases
dynamic checkers.






--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Jozsef Kadlecsik 
On Mon, 28 Mar 2016, Eric Dumazet wrote:

> On Mon, 2016-03-28 at 22:20 +0200, Jan Engelhardt wrote:
> > On Monday 2016-03-28 21:29, David Miller wrote:
> > >>> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff 
> > >>> > > *skb,
> > >>> > >   length--;
> > >>> > >   continue;
> > >>> > >   default:
> > >>> > > +if (length < 2)
> > >>> > > +return;
> > >>> > >   opsize = *ptr++;
> > >>> > >   if (opsize < 2) /* "silly options" */
> > >>> > >   return;
> > >
> > >I'm trying to figure out how this can even matter.
> > >If we are in the loop, length is at least one.
> > >That means it is legal to read the opsize byte.
> > 
> > Is that because the skbuff is always padded to a multiple of (at
> > least) two? Maybe such padding is explicitly foregone when ASAN is in
> > place. After all, glibc, in userspace, is likely to do padding as
> > well for malloc, and yet, ASAN catches these cases.

There might be a TCP option combination, which is "properly" padded but 
broken, like (wscale, wscale-value, mss) where the mss-value is missing.

> We have at least 384 bytes of padding in skb->head (this is struct
> skb_shared_info).
> 
> Whatever garbage we might read, current code is fine.
> 
> We have to deal with a false positive here.

In net/netfilter/nf_conntrack_proto_tcp.c we copy the options into a 
buffer with skb_header_pointer(), so it's not a false positive there and 
the KASAN report referred to that part.

I thought it's valid for tcp_parse_options() too, but then I'm wrong so 
at least the part from the patch for tcp_input.c can be dropped.

Best regards,
Jozsef
-
E-mail  : kad...@blackhole.kfki.hu, kadlecsik.joz...@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
  H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Eric Dumazet 
On Mon, 2016-03-28 at 13:46 -0700, Eric Dumazet wrote:

> We have at least 384 bytes of padding in skb->head (this is struct
> skb_shared_info).
> 
> Whatever garbage we might read, current code is fine.
> 
> We have to deal with a false positive here.

Very similar to the one fixed in 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=10ec9472f05b45c94db3c854d22581a20b97db41



--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Eric Dumazet 
On Mon, 2016-03-28 at 22:20 +0200, Jan Engelhardt wrote:
> On Monday 2016-03-28 21:29, David Miller wrote:
> >>> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff 
> >>> > > *skb,
> >>> > >   length--;
> >>> > >   continue;
> >>> > >   default:
> >>> > > +if (length < 2)
> >>> > > +return;
> >>> > >   opsize = *ptr++;
> >>> > >   if (opsize < 2) /* "silly options" */
> >>> > >   return;
> >
> >I'm trying to figure out how this can even matter.
> >If we are in the loop, length is at least one.
> >That means it is legal to read the opsize byte.
> 
> Is that because the skbuff is always padded to a multiple of (at
> least) two? Maybe such padding is explicitly foregone when ASAN is in
> place. After all, glibc, in userspace, is likely to do padding as
> well for malloc, and yet, ASAN catches these cases.

We have at least 384 bytes of padding in skb->head (this is struct
skb_shared_info).

Whatever garbage we might read, current code is fine.

We have to deal with a false positive here.




--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Jan Engelhardt 

On Monday 2016-03-28 21:29, David Miller wrote:
>>> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb,
>>> > >   length--;
>>> > >   continue;
>>> > >   default:
>>> > > +if (length < 2)
>>> > > +return;
>>> > >   opsize = *ptr++;
>>> > >   if (opsize < 2) /* "silly options" */
>>> > >   return;
>
>I'm trying to figure out how this can even matter.
>If we are in the loop, length is at least one.
>That means it is legal to read the opsize byte.

