WARNING in compat_do_ebt_get_ctl
17 views
Skip to first unread message
syzbot
Aug 6, 2020, 10:26:28 PM8/6/20
to bri...@lists.linux-foundation.org, core...@netfilter.org, da...@davemloft.net, f...@strlen.de, kad...@netfilter.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, nik...@cumulusnetworks.com, pa...@netfilter.org, ro...@cumulusnetworks.com, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 47ec5303 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17e92e76900000
kernel config: https://syzkaller.appspot.com/x/.config?x=7c06047f622c5724
dashboard link: https://syzkaller.appspot.com/bug?extid=5accb5c62faa1d346480
compiler: gcc (GCC) 10.1.0-syz 20200507
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5accb5...@syzkaller.appspotmail.com
WARNING: CPU: 0 PID: 783 at include/linux/thread_info.h:134 copy_overflow include/linux/thread_info.h:134 [inline]
WARNING: CPU: 0 PID: 783 at include/linux/thread_info.h:134 check_copy_size include/linux/thread_info.h:143 [inline]
WARNING: CPU: 0 PID: 783 at include/linux/thread_info.h:134 copy_to_user include/linux/uaccess.h:151 [inline]
WARNING: CPU: 0 PID: 783 at include/linux/thread_info.h:134 compat_do_ebt_get_ctl+0x47e/0x500 net/bridge/netfilter/ebtables.c:2270
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 783 Comm: syz-executor.2 Not tainted 5.8.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
panic+0x2e3/0x75c kernel/panic.c:231
__warn.cold+0x20/0x45 kernel/panic.c:600
report_bug+0x1bd/0x210 lib/bug.c:198
handle_bug+0x38/0x90 arch/x86/kernel/traps.c:235
exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:255
asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
RIP: 0010:copy_overflow include/linux/thread_info.h:134 [inline]
RIP: 0010:check_copy_size include/linux/thread_info.h:143 [inline]
RIP: 0010:copy_to_user include/linux/uaccess.h:151 [inline]
RIP: 0010:compat_do_ebt_get_ctl+0x47e/0x500 net/bridge/netfilter/ebtables.c:2270
Code: ba fd ff ff 4c 89 f7 e8 a0 11 a4 fa e9 ad fd ff ff e8 06 0f 64 fa 4c 89 e2 be 50 00 00 00 48 c7 c7 00 4e 0e 89 e8 64 20 35 fa <0f> 0b e9 dc fd ff ff 41 bc f2 ff ff ff e9 4f fe ff ff e8 7b 11 a4
RSP: 0018:ffffc900047b7ae8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 1ffff920008f6f5e RCX: 0000000000000000
RDX: 0000000000040000 RSI: ffffffff815d8eb7 RDI: fffff520008f6f4f
RBP: ffffffff8a8f3460 R08: 0000000000000001 R09: ffff88802ce31927
R10: 0000000000000000 R11: 0000000033383754 R12: 000000000000ffab
R13: 0000000020000100 R14: ffffc900047b7d80 R15: ffffc900047b7b20
do_ebt_get_ctl+0x2b4/0x790 net/bridge/netfilter/ebtables.c:2317
nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116
ip_getsockopt net/ipv4/ip_sockglue.c:1778 [inline]
ip_getsockopt+0x164/0x1c0 net/ipv4/ip_sockglue.c:1757
raw_getsockopt+0x1a1/0x1d0 net/ipv4/raw.c:876
__sys_getsockopt+0x219/0x4c0 net/socket.c:2179
__do_sys_getsockopt net/socket.c:2194 [inline]
__se_sys_getsockopt net/socket.c:2191 [inline]
__ia32_sys_getsockopt+0xb9/0x150 net/socket.c:2191
do_syscall_32_irqs_on arch/x86/entry/common.c:84 [inline]
__do_fast_syscall_32+0x57/0x80 arch/x86/entry/common.c:126
do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7f24569
Code: c4 01 10 03 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f551e0bc EFLAGS: 00000296 ORIG_RAX: 000000000000016d
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000082 RSI: 0000000020000100 RDI: 0000000020000180
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 47ec5303 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17e92e76900000
kernel config: https://syzkaller.appspot.com/x/.config?x=7c06047f622c5724
dashboard link: https://syzkaller.appspot.com/bug?extid=5accb5c62faa1d346480
compiler: gcc (GCC) 10.1.0-syz 20200507
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5accb5...@syzkaller.appspotmail.com
WARNING: CPU: 0 PID: 783 at include/linux/thread_info.h:134 copy_overflow include/linux/thread_info.h:134 [inline]
WARNING: CPU: 0 PID: 783 at include/linux/thread_info.h:134 check_copy_size include/linux/thread_info.h:143 [inline]
WARNING: CPU: 0 PID: 783 at include/linux/thread_info.h:134 copy_to_user include/linux/uaccess.h:151 [inline]
WARNING: CPU: 0 PID: 783 at include/linux/thread_info.h:134 compat_do_ebt_get_ctl+0x47e/0x500 net/bridge/netfilter/ebtables.c:2270
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 783 Comm: syz-executor.2 Not tainted 5.8.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
panic+0x2e3/0x75c kernel/panic.c:231
