Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

On Mon, 2016-03-28 at 19:54 -0400, David Miller wrote: > From: Eric Dumazet > Date: Mon, 28 Mar 2016 13:51:46 -0700 > > > On Mon, 2016-03-28 at 13:46 -0700, Eric Dumazet wrote: > > > >> We have at least 384 bytes of padding in skb->head (this is struct > >> skb_shared_info). > >> > >> Whatever

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

From: Eric Dumazet Date: Mon, 28 Mar 2016 13:51:46 -0700 > On Mon, 2016-03-28 at 13:46 -0700, Eric Dumazet wrote: > >> We have at least 384 bytes of padding in skb->head (this is struct >> skb_shared_info). >> >> Whatever garbage we might read, current code is fine. >> >> We have to deal with

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

From: Jan Engelhardt Date: Mon, 28 Mar 2016 22:20:39 +0200 (CEST) > > On Monday 2016-03-28 21:29, David Miller wrote: > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb, > > length--; > > continue; > > default: >>>

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

On Mon, 2016-03-28 at 23:11 +0200, Jozsef Kadlecsik wrote: > In net/netfilter/nf_conntrack_proto_tcp.c we copy the options into a > buffer with skb_header_pointer(), so it's not a false positive there and > the KASAN report referred to that part. > Although the out of bound could be one extra

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

On Mon, 28 Mar 2016, Eric Dumazet wrote: > On Mon, 2016-03-28 at 22:20 +0200, Jan Engelhardt wrote: > > On Monday 2016-03-28 21:29, David Miller wrote: > > >>> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff > > >>> > > *skb, > > >>> > > length--; > > >>> > >

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

On Mon, 2016-03-28 at 13:46 -0700, Eric Dumazet wrote: > We have at least 384 bytes of padding in skb->head (this is struct > skb_shared_info). > > Whatever garbage we might read, current code is fine. > > We have to deal with a false positive here. Very similar to the one fixed in https://git

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

On Mon, 2016-03-28 at 22:20 +0200, Jan Engelhardt wrote: > On Monday 2016-03-28 21:29, David Miller wrote: > >>> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff > >>> > > *skb, > >>> > > length--; > >>> > > continue; > >>> > > default: >

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

On Monday 2016-03-28 21:29, David Miller wrote: >>> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb, >>> > > length--; >>> > > continue; >>> > > default: >>> > > +if (length < 2) >>> > > +return; >>> > >

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

On Mon, 2016-03-28 at 15:29 -0400, David Miller wrote: > From: Jozsef Kadlecsik > Date: Mon, 28 Mar 2016 18:48:51 +0200 (CEST) > > >> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb, > >> > > length--; > >> > > continue; > >> > > de

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

From: Jozsef Kadlecsik Date: Mon, 28 Mar 2016 18:48:51 +0200 (CEST) >> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb, >> > > length--; >> > > continue; >> > > default: >> > > +if (length < 2) >> > > +re

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

On Mon, Mar 28, 2016 at 06:48:51PM +0200, Jozsef Kadlecsik wrote: > Hi David, Pablo, > > David, do you agree with the patch for net/ipv4/tcp_input.c? If yes, how > should I proceed? Should I send the whole patch to you or is it OK to send > to Pablo? Submit a formal patch and Cc: netdev@vger.ke

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

Hi David, Pablo, David, do you agree with the patch for net/ipv4/tcp_input.c? If yes, how should I proceed? Should I send the whole patch to you or is it OK to send to Pablo? Best regards, Jozsef On Mon, 28 Mar 2016, Baozeng Ding wrote: > > > On 2016/3/28 10:35, Baozeng Ding wrote: > > > >

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

On 2016/3/28 10:35, Baozeng Ding wrote: On 2016/3/28 6:25, Jozsef Kadlecsik wrote: On Mon, 28 Mar 2016, Jozsef Kadlecsik wrote: On Sun, 27 Mar 2016, Baozeng Ding wrote: The following program triggers stack-out-of-bounds in tcp_packet. The kernel version is 4.5 (on Mar 16 commit 09fd671cc

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

On Mon, 28 Mar 2016, Jozsef Kadlecsik wrote: > On Sun, 27 Mar 2016, Baozeng Ding wrote: > > > The following program triggers stack-out-of-bounds in tcp_packet. The > > kernel version is 4.5 (on Mar 16 commit > > 09fd671ccb2475436bd5f597f751ca4a7d177aea). > > Uncovered with syzkaller. Thanks. > >

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

On Sun, 27 Mar 2016, Baozeng Ding wrote: > The following program triggers stack-out-of-bounds in tcp_packet. The > kernel version is 4.5 (on Mar 16 commit > 09fd671ccb2475436bd5f597f751ca4a7d177aea). > Uncovered with syzkaller. Thanks. > > =

BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

Hi all, The following program triggers stack-out-of-bounds in tcp_packet. The kernel version is 4.5 (on Mar 16 commit 09fd671ccb2475436bd5f597f751ca4a7d177aea). Uncovered with syzkaller. Thanks. == BUG: KASAN: stack-out-of-bounds in