Is that because the skbuff is always padded to a multiple of (at
least) two? Maybe such padding is explicitly foregone when ASAN is in
place. After all, glibc, in userspace, is likely to do padding as
well for malloc, and yet, ASAN catches these cases.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Eric Dumazet 
On Mon, 2016-03-28 at 15:29 -0400, David Miller wrote:
> From: Jozsef Kadlecsik 
> Date: Mon, 28 Mar 2016 18:48:51 +0200 (CEST)
> 
> >> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb,
> >> > >   length--;
> >> > >   continue;
> >> > >   default:
> >> > > +if (length < 2)
> >> > > +return;
> >> > >   opsize = *ptr++;
> >> > >   if (opsize < 2) /* "silly options" */
> >> > >   return;
> 
> I'm trying to figure out how this can even matter.
> 
> If we are in the loop, length is at least one.
> 
> That means it is legal to read the opsize byte.
> 
> By the next check, opsize is at least 2.
> 
> And then the very next line in this code makes sure length >= opsize:
> 
>   if (opsize > length)
>   return; /* don't parse partial options */
> 
> Therefore no out-of-range access is possible as far as I can see.

Maybe use kasan_disable_current() and kasan_enable_current() to silence
kasan ?

Oh wait, these are not BH safe.




--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread David Miller 
From: Jozsef Kadlecsik 
Date: Mon, 28 Mar 2016 18:48:51 +0200 (CEST)

>> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb,
>> > >   length--;
>> > >   continue;
>> > >   default:
>> > > +if (length < 2)
>> > > +return;
>> > >   opsize = *ptr++;
>> > >   if (opsize < 2) /* "silly options" */
>> > >   return;

I'm trying to figure out how this can even matter.

If we are in the loop, length is at least one.

That means it is legal to read the opsize byte.

By the next check, opsize is at least 2.

And then the very next line in this code makes sure length >= opsize:

if (opsize > length)
return; /* don't parse partial options */

Therefore no out-of-range access is possible as far as I can see.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Pablo Neira Ayuso 
On Mon, Mar 28, 2016 at 06:48:51PM +0200, Jozsef Kadlecsik wrote:
> Hi David, Pablo,
> 
> David, do you agree with the patch for net/ipv4/tcp_input.c? If yes, how 
> should I proceed? Should I send the whole patch to you or is it OK to send 
> to Pablo?

Submit a formal patch and Cc: net...@vger.kernel.org and
netfilter-devel@vger.kernel.org, then we can request David to ack this
if he considers it fine or the other way around (I ack it he takes
it).

Thanks!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Jozsef Kadlecsik 
Hi David, Pablo,

David, do you agree with the patch for net/ipv4/tcp_input.c? If yes, how 
should I proceed? Should I send the whole patch to you or is it OK to send 
to Pablo?

Best regards,
Jozsef

On Mon, 28 Mar 2016, Baozeng Ding wrote:

> 
> 
> On 2016/3/28 10:35, Baozeng Ding wrote:
> > 
> > 
> > On 2016/3/28 6:25, Jozsef Kadlecsik wrote:
> > > On Mon, 28 Mar 2016, Jozsef Kadlecsik wrote:
> > > 
> > > > On Sun, 27 Mar 2016, Baozeng Ding wrote:
> > > > 
> > > > > The following program triggers stack-out-of-bounds in tcp_packet. The
> > > > > kernel version is 4.5 (on Mar 16 commit
> > > > > 09fd671ccb2475436bd5f597f751ca4a7d177aea).
> > > > > Uncovered with syzkaller. Thanks.
> > > > > 
> > > > > ==
> > > > > BUG: KASAN: stack-out-of-bounds in tcp_packet+0x4b77/0x51c0 at addr
> > > > > 8800a45df3c8
> > > > > Read of size 1 by task 0327/11132
> > > > > page:ea00029177c0 count:0 mapcount:0 mapping: (null) index:0x0
> > > > > flags: 0x1fffc00()
> > > > > page dumped because: kasan: bad access detected
> > > > > CPU: 1 PID: 11132 Comm: 0327 Tainted: GB 4.5.0+ #12
> > > > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> > > > > rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
> > > > >   0001 8800a45df148 82945051 8800a45df1d8
> > > > >   8800a45df3c8 0027 0001 8800a45df1c8
> > > > >   81709f88 8800b4f7e3d0 0028 0286
> > > > > Call Trace:
> > > > > [< inline >] __dump_stack /kernel/lib/dump_stack.c:15
> > > > > [] dump_stack+0xb3/0x112 /kernel/lib/dump_stack.c:51
> > > > > [< inline >] print_address_description
> > > > > /kernel/mm/kasan/report.c:150
> > > > > [] kasan_report_error+0x4f8/0x530
> > > > > /kernel/mm/kasan/report.c:236
> > > > > [] ? skb_copy_bits+0x49d/0x6d0
> > > > > /kernel/net/core/skbuff.c:1675
> > > > > [< inline >] ? spin_lock_bh
> > > > > /kernel/include/linux/spinlock.h:307
> > > > > [] ? tcp_packet+0x1c9/0x51c0
> > > > > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:833
> > > > > [< inline >] kasan_report /kernel/mm/kasan/report.c:259
> > > > > [] __asan_report_load1_noabort+0x3e/0x40
> > > > > /kernel/mm/kasan/report.c:277
> > > > > [< inline >] ? tcp_sack
> > > > > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:473
> > > > > [< inline >] ? tcp_in_window
> > > > > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:527
> > > > > [] ? tcp_packet+0x4b77/0x51c0
> > > > > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1036
> > > > > [< inline >] tcp_sack
> > > > > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:473
> > > > > [< inline >] tcp_in_window
> > > > > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:527
> > > > > [] tcp_packet+0x4b77/0x51c0
> > > > > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1036
> > > > > [] ? memset+0x28/0x30 /kernel/mm/kasan/kasan.c:302
> > > > > [] ? tcp_new+0x1a4/0xc20
> > > > > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1122
> > > > > [< inline >] ? build_report /kernel/include/net/netlink.h:499
> > > > > [] ? xfrm_send_report+0x426/0x450
> > > > > /kernel/net/xfrm/xfrm_user.c:3039
> > > > > [] ? tcp_new+0xc20/0xc20
> > > > > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1169
> > > > > [] ? init_conntrack+0xca/0x9e0
> > > > > /kernel/net/netfilter/nf_conntrack_core.c:972
> > > > > [] ? nf_conntrack_alloc+0x40/0x40
> > > > > /kernel/net/netfilter/nf_conntrack_core.c:903
> > > > > [] ? tcp_init_net+0x6e0/0x6e0
> > > > > /kernel/include/net/netfilter/nf_conntrack_l4proto.h:137
> > > > > [] ? ipv4_get_l4proto+0x262/0x390
> > > > > /kernel/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c:89
> > > > > [] ? nf_ct_get_tuple+0xaf/0x190
> > > > > /kernel/net/netfilter/nf_conntrack_core.c:197
> > > > > [] nf_conntrack_in+0x8ee/0x1170
> > > > > /kernel/net/netfilter/nf_conntrack_core.c:1177
> > > > > [] ? init_conntrack+0x9e0/0x9e0
> > > > > /kernel/net/netfilter/nf_conntrack_core.c:287
> > > > > [] ? ipt_do_table+0xa16/0x1260
> > > > > /kernel/net/ipv4/netfilter/ip_tables.c:423
> > > > > [] ? trace_hardirqs_on+0xd/0x10
> > > > > /kernel/kernel/locking/lockdep.c:2635
> > > > > [] ? __local_bh_enable_ip+0x6b/0xc0
> > > > > /kernel/kernel/softirq.c:175
> > > > > [] ? check_entry.isra.4+0x190/0x190
> > > > > /kernel/net/ipv6/netfilter/ip6_tables.c:594
> > > > > [] ? ip_reply_glue_bits+0xc0/0xc0
> > > > > /kernel/net/ipv4/ip_output.c:1530
> > > > > [] ipv4_conntrack_local+0x14e/0x1a0
> > > > > /kernel/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c:161
> > > > > [] ? iptable_raw_hook+0x9d/0x1e0
> > > > > /kernel/net/ipv4/netfilter/iptable_raw.c:32
> > > > > [] nf_iterate+0x15d/0x230
> > > > > /kernel/net/netfilter/core.c:274
> > > > > [] ? nf_iterate+0x230/0x230
> > > > > /kernel/net/netfilter/core.c:268
> > > > > [] nf_hook_slow+0x1ad/0x310
> > > > > /kernel/net/netfilter/core.c:306
> > > > > [] ? nf_i