__warn.cold+0x20/0x45 kernel/panic.c:600
report_bug+0x1bd/0x210 lib/bug.c:198
handle_bug+0x38/0x90 arch/x86/kernel/traps.c:235
exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:255
asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
RIP: 0010:copy_overflow include/linux/thread_info.h:134 [inline]
RIP: 0010:check_copy_size include/linux/thread_info.h:143 [inline]
RIP: 0010:copy_to_user include/linux/uaccess.h:151 [inline]
RIP: 0010:compat_do_ebt_get_ctl+0x47e/0x500 net/bridge/netfilter/ebtables.c:2270
Code: ba fd ff ff 4c 89 f7 e8 a0 11 a4 fa e9 ad fd ff ff e8 06 0f 64 fa 4c 89 e2 be 50 00 00 00 48 c7 c7 00 4e 0e 89 e8 64 20 35 fa <0f> 0b e9 dc fd ff ff 41 bc f2 ff ff ff e9 4f fe ff ff e8 7b 11 a4
RSP: 0018:ffffc900047b7ae8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 1ffff920008f6f5e RCX: 0000000000000000
RDX: 0000000000040000 RSI: ffffffff815d8eb7 RDI: fffff520008f6f4f
RBP: ffffffff8a8f3460 R08: 0000000000000001 R09: ffff88802ce31927
R10: 0000000000000000 R11: 0000000033383754 R12: 000000000000ffab
R13: 0000000020000100 R14: ffffc900047b7d80 R15: ffffc900047b7b20
do_ebt_get_ctl+0x2b4/0x790 net/bridge/netfilter/ebtables.c:2317
nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116
ip_getsockopt net/ipv4/ip_sockglue.c:1778 [inline]
ip_getsockopt+0x164/0x1c0 net/ipv4/ip_sockglue.c:1757
raw_getsockopt+0x1a1/0x1d0 net/ipv4/raw.c:876
__sys_getsockopt+0x219/0x4c0 net/socket.c:2179
__do_sys_getsockopt net/socket.c:2194 [inline]
__se_sys_getsockopt net/socket.c:2191 [inline]
__ia32_sys_getsockopt+0xb9/0x150 net/socket.c:2191
do_syscall_32_irqs_on arch/x86/entry/common.c:84 [inline]
__do_fast_syscall_32+0x57/0x80 arch/x86/entry/common.c:126
do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7f24569
Code: c4 01 10 03 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f551e0bc EFLAGS: 00000296 ORIG_RAX: 000000000000016d
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000082 RSI: 0000000020000100 RDI: 0000000020000180
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Aug 12, 2020, 11:45:24 PM8/12/20
to bri...@lists.linux-foundation.org, core...@netfilter.org, da...@davemloft.net, f...@strlen.de, kad...@netfilter.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, nik...@cumulusnetworks.com, pa...@netfilter.org, ro...@cumulusnetworks.com, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: fb893de3 Merge tag 'tag-chrome-platform-for-v5.9' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1742b31c900000
kernel config: https://syzkaller.appspot.com/x/.config?x=f1fedc63022bf07e
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1409f4a6900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5accb5...@syzkaller.appspotmail.com
------------[ cut here ]------------
Buffer overflow detected (80 < 137)!
WARNING: CPU: 0 PID: 6853 at include/linux/thread_info.h:134 copy_overflow include/linux/thread_info.h:134 [inline]
WARNING: CPU: 0 PID: 6853 at include/linux/thread_info.h:134 check_copy_size include/linux/thread_info.h:143 [inline]
WARNING: CPU: 0 PID: 6853 at include/linux/thread_info.h:134 copy_to_user include/linux/uaccess.h:151 [inline]
WARNING: CPU: 0 PID: 6853 at include/linux/thread_info.h:134 compat_do_ebt_get_ctl+0x47e/0x500 net/bridge/netfilter/ebtables.c:2270
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254
RSP: 0018:ffffc90005667ae8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 1ffff92000accf5e RCX: 0000000000000000
RDX: ffff88809458a280 RSI: ffffffff815dbce7 RDI: fffff52000accf4f
RBP: ffffffff8a8faa60 R08: 0000000000000001 R09: ffff8880ae6318e7
R10: 0000000000000000 R11: 0000000035383654 R12: 0000000000000089
R13: 0000000020000000 R14: ffffc90005667d80 R15: ffffc90005667b20
Code: 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000ffdae08c EFLAGS: 00000292 ORIG_RAX: 000000000000016d
RBP: 0000000000000012 R08: 0000000000000000 R09: 0000000000000000
HEAD commit: fb893de3 Merge tag 'tag-chrome-platform-for-v5.9' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1742b31c900000
kernel config: https://syzkaller.appspot.com/x/.config?x=f1fedc63022bf07e
dashboard link: https://syzkaller.appspot.com/bug?extid=5accb5c62faa1d346480
compiler: gcc (GCC) 10.1.0-syz 20200507
userspace arch: i386
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13280fd6900000
compiler: gcc (GCC) 10.1.0-syz 20200507
userspace arch: i386
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1409f4a6900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5accb5...@syzkaller.appspotmail.com
Buffer overflow detected (80 < 137)!
