net/kcm: GPF in kcm_sendmsg

Dmitry Vyukov

Feb 13, 2017, 10:15:01 AM
to David Miller, Tom Herbert, Cong Wang, Alexei Starovoitov, Al Viro, Daniel Borkmann, Eric Dumazet, netdev, LKML, syzkaller
Hello,

The following program triggers GPF in kcm_sendmsg:


// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

int main()
{
	int sock = socket(41 /*AF_KCM*/, SOCK_SEQPACKET, 0);
	struct mmsghdr msg;
	memset(&msg, 0, sizeof(msg));
	sendmmsg(sock, &msg, 1, 0);
	return 0;
}


general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 2 PID: 2935 Comm: a.out Not tainted 4.10.0-rc8+ #218
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006b506440 task.stack: ffff8800662b8000
RIP: 0010:kcm_sendmsg+0x92e/0x2240 net/kcm/kcmsock.c:1048
RSP: 0018:ffff8800662bf720 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000008 RSI: ffff88006b506c38 RDI: 0000000000000040
RBP: ffff8800662bfa00 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000000 R12: 7fffffffffffffff
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88006af12040
FS: 0000000001077880(0000) GS:ffff88006d100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004b2140 CR3: 00000000651b7000 CR4: 00000000001406e0
Call Trace:
sock_sendmsg_nosec net/socket.c:635 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:645
___sys_sendmsg+0x4a3/0x9f0 net/socket.c:1985
__sys_sendmmsg+0x25c/0x750 net/socket.c:2075
SYSC_sendmmsg net/socket.c:2106 [inline]
SyS_sendmmsg+0x35/0x60 net/socket.c:2101
entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x436dc9
RSP: 002b:00007ffe84e1a938 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000401730 RCX: 0000000000436dc9
RDX: 0000000000000001 RSI: 00007ffe84e1a950 RDI: 0000000000000003
RBP: 0000000000000000 R08: 000000000000000b R09: 0000000000000004
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004002b0
R13: 00007ffe84e1aa88 R14: 0000000000000002 R15: 0000000000000000
Code: 02 00 0f 85 d4 14 00 00 48 8b 85 c0 fd ff ff 48 8d 78 40 49 89
87 30 05 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80>
3c 02 00 0f 85 9d 14 00 00 48 8b 85 c0 fd ff ff 4c 89 70 40
RIP: kcm_sendmsg+0x92e/0x2240 net/kcm/kcmsock.c:1048 RSP: ffff8800662bf720
---[ end trace 62093774c8609871 ]---


On commit 7089db84e356562f8ba737c29e472cc42d530dbc (4.10-rc8).

Cong Wang

Feb 13, 2017, 12:07:05 PM
to Dmitry Vyukov, David Miller, Tom Herbert, Alexei Starovoitov, Al Viro, Daniel Borkmann, Eric Dumazet, netdev, LKML, syzkaller
On Mon, Feb 13, 2017 at 7:14 AM, Dmitry Vyukov <dvy...@google.com> wrote:
> Hello,
>
> The following program triggers GPF in kcm_sendmsg:
>
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #define _GNU_SOURCE
> #include <sys/socket.h>
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <stddef.h>
> #include <string.h>
> #include <unistd.h>
>
> int main()
> {
> int sock = socket(41 /*AF_KCM*/, SOCK_SEQPACKET, 0);
> struct mmsghdr msg;
> memset(&msg, 0, sizeof(msg));
> sendmmsg(sock, &msg, 1, 0);
> return 0;
> }
>
>
> general protection fault: 0000 [#1] SMP KASAN
> Modules linked in:
> CPU: 2 PID: 2935 Comm: a.out Not tainted 4.10.0-rc8+ #218
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff88006b506440 task.stack: ffff8800662b8000
> RIP: 0010:kcm_sendmsg+0x92e/0x2240 net/kcm/kcmsock.c:1048

Hmm, head is NULL in "kcm_tx_msg(head)->last_skb = skb;", I missed the !eor case in the previous fix.
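As an added illustration, not code from this thread or from the kernel, the following user-space model follows the control flow Cong Wang describes: a zero-length SOCK_SEQPACKET message without MSG_EOR builds no skb, so head stays NULL, and the "save partial message state" path then dereferences it; the hardened variant guards that path (one obvious guard, not necessarily the exact upstream patch). KCM_MSG_EOR, struct kcm_model, build_chain and kcm_sendmsg_model are hypothetical stand-ins, and continuation of a previously saved partial message is left out.

```c
#include <stddef.h>
#include <stdlib.h>

#define KCM_MSG_EOR 0x80 /* hypothetical stand-in for MSG_EOR */

struct skb { struct skb *next; size_t len; };
struct kcm_model {
    struct skb *seq_skb;   /* head of a partially built message (kcm->seq_skb) */
    struct skb *last_skb;  /* stands in for kcm_tx_msg(head)->last_skb */
};

/* One skb per non-empty segment, chained; head stays NULL when the message
 * carries no data at all, which is exactly the zeroed-mmsghdr reproducer. */
static struct skb *build_chain(const size_t *seg_len, int nseg, struct skb **last)
{
    struct skb *head = NULL, *tail = NULL;
    for (int i = 0; i < nseg; i++) {
        if (seg_len[i] == 0) continue;
        struct skb *s = calloc(1, sizeof(*s));
        if (!s) abort();
        s->len = seg_len[i];
        if (!head) head = s; else tail->next = s;
        tail = s;
    }
    *last = tail;
    return head;
}

/* Returns 0 on success, -1 where the unguarded code would dereference a NULL
 * head. hardened != 0 selects the guarded save-state path. */
int kcm_sendmsg_model(struct kcm_model *kcm, const size_t *seg_len, int nseg,
                      int flags, int hardened)
{
    struct skb *last = NULL;
    struct skb *head = build_chain(seg_len, nseg, &last);
    int eor = !!(flags & KCM_MSG_EOR); /* SOCK_SEQPACKET: EOR only when asked */

    if (eor) {
        /* complete message: would be handed to the transport; dropped here */
        while (head) { struct skb *n = head->next; free(head); head = n; }
        kcm->seq_skb = NULL;
        return 0;
    }
    /* message not complete: save state for the next sendmsg call */
    if (!head)
        return hardened ? 0 : -1; /* unguarded: kcm_tx_msg(NULL)->last_skb */
    kcm->seq_skb = head;
    kcm->last_skb = last;
    return 0;
}
```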