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Baozeng Ding 



On 2016/3/28 10:35, Baozeng Ding wrote:



On 2016/3/28 6:25, Jozsef Kadlecsik wrote:

On Mon, 28 Mar 2016, Jozsef Kadlecsik wrote:


On Sun, 27 Mar 2016, Baozeng Ding wrote:


The following program triggers stack-out-of-bounds in tcp_packet. The
kernel version is 4.5 (on Mar 16 commit
09fd671ccb2475436bd5f597f751ca4a7d177aea).
Uncovered with syzkaller. Thanks.

==
BUG: KASAN: stack-out-of-bounds in tcp_packet+0x4b77/0x51c0 at addr
8800a45df3c8
Read of size 1 by task 0327/11132
page:ea00029177c0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x1fffc00()
page dumped because: kasan: bad access detected
CPU: 1 PID: 11132 Comm: 0327 Tainted: GB 4.5.0+ #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
  0001 8800a45df148 82945051 8800a45df1d8
  8800a45df3c8 0027 0001 8800a45df1c8
  81709f88 8800b4f7e3d0 0028 0286
Call Trace:
[< inline >] __dump_stack /kernel/lib/dump_stack.c:15
[] dump_stack+0xb3/0x112 /kernel/lib/dump_stack.c:51
[< inline >] print_address_description 
/kernel/mm/kasan/report.c:150

[] kasan_report_error+0x4f8/0x530
/kernel/mm/kasan/report.c:236
[] ? skb_copy_bits+0x49d/0x6d0
/kernel/net/core/skbuff.c:1675
[< inline >] ? spin_lock_bh 
/kernel/include/linux/spinlock.h:307

[] ? tcp_packet+0x1c9/0x51c0
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:833
[< inline >] kasan_report /kernel/mm/kasan/report.c:259
[] __asan_report_load1_noabort+0x3e/0x40
/kernel/mm/kasan/report.c:277
[< inline >] ? tcp_sack
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:473
[< inline >] ? tcp_in_window
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:527
[] ? tcp_packet+0x4b77/0x51c0
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:1036
[< inline >] tcp_sack
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:473
[< inline >] tcp_in_window
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:527
[] tcp_packet+0x4b77/0x51c0
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:1036
[] ? memset+0x28/0x30 /kernel/mm/kasan/kasan.c:302
[] ? tcp_new+0x1a4/0xc20
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:1122
[< inline >] ? build_report /kernel/include/net/netlink.h:499
[] ? xfrm_send_report+0x426/0x450
/kernel/net/xfrm/xfrm_user.c:3039
[] ? tcp_new+0xc20/0xc20
/kernel/net/netfilter/nf_conntrack_proto_tcp.c:1169
[] ? init_conntrack+0xca/0x9e0
/kernel/net/netfilter/nf_conntrack_core.c:972
[] ? nf_conntrack_alloc+0x40/0x40
/kernel/net/netfilter/nf_conntrack_core.c:903
[] ? tcp_init_net+0x6e0/0x6e0
/kernel/include/net/netfilter/nf_conntrack_l4proto.h:137
[] ? ipv4_get_l4proto+0x262/0x390
/kernel/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c:89
[] ? nf_ct_get_tuple+0xaf/0x190
/kernel/net/netfilter/nf_conntrack_core.c:197
[] nf_conntrack_in+0x8ee/0x1170
/kernel/net/netfilter/nf_conntrack_core.c:1177
[] ? init_conntrack+0x9e0/0x9e0
/kernel/net/netfilter/nf_conntrack_core.c:287
[] ? ipt_do_table+0xa16/0x1260
/kernel/net/ipv4/netfilter/ip_tables.c:423
[] ? trace_hardirqs_on+0xd/0x10
/kernel/kernel/locking/lockdep.c:2635
[] ? __local_bh_enable_ip+0x6b/0xc0
/kernel/kernel/softirq.c:175
[] ? check_entry.isra.4+0x190/0x190
/kernel/net/ipv6/netfilter/ip6_tables.c:594
[] ? ip_reply_glue_bits+0xc0/0xc0
/kernel/net/ipv4/ip_output.c:1530
[] ipv4_conntrack_local+0x14e/0x1a0
/kernel/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c:161
[] ? iptable_raw_hook+0x9d/0x1e0
/kernel/net/ipv4/netfilter/iptable_raw.c:32
[] nf_iterate+0x15d/0x230 
/kernel/net/netfilter/core.c:274
[] ? nf_iterate+0x230/0x230 
/kernel/net/netfilter/core.c:268
[] nf_hook_slow+0x1ad/0x310 
/kernel/net/netfilter/core.c:306
[] ? nf_iterate+0x230/0x230 
/kernel/net/netfilter/core.c:268
[] ? nf_iterate+0x230/0x230 
/kernel/net/netfilter/core.c:268

