KASAN: use-after-free Write in nf_nat_ipv6_manip_pkt

syzbot

Feb 18, 2018, 5:59:04 PM
to core...@netfilter.org, da...@davemloft.net, f...@strlen.de, kad...@blackhole.kfki.hu, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Hello,

syzbot hit the following crash on net-next commit
1ec010e705934c8acbe7dbf31afc81e60e3d828b (Fri Feb 16 10:03:07 2018 +0000)
tun: export flags, uid, gid, queue information over netlink

So far this crash happened 2 times on net-next, upstream.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+10005f...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==================================================================
BUG: KASAN: use-after-free in nf_nat_ipv6_manip_pkt+0x47c/0x490 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:106
Write of size 16 at addr ffff8801d551e0e0 by task syzkaller546592/4162

CPU: 0 PID: 4162 Comm: syzkaller546592 Not tainted 4.16.0-rc1+ #231
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x23b/0x360 mm/kasan/report.c:412
__asan_report_store_n_noabort+0x12/0x14 mm/kasan/report.c:449
nf_nat_ipv6_manip_pkt+0x47c/0x490 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:106
nf_nat_packet+0x3cb/0x560 net/netfilter/nf_nat_core.c:506
nf_nat_ipv6_fn+0x679/0xa80 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:329
nf_nat_ipv6_local_fn+0x33/0x5d0 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:407
ip6table_nat_local_fn+0x2c/0x40 net/ipv6/netfilter/ip6table_nat.c:69
nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
nf_hook include/linux/netfilter.h:243 [inline]
__ip6_local_out+0x517/0xaa0 net/ipv6/output_core.c:164
ip6_local_out+0x2d/0x160 net/ipv6/output_core.c:174
ip6_send_skb+0xa1/0x330 net/ipv6/ip6_output.c:1677
ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1697
rawv6_push_pending_frames net/ipv6/raw.c:616 [inline]
rawv6_sendmsg+0x2f96/0x40c0 net/ipv6/raw.c:935
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:639
___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
__sys_sendmsg+0xe5/0x210 net/socket.c:2081
SYSC_sendmsg net/socket.c:2092 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2088
do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x446ea9
RSP: 002b:00007ffc61680508 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000000003e RCX: 0000000000446ea9
RDX: 0000000000000000 RSI: 00000000209f2fc8 RDI: 0000000000000004
RBP: 00007ffc61680618 R08: 0000000000008a7f R09: 0000000000008a7f
R10: 0000000000000000 R11: 0000000000000217 R12: 00007ffc61680618
R13: 0000000000404370 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 4162:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
__do_kmalloc_node mm/slab.c:3669 [inline]
__kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3683
__kmalloc_reserve.isra.39+0x41/0xd0 net/core/skbuff.c:137
__alloc_skb+0x13b/0x780 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:986 [inline]
sock_wmalloc+0x140/0x1d0 net/core/sock.c:1941
__ip6_append_data.isra.44+0x26b9/0x3390 net/ipv6/ip6_output.c:1416
ip6_append_data+0x189/0x290 net/ipv6/ip6_output.c:1571
rawv6_sendmsg+0x1e09/0x40c0 net/ipv6/raw.c:928
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:639
___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
__sys_sendmsg+0xe5/0x210 net/socket.c:2081
SYSC_sendmsg net/socket.c:2092 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2088
do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x26/0x9b

Freed by task 4162:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
__cache_free mm/slab.c:3485 [inline]
kfree+0xd9/0x260 mm/slab.c:3800
skb_free_head+0x74/0xb0 net/core/skbuff.c:550
pskb_expand_head+0x36b/0x1210 net/core/skbuff.c:1492
__pskb_pull_tail+0x14a/0x17f0 net/core/skbuff.c:1875
skb_make_writable+0x15b/0x750 net/netfilter/core.c:528
tcp_manip_pkt+0x82/0x2d0 net/netfilter/nf_nat_proto_tcp.c:51
nf_nat_ipv6_manip_pkt+0x22d/0x490 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:99
nf_nat_packet+0x3cb/0x560 net/netfilter/nf_nat_core.c:506
nf_nat_ipv6_fn+0x679/0xa80 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:329
nf_nat_ipv6_local_fn+0x33/0x5d0 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:407
ip6table_nat_local_fn+0x2c/0x40 net/ipv6/netfilter/ip6table_nat.c:69
nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
nf_hook include/linux/netfilter.h:243 [inline]
__ip6_local_out+0x517/0xaa0 net/ipv6/output_core.c:164
ip6_local_out+0x2d/0x160 net/ipv6/output_core.c:174
ip6_send_skb+0xa1/0x330 net/ipv6/ip6_output.c:1677
ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1697
rawv6_push_pending_frames net/ipv6/raw.c:616 [inline]
rawv6_sendmsg+0x2f96/0x40c0 net/ipv6/raw.c:935
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:639
___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
__sys_sendmsg+0xe5/0x210 net/socket.c:2081
SYSC_sendmsg net/socket.c:2092 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2088
do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x26/0x9b

The buggy address belongs to the object at ffff8801d551e040
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 160 bytes inside of
512-byte region [ffff8801d551e040, ffff8801d551e240)
The buggy address belongs to the page:
page:ffffea0007554780 count:1 mapcount:0 mapping:ffff8801d551e040 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801d551e040 0000000000000000 0000000100000006
raw: ffffea00075763e0 ffffea00075571e0 ffff8801db000940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801d551df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801d551e000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ffff8801d551e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801d551e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801d551e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
raw.log.txt
repro.syz.txt
repro.c.txt
config.txt
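The allocation and free stacks above give the shape of this bug: nf_nat_ipv6_manip_pkt() derives ipv6h from skb->data, calls the L4 manip_pkt (tcp_manip_pkt), which goes through skb_make_writable() and pskb_expand_head() and frees the old skb head, and then performs the 16-byte address write at nf_nat_l3proto_ipv6.c:106 through the pointer into the freed head. The following user-space C model is an added illustration and not kernel code from this thread: struct pkt, make_writable(), manip_l4() and the two manip_l3_* variants are hypothetical stand-ins, and the quarantine is a simplified imitation of how KASAN poisons released memory (the 0xfb shadow bytes in the report) so that the stale write can be observed rather than silently corrupt live data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct sk_buff: only the head pointer and
 * the length matter for this pattern. */
struct pkt {
    unsigned char *data;
    size_t len;
};

/* Stand-in for the KASAN quarantine: the head released by make_writable()
 * is poisoned with 0xfb and kept aside instead of being handed back to the
 * allocator, so a write through a stale pointer is observable here. */
static unsigned char *quarantined;

/* Models pskb_expand_head(): the payload always moves to a fresh head and
 * the old head is released, so every pointer into it is now dangling. */
static int make_writable(struct pkt *p)
{
    unsigned char *fresh = malloc(p->len);
    if (!fresh)
        return -1;
    memcpy(fresh, p->data, p->len);
    free(quarantined);
    quarantined = p->data;
    memset(quarantined, 0xfb, p->len);   /* poison, like KASAN's freed marker */
    p->data = fresh;
    return 0;
}

/* Models the L4 step (tcp_manip_pkt in the report): it needs a writable
 * buffer, so the head may be relocated before the port is rewritten. */
static int manip_l4(struct pkt *p, size_t hdroff, uint16_t new_port)
{
    if (make_writable(p))
        return -1;
    p->data[hdroff] = (unsigned char)(new_port >> 8);
    p->data[hdroff + 1] = (unsigned char)(new_port & 0xff);
    return 0;
}

/* Buggy shape of nf_nat_ipv6_manip_pkt(): hdr is derived from p->data once,
 * before the call that can relocate the head. */
static int manip_l3_buggy(struct pkt *p, size_t iphdroff, size_t hdroff,
                          const unsigned char addr[16], uint16_t port)
{
    unsigned char *hdr = p->data + iphdroff;
    if (manip_l4(p, hdroff, port))
        return -1;
    memcpy(hdr + 8, addr, 16);   /* stale: the old head was released above */
    return 0;
}

/* Fixed shape, as in the patches in this thread: reload hdr from p->data
 * after manip_l4() so the write lands in the live head. */
static int manip_l3_fixed(struct pkt *p, size_t iphdroff, size_t hdroff,
                          const unsigned char addr[16], uint16_t port)
{
    unsigned char *hdr;
    if (manip_l4(p, hdroff, port))
        return -1;
    hdr = p->data + iphdroff;    /* must reload: p->data may have moved */
    memcpy(hdr + 8, addr, 16);
    return 0;
}

/* Constructed test vector: 2001:db8::1 as the new source address. */
static const unsigned char NEW_SRC[16] = {
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };

/* Runs one variant over a constructed 64-byte packet (IPv6 header at
 * offset 0, saddr at offset 8, TCP header at offset 40). Returns 1 when
 * the new address is present in the live packet, 0 when it is not, -1 on
 * error. *stale is set to 1 when the poisoned old head was written after
 * release, which is the condition KASAN flagged at line 106. */
static int run_variant(int use_fixed, int *stale)
{
    const size_t iphdroff = 0, hdroff = 40, len = 64;
    struct pkt p = { calloc(1, len), len };
    int rc, present, hit = 0;

    *stale = 0;
    if (!p.data)
        return -1;
    rc = use_fixed ? manip_l3_fixed(&p, iphdroff, hdroff, NEW_SRC, 4433)
                   : manip_l3_buggy(&p, iphdroff, hdroff, NEW_SRC, 4433);
    if (rc == 0 && quarantined)
        for (size_t i = 0; i < len; i++)
            if (quarantined[i] != 0xfb) { hit = 1; break; }
    *stale = hit;
    present = rc == 0 && memcmp(p.data + iphdroff + 8, NEW_SRC, 16) == 0;
    free(p.data);
    free(quarantined);
    quarantined = NULL;
    return rc ? -1 : present;
}

static int address_applied(int use_fixed) { int s; return run_variant(use_fixed, &s); }
static int stale_write_seen(int use_fixed) { int s; run_variant(use_fixed, &s); return s; }

int main(void)
{
    printf("buggy: applied=%d stale write=%d\n", address_applied(0), stale_write_seen(0));
    printf("fixed: applied=%d stale write=%d\n", address_applied(1), stale_write_seen(1));
    return 0;
}
```

In the buggy variant the address rewrite is lost (the live packet keeps its old source address) and the poisoned old head is modified, which is exactly the "Write of size 16" into freed memory the report shows; in the fixed variant the rewrite lands in the live head and the old one stays untouched. Any pointer derived from skb->data before a call that may go through skb_make_writable() has to be treated the same way.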

syzbot

Feb 18, 2018, 9:15:42 PM
to Florian Westphal, f...@strlen.de, syzkall...@googlegroups.com
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

Your 'test:' command is accepted, but please keep
syzkall...@googlegroups.com mailing list in CC next time. It serves as
a history of what happened with each bug report. Thank you.


> diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
> b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
> --- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
> +++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
> @@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct sk_buff *skb,
> !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
> target, maniptype))
> return false;
> +
> + /* must reload, offset might have changed */
> + ipv6h = (void *)skb->data + iphdroff;
> +
> manip_addr:
> if (maniptype == NF_NAT_MANIP_SRC)
> ipv6h->saddr = target->src.u3.in6;
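Review bot: the comment on the added line, "must reload, offset might have changed", names the wrong thing: iphdroff is unchanged across the l4proto->manip_pkt() call, what can change is skb->data itself, since the freed-by stack in the report shows tcp_manip_pkt -> skb_make_writable -> pskb_expand_head releasing the old head. Suggest wording it as "/* manip_pkt() may have reallocated skb->data, reload ipv6h */" so the next reader does not look for an offset update. The placement is right: the reload sits after the early return and before the manip_addr: label, so the path that reaches the label without calling manip_pkt is untouched and the saddr write below the label goes through the refreshed pointer.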
> --
> 2.16.1

syzbot

Feb 18, 2018, 9:33:02 PM
to core...@netfilter.org, da...@davemloft.net, f...@strlen.de, kad...@blackhole.kfki.hu, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by:
syzbot+10005f...@syzkaller.appspotmail.com

Note: the tag will also help syzbot to understand when the bug is fixed.

Tested on git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/master commit
de526f401284e1638d4c97cb5a4c292ac3f37655 (Mon Feb 12 16:11:48 2018 +0000)
netfilter: xt_hashlimit: fix lock imbalance

compiler: gcc (GCC) 7.1.1 20170620
Patch is attached.
Kernel config is attached.


---
There is no WARRANTY for the result, to the extent permitted by applicable law.
Except when otherwise stated in writing syzbot provides the result "AS IS"
without warranty of any kind, either expressed or implied, but not limited to,
the implied warranties of merchantability and fitness for a particular purpose.
The entire risk as to the quality of the result is with you. Should the result
prove defective, you assume the cost of all necessary servicing, repair or
correction.
patch.diff
config.txt

Paolo Abeni

Feb 19, 2018, 3:16:16 AM
to syzbot, syzkall...@googlegroups.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master
---
diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
index bed57ee65f7b..3044ea30fcbe 100644
--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -99,6 +99,9 @@ static bool nf_nat_ipv6_manip_pkt(struct sk_buff *skb,
!l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
target, maniptype))
return false;
+
+ /* manip_pkt() may clone the skb, we must re-read skb->data */
+ ipv6h = (void *)skb->data + iphdroff;
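Review bot: the hunk as shown here is truncated: the header says @@ -99,6 +99,9 @@ but only the three leading context lines and the three added lines appear, the trailing context (the manip_addr: label and the address write the reload protects) is missing, so the patch should be re-sent whole before it is applied. The added comment, "manip_pkt() may clone the skb, we must re-read skb->data", also does not match the failure: the freed-by stack in the report is skb_make_writable -> __pskb_pull_tail -> pskb_expand_head, which reallocates the skb head rather than cloning the skb; "manip_pkt() may reallocate skb->data, re-read it" states the reason for the reload precisely.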

syzbot

Feb 19, 2018, 3:33:02 AM
to core...@netfilter.org, da...@davemloft.net, f...@strlen.de, kad...@blackhole.kfki.hu, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, pab...@redhat.com, pa...@netfilter.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by:
syzbot+10005f...@syzkaller.appspotmail.com

Note: the tag will also help syzbot to understand when the bug is fixed.

Tested on net commit 9ab2323ca184168c288f7355fc19ec0838efc20c (Fri Feb 16 09:18:33 2018 +0000)
sctp: remove the left unnecessary check for chunk in sctp_renege_events
patch.diff
config.txt