WARNING: CPU: 0 PID: 6853 at include/linux/thread_info.h:134 copy_overflow include/linux/thread_info.h:134 [inline]
WARNING: CPU: 0 PID: 6853 at include/linux/thread_info.h:134 check_copy_size include/linux/thread_info.h:143 [inline]
WARNING: CPU: 0 PID: 6853 at include/linux/thread_info.h:134 copy_to_user include/linux/uaccess.h:151 [inline]
WARNING: CPU: 0 PID: 6853 at include/linux/thread_info.h:134 compat_do_ebt_get_ctl+0x47e/0x500 net/bridge/netfilter/ebtables.c:2270
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 6853 Comm: syz-executor171 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
panic+0x2e3/0x75c kernel/panic.c:231
__warn.cold+0x20/0x45 kernel/panic.c:600
report_bug+0x1bd/0x210 lib/bug.c:198
handle_bug+0x38/0x90 arch/x86/kernel/traps.c:234
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
panic+0x2e3/0x75c kernel/panic.c:231
__warn.cold+0x20/0x45 kernel/panic.c:600
report_bug+0x1bd/0x210 lib/bug.c:198
exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254
asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
RIP: 0010:copy_overflow include/linux/thread_info.h:134 [inline]
RIP: 0010:check_copy_size include/linux/thread_info.h:143 [inline]
RIP: 0010:copy_to_user include/linux/uaccess.h:151 [inline]
RIP: 0010:compat_do_ebt_get_ctl+0x47e/0x500 net/bridge/netfilter/ebtables.c:2270
Code: ba fd ff ff 4c 89 f7 e8 60 07 a2 fa e9 ad fd ff ff e8 36 18 62 fa 4c 89 e2 be 50 00 00 00 48 c7 c7 40 b9 0e 89 e8 94 1f 33 fa <0f> 0b e9 dc fd ff ff 41 bc f2 ff ff ff e9 4f fe ff ff e8 3b 07 a2
RIP: 0010:copy_overflow include/linux/thread_info.h:134 [inline]
RIP: 0010:check_copy_size include/linux/thread_info.h:143 [inline]
RIP: 0010:copy_to_user include/linux/uaccess.h:151 [inline]
RIP: 0010:compat_do_ebt_get_ctl+0x47e/0x500 net/bridge/netfilter/ebtables.c:2270
RSP: 0018:ffffc90005667ae8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 1ffff92000accf5e RCX: 0000000000000000
RDX: ffff88809458a280 RSI: ffffffff815dbce7 RDI: fffff52000accf4f
RBP: ffffffff8a8faa60 R08: 0000000000000001 R09: ffff8880ae6318e7
R10: 0000000000000000 R11: 0000000035383654 R12: 0000000000000089
R13: 0000000020000000 R14: ffffc90005667d80 R15: ffffc90005667b20
do_ebt_get_ctl+0x2b4/0x790 net/bridge/netfilter/ebtables.c:2317
nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116
ip_getsockopt net/ipv4/ip_sockglue.c:1778 [inline]
ip_getsockopt+0x164/0x1c0 net/ipv4/ip_sockglue.c:1757
tcp_getsockopt+0x86/0xd0 net/ipv4/tcp.c:3884
nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116
ip_getsockopt net/ipv4/ip_sockglue.c:1778 [inline]
ip_getsockopt+0x164/0x1c0 net/ipv4/ip_sockglue.c:1757
__sys_getsockopt+0x219/0x4c0 net/socket.c:2179
__do_sys_getsockopt net/socket.c:2194 [inline]
__se_sys_getsockopt net/socket.c:2191 [inline]
__ia32_sys_getsockopt+0xb9/0x150 net/socket.c:2191
do_syscall_32_irqs_on arch/x86/entry/common.c:84 [inline]
__do_fast_syscall_32+0x57/0x80 arch/x86/entry/common.c:126
do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7f91569
__do_sys_getsockopt net/socket.c:2194 [inline]
__se_sys_getsockopt net/socket.c:2191 [inline]
__ia32_sys_getsockopt+0xb9/0x150 net/socket.c:2191
do_syscall_32_irqs_on arch/x86/entry/common.c:84 [inline]
__do_fast_syscall_32+0x57/0x80 arch/x86/entry/common.c:126
do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
Code: 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000ffdae08c EFLAGS: 00000292 ORIG_RAX: 000000000000016d
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000082 RSI: 0000000020000000 RDI: 0000000020000100
RBP: 0000000000000012 R08: 0000000000000000 R09: 0000000000000000