[] ? prandom_u32+0x24/0x30 /kernel/lib/random32.c:83
[] ? ip_idents_reserve+0x9f/0xf0
/kernel/net/ipv4/route.c:484
[< inline >] nf_hook_thresh 
/kernel/include/linux/netfilter.h:187

[< inline >] nf_hook /kernel/include/linux/netfilter.h:197
[] __ip_local_out+0x263/0x3c0
/kernel/net/ipv4/ip_output.c:104
[] ? ip_finish_output+0xd00/0xd00
/kernel/include/net/ip.h:322
[] ? __ip_flush_pending_frames.isra.45+0x2e0/0x2e0
/kernel/net/ipv4/ip_output.c:1337
[] ? __ip_make_skb+0xfe6/0x1610
/kernel/net/ipv4/ip_output.c:1436
[] ip_local_out+0x2d/0x1c0 
/kernel/net/ipv4/ip_output.c:113
[] ip_send_skb+0x3c/0xc0 
/kernel/net/ipv4/ip_output.c:1443

[] ip_push_pending_frames+0x64/0x80
/kernel/net/ipv4/ip_output.c:1463
[< inline >] rcu_read_unlock 
/kernel/include/linux/rcupdate.h:922

[] raw_sendmsg+0x17bb/0x25c0
/kernel/net/ieee802154/socket.c:53
[] ? dst_output+0x190/0x190 
/kernel/include/net/dst.h:492

[< inline >] ? trace_mm_page_alloc
/kernel/include/trace/events/kmem.h:217
[] ? __alloc_pages_nodemask+0x559/0x16b0

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-27 Thread Jozsef Kadlecsik 
On Mon, 28 Mar 2016, Jozsef Kadlecsik wrote:

