On Thu, Feb 1, 2018 at 9:34 AM, Steffen Klassert <steffen.klass...@secunet.com> wrote:
> On Wed, Jan 31, 2018 at 07:58:01AM -0800, syzbot wrote:
>> Hello,
>>
>> syzbot hit the following crash on upstream commit
>> 72906f38934a49faf4d2d38ea9ae32adcf7d5d0c (Tue Jan 30 21:04:50 2018 +0000)
>> Merge branch 'x86-hyperv-for-linus' of
>> git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
>>
>> So far this crash happened 4 times on net-next, upstream.
>> C reproducer is attached.
>> syzkaller reproducer is attached.
>> Raw console output is attached.
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached.
>> user-space arch: i386
>
> Looks like we forgot to refuse to insert socket policies
> when userspace is 32 bit and kernel is 64 bit. We do this
> already for policies inserted with netlink because we don't
> have a compat layer for xfrm. This means that userspace
> and kernel structures don't match, leading to broken
> configurations.
>
> I don't have 32 bit userspace on 64 bit machines, so I
> can't test this myself. Can you please test this patch:
Hi Steffen,

Please see the email footer:

> If you want to test a patch for this bug, please reply with:
> #syz test: git://repo/address.git branch
> and provide the patch inline or as an attachment.

> Subject: [PATCH RFC] xfrm: Refuse to insert 32 bit userspace socket policies
> on 64 bit systems
>
> We don't have compat layer for xfrm, so userspace and kernel
> structures have different sizes in this case. This results in
> a broken configuration, so refuse to configure socket policies
> when trying to insert from 32 bit userspace as we do it already
> with policies inserted via netlink.
>
> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
> ---
> net/xfrm/xfrm_state.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
> index a3785f538018..25861a4ef872 100644
> --- a/net/xfrm/xfrm_state.c
> +++ b/net/xfrm/xfrm_state.c
> @@ -2056,6 +2056,11 @@ int xfrm_user_policy(struct sock *sk, int optname, u8
> __user *optval, int optlen
>  	struct xfrm_mgr *km;
>  	struct xfrm_policy *pol = NULL;
>  
> +#ifdef CONFIG_COMPAT
> +	if (in_compat_syscall())
> +		return -EOPNOTSUPP;
> +#endif
> +
>  	if (optlen <= 0 || optlen > PAGE_SIZE)
>  		return -EMSGSIZE;
>  
> --
> 2.14.1
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/20180201083418.rfarzrodccdy54xx%40gauss3.secunet.de.
> For more options, visit https://groups.google.com/d/optout.
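Review bot: the new `in_compat_syscall()` gate sits before the `optlen` sanity checks, so a 32-bit caller on a 64-bit kernel is refused outright with `-EOPNOTSUPP` whatever buffer it passes, which matches the stated intent of not parsing a structure whose layout cannot be trusted; that is a user-visible change for existing 32-bit programs that set socket policies on 64-bit kernels (they now get an error instead of a silently misparsed policy), and the commit message should say so explicitly. Two smaller points: "confuguration" in the commit message should read "configuration", and since the cover note says the patch could not be tested on 32-bit userspace, the `#syz test:` command quoted at the top of this reply can run the attached i386 reproducer against it before the RFC tag is dropped.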
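The reason "userspace and kernel structures have different sizes" when a 32-bit process talks to a 64-bit kernel without a compat layer is that the same declaration is laid out under different ABI alignment rules. The following added example (not code from this thread or from the kernel) computes the layout of a constructed field list that mixes 32-bit and 64-bit members under the i386 rule, where 8-byte integers are only 4-byte aligned inside structs, and under the x86_64 rule, where they are 8-byte aligned; the field list is an illustration of the pattern, not the real xfrm uapi structure, and the alignment values are the two ABIs' documented rules, not something taken from the page.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed field list (not a kernel structure): a __u32 followed by two
 * __u64 members and a trailing __u32, the kind of mix that makes a uapi
 * struct change size between ILP32 and LP64 callers. */
struct field {
    const char *name;
    size_t size;           /* bytes occupied by the member */
    size_t natural_align;  /* the member's own alignment requirement */
};

static const struct field demo_fields[] = {
    { "flags",      4, 4 },   /* __u32 */
    { "soft_limit", 8, 8 },   /* __u64 */
    { "hard_limit", 8, 8 },   /* __u64 */
    { "index",      4, 4 },   /* __u32 */
};
#define NFIELDS (sizeof demo_fields / sizeof demo_fields[0])

static size_t align_up(size_t v, size_t a)
{
    return (v + a - 1) / a * a;
}

/* Lay out the fields as a C compiler would: each member is placed at the
 * next offset that satisfies its alignment, capped at max_align (the ABI's
 * maximum in-struct alignment for 8-byte integers: 4 on i386, 8 on x86_64),
 * and the total size is padded to the struct's own alignment. Offsets are
 * written to `offsets` when it is non-NULL. */
size_t struct_size(const struct field *f, size_t n, size_t max_align,
                   size_t *offsets)
{
    size_t off = 0, struct_align = 1;

    for (size_t i = 0; i < n; i++) {
        size_t a = f[i].natural_align > max_align ? max_align
                                                  : f[i].natural_align;
        off = align_up(off, a);
        if (offsets)
            offsets[i] = off;
        off += f[i].size;
        if (a > struct_align)
            struct_align = a;
    }
    return align_up(off, struct_align);
}

/* Size of the demo struct as a 32-bit (i386) caller would build it. */
size_t demo_size_i386(void)
{
    return struct_size(demo_fields, NFIELDS, 4, NULL);
}

/* Size of the same declaration as the 64-bit (x86_64) kernel expects it. */
size_t demo_size_x86_64(void)
{
    return struct_size(demo_fields, NFIELDS, 8, NULL);
}

/* Print both layouts side by side so the offset drift is visible. */
int main(void)
{
    size_t off32[NFIELDS], off64[NFIELDS];
    size_t s32 = struct_size(demo_fields, NFIELDS, 4, off32);
    size_t s64 = struct_size(demo_fields, NFIELDS, 8, off64);

    printf("%-12s %8s %8s\n", "member", "i386", "x86_64");
    for (size_t i = 0; i < NFIELDS; i++)
        printf("%-12s %8zu %8zu\n", demo_fields[i].name, off32[i], off64[i]);
    printf("%-12s %8zu %8zu\n", "sizeof", s32, s64);
    return 0;
}
```

Every member after the first 64-bit field lands at a different offset for the two callers, and the totals differ (24 bytes versus 32), so a kernel that copied the 32-bit caller's buffer into its native structure would read the wrong bytes for each later field; refusing the operation in the compat path, as the patch does, is the conservative fix until a real translation layer exists.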