Christoph Hellwig
Aug 13, 2020, 11:40:28 AM8/13/20
to Florian Westphal, netfilt...@vger.kernel.org, h...@lst.de, syzkall...@googlegroups.com, net...@vger.kernel.org, syzbot+5accb5...@syzkaller.appspotmail.com
Jakub Kicinski
Aug 13, 2020, 12:05:39 PM8/13/20
to Florian Westphal, netfilt...@vger.kernel.org, h...@lst.de, syzkall...@googlegroups.com, net...@vger.kernel.org, syzbot+5accb5...@syzkaller.appspotmail.com
On Thu, 13 Aug 2020 09:46:11 +0200 Florian Westphal wrote:
> Fixes: fc66de8e16e ("netfilter/ebtables: clean up compat {get, set}sockopt handling")
Fixes tag: Fixes: fc66de8e16e ("netfilter/ebtables: clean up compat {get, set}sockopt handling")
Has these problem(s):
- SHA1 should be at least 12 digits long
Can be fixed by setting core.abbrev to 12 (or more) or (for git v2.11
or later) just making sure it is not set (or set to "auto").
> Fixes: fc66de8e16e ("netfilter/ebtables: clean up compat {get, set}sockopt handling")
Fixes tag: Fixes: fc66de8e16e ("netfilter/ebtables: clean up compat {get, set}sockopt handling")
Has these problem(s):
- SHA1 should be at least 12 digits long
Can be fixed by setting core.abbrev to 12 (or more) or (for git v2.11
or later) just making sure it is not set (or set to "auto").
Pablo Neira Ayuso
Aug 14, 2020, 5:59:51 AM8/14/20
to Florian Westphal, netfilt...@vger.kernel.org, h...@lst.de, syzkall...@googlegroups.com, net...@vger.kernel.org, syzbot+5accb5...@syzkaller.appspotmail.com
On Thu, Aug 13, 2020 at 09:46:11AM +0200, Florian Westphal wrote:
> syzkaller reports splat:
> This adds a argument check on *len just like in the non-compat version
> of the handler.
>
> Before the "Fixes" commit, the reproducer fails with -EINVAL as
> expected:
> 1. core calls the "compat" getsockopt version
> 2. compat getsockopt version detects the *len value is possibly
> in 64-bit layout (*len != compat_len)
> 3. compat getsockopt version delegates everything to native getsockopt
> version
> 4. native getsockopt rejects invalid *len
>
> -> compat handler only sees len == sizeof(compat_struct) for GET_ENTRIES.
>
> After the refactor, event sequence is:
> 1. getsockopt calls "compat" version (len != native_len)
> 2. compat version attempts to copy *len bytes, where *len is random
> value from userspace
Applied, thanks.
> syzkaller reports splat:
> ------------[ cut here ]------------
> Buffer overflow detected (80 < 137)!
> Call Trace:
> Buffer overflow detected (80 < 137)!
> do_ebt_get_ctl+0x2b4/0x790 net/bridge/netfilter/ebtables.c:2317
> nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116
> ip_getsockopt net/ipv4/ip_sockglue.c:1778 [inline]
>
> caused by a copy-to-user with a too-large "*len" value.
> nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116
> ip_getsockopt net/ipv4/ip_sockglue.c:1778 [inline]
>
> This adds a argument check on *len just like in the non-compat version
> of the handler.
>
> Before the "Fixes" commit, the reproducer fails with -EINVAL as
> expected:
> 1. core calls the "compat" getsockopt version
> 2. compat getsockopt version detects the *len value is possibly
> in 64-bit layout (*len != compat_len)
> 3. compat getsockopt version delegates everything to native getsockopt
> version
> 4. native getsockopt rejects invalid *len
>
> -> compat handler only sees len == sizeof(compat_struct) for GET_ENTRIES.
>
> After the refactor, event sequence is:
> 1. getsockopt calls "compat" version (len != native_len)
> 2. compat version attempts to copy *len bytes, where *len is random
> value from userspace
Applied, thanks.
Reply all
Reply to author
Forward
0 new messages