> On Sun, 27 Mar 2016, Baozeng Ding wrote:
> 
> > The following program triggers stack-out-of-bounds in tcp_packet. The
> > kernel version is 4.5 (on Mar 16 commit
> > 09fd671ccb2475436bd5f597f751ca4a7d177aea).
> > Uncovered with syzkaller. Thanks.
> > 
> > ==
> > BUG: KASAN: stack-out-of-bounds in tcp_packet+0x4b77/0x51c0 at addr
> > 8800a45df3c8
> > Read of size 1 by task 0327/11132
> > page:ea00029177c0 count:0 mapcount:0 mapping:  (null) index:0x0
> > flags: 0x1fffc00()
> > page dumped because: kasan: bad access detected
> > CPU: 1 PID: 11132 Comm: 0327 Tainted: GB   4.5.0+ #12
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> > rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
> >  0001 8800a45df148 82945051 8800a45df1d8
> >  8800a45df3c8 0027 0001 8800a45df1c8
> >  81709f88 8800b4f7e3d0 0028 0286
> > Call Trace:
> > [< inline >] __dump_stack /kernel/lib/dump_stack.c:15
> > [] dump_stack+0xb3/0x112 /kernel/lib/dump_stack.c:51
> > [< inline >] print_address_description /kernel/mm/kasan/report.c:150
> > [] kasan_report_error+0x4f8/0x530
> > /kernel/mm/kasan/report.c:236
> > [] ? skb_copy_bits+0x49d/0x6d0
> > /kernel/net/core/skbuff.c:1675
> > [< inline >] ? spin_lock_bh /kernel/include/linux/spinlock.h:307
> > [] ? tcp_packet+0x1c9/0x51c0
> > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:833
> > [< inline >] kasan_report /kernel/mm/kasan/report.c:259
> > [] __asan_report_load1_noabort+0x3e/0x40
> > /kernel/mm/kasan/report.c:277
> > [< inline >] ? tcp_sack
> > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:473
> > [< inline >] ? tcp_in_window
> > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:527
> > [] ? tcp_packet+0x4b77/0x51c0
> > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1036
> > [< inline >] tcp_sack
> > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:473
> > [< inline >] tcp_in_window
> > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:527
> > [] tcp_packet+0x4b77/0x51c0
> > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1036
> > [] ? memset+0x28/0x30 /kernel/mm/kasan/kasan.c:302
> > [] ? tcp_new+0x1a4/0xc20
> > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1122
> > [< inline >] ? build_report /kernel/include/net/netlink.h:499
> > [] ? xfrm_send_report+0x426/0x450
> > /kernel/net/xfrm/xfrm_user.c:3039
> > [] ? tcp_new+0xc20/0xc20
> > /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1169
> > [] ? init_conntrack+0xca/0x9e0
> > /kernel/net/netfilter/nf_conntrack_core.c:972
> > [] ? nf_conntrack_alloc+0x40/0x40
> > /kernel/net/netfilter/nf_conntrack_core.c:903
> > [] ? tcp_init_net+0x6e0/0x6e0
> > /kernel/include/net/netfilter/nf_conntrack_l4proto.h:137
> > [] ? ipv4_get_l4proto+0x262/0x390
> > /kernel/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c:89
> > [] ? nf_ct_get_tuple+0xaf/0x190
> > /kernel/net/netfilter/nf_conntrack_core.c:197
> > [] nf_conntrack_in+0x8ee/0x1170
> > /kernel/net/netfilter/nf_conntrack_core.c:1177
> > [] ? init_conntrack+0x9e0/0x9e0
> > /kernel/net/netfilter/nf_conntrack_core.c:287
> > [] ? ipt_do_table+0xa16/0x1260
> > /kernel/net/ipv4/netfilter/ip_tables.c:423
> > [] ? trace_hardirqs_on+0xd/0x10
> > /kernel/kernel/locking/lockdep.c:2635
> > [] ? __local_bh_enable_ip+0x6b/0xc0
> > /kernel/kernel/softirq.c:175
> > [] ? check_entry.isra.4+0x190/0x190
> > /kernel/net/ipv6/netfilter/ip6_tables.c:594
> > [] ? ip_reply_glue_bits+0xc0/0xc0
> > /kernel/net/ipv4/ip_output.c:1530
> > [] ipv4_conntrack_local+0x14e/0x1a0
> > /kernel/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c:161
> > [] ? iptable_raw_hook+0x9d/0x1e0
> > /kernel/net/ipv4/netfilter/iptable_raw.c:32
> > [] nf_iterate+0x15d/0x230 /kernel/net/netfilter/core.c:274
> > [] ? nf_iterate+0x230/0x230 
> > /kernel/net/netfilter/core.c:268
> > [] nf_hook_slow+0x1ad/0x310 
> > /kernel/net/netfilter/core.c:306
> > [] ? nf_iterate+0x230/0x230 
> > /kernel/net/netfilter/core.c:268
> > [] ? nf_iterate+0x230/0x230 
> > /kernel/net/netfilter/core.c:268
> > [] ? prandom_u32+0x24/0x30 /kernel/lib/random32.c:83
> > [] ? ip_idents_reserve+0x9f/0xf0
> > /kernel/net/ipv4/route.c:484
> > [< inline >] nf_hook_thresh /kernel/include/linux/netfilter.h:187
> > [< inline >] nf_hook /kernel/include/linux/netfilter.h:197
> > [] __ip_local_out+0x263/0x3c0
> > /kernel/net/ipv4/ip_output.c:104
> > [] ? ip_finish_output+0xd00/0xd00
> > /kernel/include/net/ip.h:322
> > [] ? __ip_flush_pending_frames.isra.45+0x2e0/0x2e0
> > /kernel/net/ipv4/ip_output.c:1337
> > [] ? __ip_make_skb+0xfe6/0x1610
> > /kernel/net/ipv4/ip_output.c:1436
> > [] ip_local_out+0x2d/0x1c0 
> > /kernel/net/ipv4/ip_output.c:113
> > [] ip_send_skb+0x3c/0xc0 /kernel/net/ipv4/ip_output.c:1443
> > [] ip_push_pending_frames+0x64/0x80
> > /kernel/net/

