WARNING in compat_copy_entries
20 views
Skip to first unread message
syzbot
Feb 18, 2018, 5:59:04 PM2/18/18
to bri...@lists.linux-foundation.org, core...@netfilter.org, da...@davemloft.net, f...@strlen.de, kad...@blackhole.kfki.hu, linux-...@vger.kernel.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, ste...@networkplumber.org, syzkall...@googlegroups.com
Hello,
syzbot hit the following crash on upstream commit
ee78ad7848a72195e3683f9fdcc81f0b002fb2ed (Sat Feb 17 17:48:26 2018 +0000)
Merge tag 'powerpc-4.16-3' of
git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
So far this crash happened 36 times on upstream.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.
user-space arch: i386
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+845a53...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
audit: type=1400 audit(1518894929.943:7): avc: denied { map } for
pid=4162 comm="syzkaller739777" path="/root/syzkaller739777723" dev="sda1"
ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
WARNING: CPU: 1 PID: 4162 at net/bridge/netfilter/ebtables.c:2056
ebt_size_mwt net/bridge/netfilter/ebtables.c:2056 [inline]
WARNING: CPU: 1 PID: 4162 at net/bridge/netfilter/ebtables.c:2056
size_entry_mwt net/bridge/netfilter/ebtables.c:2122 [inline]
WARNING: CPU: 1 PID: 4162 at net/bridge/netfilter/ebtables.c:2056
compat_copy_entries+0xcfa/0x1050 net/bridge/netfilter/ebtables.c:2160
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 4162 Comm: syzkaller739777 Not tainted 4.16.0-rc1+ #227
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
panic+0x1e4/0x41c kernel/panic.c:183
__warn+0x1dc/0x200 kernel/panic.c:547
report_bug+0x211/0x2d0 lib/bug.c:184
fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
fixup_bug arch/x86/kernel/traps.c:247 [inline]
do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x58/0x80 arch/x86/entry/entry_64.S:957
RIP: 0010:ebt_size_mwt net/bridge/netfilter/ebtables.c:2056 [inline]
RIP: 0010:size_entry_mwt net/bridge/netfilter/ebtables.c:2122 [inline]
RIP: 0010:compat_copy_entries+0xcfa/0x1050
net/bridge/netfilter/ebtables.c:2160
RSP: 0018:ffff8801b4e2f7e8 EFLAGS: 00010293
RAX: ffff8801b1860140 RBX: 0000000000000000 RCX: ffffffff84f075ea
RDX: 0000000000000000 RSI: ffffc9000180d2bc RDI: 0000000000000000
RBP: ffff8801b4e2f968 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff8818b280 R11: 00000000fffffe78 R12: 0000000000000008
R13: dffffc0000000000 R14: ffff8801b4e2f9c8 R15: ffffc9000180d2c4
compat_do_replace+0x398/0x7c0 net/bridge/netfilter/ebtables.c:2249
compat_do_ebt_set_ctl+0x22a/0x2d0 net/bridge/netfilter/ebtables.c:2330
compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
compat_nf_setsockopt+0x88/0x130 net/netfilter/nf_sockopt.c:156
compat_ip_setsockopt+0x8b/0xd0 net/ipv4/ip_sockglue.c:1285
inet_csk_compat_setsockopt+0x95/0x120 net/ipv4/inet_connection_sock.c:1041
compat_tcp_setsockopt+0x3d/0x70 net/ipv4/tcp.c:2916
compat_sock_common_setsockopt+0xb2/0x140 net/core/sock.c:2986
C_SYSC_setsockopt net/compat.c:403 [inline]
compat_SyS_setsockopt+0x17c/0x410 net/compat.c:386
do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f85c79
RSP: 002b:00000000ffe17c0c EFLAGS: 00000286 ORIG_RAX: 000000000000016e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000080 RSI: 0000000020159fb0 RDI: 0000000000000418
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
syzbot hit the following crash on upstream commit
ee78ad7848a72195e3683f9fdcc81f0b002fb2ed (Sat Feb 17 17:48:26 2018 +0000)
Merge tag 'powerpc-4.16-3' of
git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
So far this crash happened 36 times on upstream.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.
