[syzbot] [netfilter?] general protection fault in nf_tproxy_laddr4

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 6e7ffa180a53 net: dsa: mv88e6xxx: read cmode on mv88e6320/..
git tree: net
console+strace: https://syzkaller.appspot.com/x/log.txt?x=13ad5e04980000
kernel config: https://syzkaller.appspot.com/x/.config?x=3714fc09f933e505
dashboard link: https://syzkaller.appspot.com/bug?extid=b94a6818504ea90d7661
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16786a6c980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12526504980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/344d515e5a83/disk-6e7ffa18.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c177dc9a5410/vmlinux-6e7ffa18.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cd11b4574661/bzImage-6e7ffa18.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b94a68...@syzkaller.appspotmail.com

netlink: 'syz-executor314': attribute type 4 has an invalid length.
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 1 PID: 5086 Comm: syz-executor314 Not tainted 6.9.0-rc6-syzkaller-00157-g6e7ffa180a53 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62
Code: 89 c5 31 ff 89 c6 e8 08 80 8d f7 85 ed 0f 84 ab 01 00 00 e8 bb 7b 8d f7 eb 05 e8 b4 7b 8d f7 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 3a 26 f2 f7 48 8b 1b e8 72 df 77
RSP: 0018:ffffc9000344eb38 EFLAGS: 00010206
RAX: 0000000000000003 RBX: 0000000000000018 RCX: ffff88802a7ada00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffffff8a0894f8 R09: 0000000000000001
R10: 0000000000000002 R11: ffff88802a7ada00 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS: 000055556cd0a380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000221a6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]
nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
nf_hook_slow_list+0x1f8/0x460 net/netfilter/core.c:665
NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
ip_sublist_rcv+0x9a4/0xab0 net/ipv4/ip_input.c:637
ip_list_rcv+0x42b/0x480 net/ipv4/ip_input.c:674
__netif_receive_skb_list_ptype net/core/dev.c:5587 [inline]
__netif_receive_skb_list_core+0x95a/0x980 net/core/dev.c:5635
__netif_receive_skb_list net/core/dev.c:5687 [inline]
netif_receive_skb_list_internal+0xa51/0xe30 net/core/dev.c:5779
netif_receive_skb_list+0x55/0x4b0 net/core/dev.c:5831
xdp_recv_frames net/bpf/test_run.c:278 [inline]
xdp_test_run_batch net/bpf/test_run.c:356 [inline]
bpf_test_run_xdp_live+0x1973/0x1e90 net/bpf/test_run.c:384
bpf_prog_test_run_xdp+0x813/0x11b0 net/bpf/test_run.c:1267
bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4269
__sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5678
__do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5765
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcafe84c2b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffba9dffc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fcafe84c2b9
RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a
RBP: 0000000000000000 R08: 00007fffba9dfff0 R09: 00007fffba9dfff0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62
Code: 89 c5 31 ff 89 c6 e8 08 80 8d f7 85 ed 0f 84 ab 01 00 00 e8 bb 7b 8d f7 eb 05 e8 b4 7b 8d f7 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 3a 26 f2 f7 48 8b 1b e8 72 df 77
RSP: 0018:ffffc9000344eb38 EFLAGS: 00010206
RAX: 0000000000000003 RBX: 0000000000000018 RCX: ffff88802a7ada00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffffff8a0894f8 R09: 0000000000000001
R10: 0000000000000002 R11: ffff88802a7ada00 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS: 000055556cd0a380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000221a6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 c5 mov %eax,%ebp
2: 31 ff xor %edi,%edi
4: 89 c6 mov %eax,%esi
6: e8 08 80 8d f7 call 0xf78d8013
b: 85 ed test %ebp,%ebp
d: 0f 84 ab 01 00 00 je 0x1be
13: e8 bb 7b 8d f7 call 0xf78d7bd3
18: eb 05 jmp 0x1f
1a: e8 b4 7b 8d f7 call 0xf78d7bd3
1f: 48 83 c3 18 add $0x18,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 3a 26 f2 f7 call 0xf7f22673
39: 48 8b 1b mov (%rbx),%rbx
3c: e8 .byte 0xe8
3d: 72 df jb 0x1e
3f: 77 .byte 0x77


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [netfilter?] general protection fault in nf_tproxy_laddr4
Author: f...@strlen.de

syzbot <syzbot+b94a68...@syzkaller.appspotmail.com> wrote:

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/fwestphal/nf.git syz_b94a6818504ea90d7661

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b94a68...@syzkaller.appspotmail.com

Tested on:

commit: 5caed4a4 netfilter: tproxy: bail out if IP has been di..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/fwestphal/nf.git syz_b94a6818504ea90d7661
console output: https://syzkaller.appspot.com/x/log.txt?x=12dc507c980000

kernel config: https://syzkaller.appspot.com/x/.config?x=3714fc09f933e505
dashboard link: https://syzkaller.appspot.com/bug?extid=b94a6818504ea90d7661
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

[Florian Westphal]

syzbot reports:

general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]

[..]

RIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62

Call Trace:

nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]
nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168

__in_dev_get_rcu() can return NULL, so check for this.

Reported-and-tested-by: syzbot+b94a68...@syzkaller.appspotmail.com
Fixes: cc6eb4338569 ("tproxy: use the interface primary IP address as a default value for --on-ip")
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/ipv4/netfilter/nf_tproxy_ipv4.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/ipv4/netfilter/nf_tproxy_ipv4.c b/net/ipv4/netfilter/nf_tproxy_ipv4.c
index 69e331799604..73e66a088e25 100644
--- a/net/ipv4/netfilter/nf_tproxy_ipv4.c
+++ b/net/ipv4/netfilter/nf_tproxy_ipv4.c
@@ -58,6 +58,8 @@ __be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr)

laddr = 0;
indev = __in_dev_get_rcu(skb->dev);
+ if (!indev)
+ return daddr;

in_dev_for_each_ifa_rcu(ifa, indev) {
if (ifa->ifa_flags & IFA_F_SECONDARY)
--
2.43.2