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-27 Thread Jozsef Kadlecsik 
On Sun, 27 Mar 2016, Baozeng Ding wrote:

> The following program triggers stack-out-of-bounds in tcp_packet. The
> kernel version is 4.5 (on Mar 16 commit
> 09fd671ccb2475436bd5f597f751ca4a7d177aea).
> Uncovered with syzkaller. Thanks.
> 
> ==
> BUG: KASAN: stack-out-of-bounds in tcp_packet+0x4b77/0x51c0 at addr
> 8800a45df3c8
> Read of size 1 by task 0327/11132
> page:ea00029177c0 count:0 mapcount:0 mapping:  (null) index:0x0
> flags: 0x1fffc00()
> page dumped because: kasan: bad access detected
> CPU: 1 PID: 11132 Comm: 0327 Tainted: GB   4.5.0+ #12
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
>  0001 8800a45df148 82945051 8800a45df1d8
>  8800a45df3c8 0027 0001 8800a45df1c8
>  81709f88 8800b4f7e3d0 0028 0286
> Call Trace:
> [< inline >] __dump_stack /kernel/lib/dump_stack.c:15
> [] dump_stack+0xb3/0x112 /kernel/lib/dump_stack.c:51
> [< inline >] print_address_description /kernel/mm/kasan/report.c:150
> [] kasan_report_error+0x4f8/0x530
> /kernel/mm/kasan/report.c:236
> [] ? skb_copy_bits+0x49d/0x6d0
> /kernel/net/core/skbuff.c:1675
> [< inline >] ? spin_lock_bh /kernel/include/linux/spinlock.h:307
> [] ? tcp_packet+0x1c9/0x51c0
> /kernel/net/netfilter/nf_conntrack_proto_tcp.c:833
> [< inline >] kasan_report /kernel/mm/kasan/report.c:259
> [] __asan_report_load1_noabort+0x3e/0x40
> /kernel/mm/kasan/report.c:277
> [< inline >] ? tcp_sack
> /kernel/net/netfilter/nf_conntrack_proto_tcp.c:473
> [< inline >] ? tcp_in_window
> /kernel/net/netfilter/nf_conntrack_proto_tcp.c:527
> [] ? tcp_packet+0x4b77/0x51c0
> /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1036
> [< inline >] tcp_sack
> /kernel/net/netfilter/nf_conntrack_proto_tcp.c:473
> [< inline >] tcp_in_window
> /kernel/net/netfilter/nf_conntrack_proto_tcp.c:527
> [] tcp_packet+0x4b77/0x51c0
> /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1036
> [] ? memset+0x28/0x30 /kernel/mm/kasan/kasan.c:302
> [] ? tcp_new+0x1a4/0xc20
> /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1122
> [< inline >] ? build_report /kernel/include/net/netlink.h:499
> [] ? xfrm_send_report+0x426/0x450
> /kernel/net/xfrm/xfrm_user.c:3039
> [] ? tcp_new+0xc20/0xc20
> /kernel/net/netfilter/nf_conntrack_proto_tcp.c:1169
> [] ? init_conntrack+0xca/0x9e0
> /kernel/net/netfilter/nf_conntrack_core.c:972