user-space arch: i386
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+845a53...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
audit: type=1400 audit(1518894929.943:7): avc: denied { map } for
pid=4162 comm="syzkaller739777" path="/root/syzkaller739777723" dev="sda1"
ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
WARNING: CPU: 1 PID: 4162 at net/bridge/netfilter/ebtables.c:2056
ebt_size_mwt net/bridge/netfilter/ebtables.c:2056 [inline]
WARNING: CPU: 1 PID: 4162 at net/bridge/netfilter/ebtables.c:2056
size_entry_mwt net/bridge/netfilter/ebtables.c:2122 [inline]
WARNING: CPU: 1 PID: 4162 at net/bridge/netfilter/ebtables.c:2056
compat_copy_entries+0xcfa/0x1050 net/bridge/netfilter/ebtables.c:2160
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 4162 Comm: syzkaller739777 Not tainted 4.16.0-rc1+ #227
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
panic+0x1e4/0x41c kernel/panic.c:183
__warn+0x1dc/0x200 kernel/panic.c:547
report_bug+0x211/0x2d0 lib/bug.c:184
fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
fixup_bug arch/x86/kernel/traps.c:247 [inline]
do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x58/0x80 arch/x86/entry/entry_64.S:957
RIP: 0010:ebt_size_mwt net/bridge/netfilter/ebtables.c:2056 [inline]
RIP: 0010:size_entry_mwt net/bridge/netfilter/ebtables.c:2122 [inline]
RIP: 0010:compat_copy_entries+0xcfa/0x1050
net/bridge/netfilter/ebtables.c:2160
RSP: 0018:ffff8801b4e2f7e8 EFLAGS: 00010293
RAX: ffff8801b1860140 RBX: 0000000000000000 RCX: ffffffff84f075ea
RDX: 0000000000000000 RSI: ffffc9000180d2bc RDI: 0000000000000000
RBP: ffff8801b4e2f968 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff8818b280 R11: 00000000fffffe78 R12: 0000000000000008
R13: dffffc0000000000 R14: ffff8801b4e2f9c8 R15: ffffc9000180d2c4
compat_do_replace+0x398/0x7c0 net/bridge/netfilter/ebtables.c:2249
compat_do_ebt_set_ctl+0x22a/0x2d0 net/bridge/netfilter/ebtables.c:2330
compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
compat_nf_setsockopt+0x88/0x130 net/netfilter/nf_sockopt.c:156
compat_ip_setsockopt+0x8b/0xd0 net/ipv4/ip_sockglue.c:1285
inet_csk_compat_setsockopt+0x95/0x120 net/ipv4/inet_connection_sock.c:1041
compat_tcp_setsockopt+0x3d/0x70 net/ipv4/tcp.c:2916
compat_sock_common_setsockopt+0xb2/0x140 net/core/sock.c:2986
C_SYSC_setsockopt net/compat.c:403 [inline]
compat_SyS_setsockopt+0x17c/0x410 net/compat.c:386
do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f85c79
RSP: 002b:00000000ffe17c0c EFLAGS: 00000286 ORIG_RAX: 000000000000016e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000080 RSI: 0000000020159fb0 RDI: 0000000000000418
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
Florian Westphal
Feb 18, 2018, 7:27:43 PM2/18/18
to netfilt...@vger.kernel.org, syzkall...@googlegroups.com, bri...@lists.linux-foundation.org, net...@vger.kernel.org, Florian Westphal
We need to make sure the offsets are not out of range of the
total size.
Also check that they are in ascending order.
The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
changed to also bail out, no point in continuing parsing.
Briefly tested with simple ruleset of
-A INPUT --limit 1/s' --log
plus jump to custom chains using 32bit ebtables binary.
Reported-by: <syzbot+845a53...@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 02c4b409d317..3f536c7a3354 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2053,7 +2053,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
if (match_kern)
match_kern->match_size = ret;
- WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+ if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+ return -EINVAL;
+
match32 = (struct compat_ebt_entry_mwt *) buf;
}
@@ -2109,6 +2111,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
*
* offsets are relative to beginning of struct ebt_entry (i.e., 0).
*/
+ for (i = 0; i < 4 ; ++i) {
+ if (offsets[i] >= *total)
+ return -EINVAL;
+ if (i == 0)
+ continue;
+ if (offsets[i-1] > offsets[i])
+ return -EINVAL;
+ }
+
for (i = 0, j = 1 ; j < 4 ; j++, i++) {
struct compat_ebt_entry_mwt *match32;
unsigned int size;
--
2.16.1
total size.
Also check that they are in ascending order.
The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
changed to also bail out, no point in continuing parsing.
Briefly tested with simple ruleset of
-A INPUT --limit 1/s' --log
plus jump to custom chains using 32bit ebtables binary.
Reported-by: <syzbot+845a53...@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 02c4b409d317..3f536c7a3354 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2053,7 +2053,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
if (match_kern)
match_kern->match_size = ret;
- WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+ if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+ return -EINVAL;
+
match32 = (struct compat_ebt_entry_mwt *) buf;
}
@@ -2109,6 +2111,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
*
* offsets are relative to beginning of struct ebt_entry (i.e., 0).
*/
+ for (i = 0; i < 4 ; ++i) {
+ if (offsets[i] >= *total)
+ return -EINVAL;
+ if (i == 0)
+ continue;
+ if (offsets[i-1] > offsets[i])
+ return -EINVAL;
+ }
+
for (i = 0, j = 1 ; j < 4 ; j++, i++) {
struct compat_ebt_entry_mwt *match32;
unsigned int size;
--
2.16.1
Pablo Neira Ayuso
Feb 25, 2018, 2:08:04 PM2/25/18
to Florian Westphal, netfilt...@vger.kernel.org, syzkall...@googlegroups.com, bri...@lists.linux-foundation.org, net...@vger.kernel.org
On Mon, Feb 19, 2018 at 01:24:15AM +0100, Florian Westphal wrote:
> We need to make sure the offsets are not out of range of the
> total size.
> Also check that they are in ascending order.
>
> The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
> changed to also bail out, no point in continuing parsing.
>
> Briefly tested with simple ruleset of
> -A INPUT --limit 1/s' --log
> plus jump to custom chains using 32bit ebtables binary.
Also applied, thanks.
> We need to make sure the offsets are not out of range of the
> total size.
> Also check that they are in ascending order.
>
> The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
> changed to also bail out, no point in continuing parsing.
>
> Briefly tested with simple ruleset of
> -A INPUT --limit 1/s' --log
> plus jump to custom chains using 32bit ebtables binary.
Reply all
Reply to author
Forward
0 new messages