> [] ? nf_conntrack_alloc+0x40/0x40
> /kernel/net/netfilter/nf_conntrack_core.c:903
> [] ? tcp_init_net+0x6e0/0x6e0
> /kernel/include/net/netfilter/nf_conntrack_l4proto.h:137
> [] ? ipv4_get_l4proto+0x262/0x390
> /kernel/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c:89
> [] ? nf_ct_get_tuple+0xaf/0x190
> /kernel/net/netfilter/nf_conntrack_core.c:197
> [] nf_conntrack_in+0x8ee/0x1170
> /kernel/net/netfilter/nf_conntrack_core.c:1177
> [] ? init_conntrack+0x9e0/0x9e0
> /kernel/net/netfilter/nf_conntrack_core.c:287
> [] ? ipt_do_table+0xa16/0x1260
> /kernel/net/ipv4/netfilter/ip_tables.c:423
> [] ? trace_hardirqs_on+0xd/0x10
> /kernel/kernel/locking/lockdep.c:2635
> [] ? __local_bh_enable_ip+0x6b/0xc0
> /kernel/kernel/softirq.c:175
> [] ? check_entry.isra.4+0x190/0x190
> /kernel/net/ipv6/netfilter/ip6_tables.c:594
> [] ? ip_reply_glue_bits+0xc0/0xc0
> /kernel/net/ipv4/ip_output.c:1530
> [] ipv4_conntrack_local+0x14e/0x1a0
> /kernel/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c:161
> [] ? iptable_raw_hook+0x9d/0x1e0
> /kernel/net/ipv4/netfilter/iptable_raw.c:32
> [] nf_iterate+0x15d/0x230 /kernel/net/netfilter/core.c:274
> [] ? nf_iterate+0x230/0x230 /kernel/net/netfilter/core.c:268
> [] nf_hook_slow+0x1ad/0x310 /kernel/net/netfilter/core.c:306
> [] ? nf_iterate+0x230/0x230 /kernel/net/netfilter/core.c:268
> [] ? nf_iterate+0x230/0x230 /kernel/net/netfilter/core.c:268
> [] ? prandom_u32+0x24/0x30 /kernel/lib/random32.c:83
> [] ? ip_idents_reserve+0x9f/0xf0
> /kernel/net/ipv4/route.c:484
> [< inline >] nf_hook_thresh /kernel/include/linux/netfilter.h:187
> [< inline >] nf_hook /kernel/include/linux/netfilter.h:197
> [] __ip_local_out+0x263/0x3c0
> /kernel/net/ipv4/ip_output.c:104
> [] ? ip_finish_output+0xd00/0xd00
> /kernel/include/net/ip.h:322
> [] ? __ip_flush_pending_frames.isra.45+0x2e0/0x2e0
> /kernel/net/ipv4/ip_output.c:1337
> [] ? __ip_make_skb+0xfe6/0x1610
> /kernel/net/ipv4/ip_output.c:1436
> [] ip_local_out+0x2d/0x1c0 /kernel/net/ipv4/ip_output.c:113
> [] ip_send_skb+0x3c/0xc0 /kernel/net/ipv4/ip_output.c:1443
> [] ip_push_pending_frames+0x64/0x80
> /kernel/net/ipv4/ip_output.c:1463
> [< inline >] rcu_read_unlock /kernel/include/linux/rcupdate.h:922
> [] raw_sendmsg+0x17bb/0x25c0
> /kernel/net/ieee802154/socket.c:53
> [] ? dst_output+0x190/0x190 /kernel/include/net/dst.h:492
> [< inline >] ? trace_mm_page_alloc
> /kerne