syzbot


UBSAN: shift-out-of-bounds in nft_hash_estimate

Status: fixed on 2021/11/10 00:50
Subsystems: netfilter
[Documentation on labels]
Fix commit: a54754ec9891 netfilter: nftables: avoid overflows in nft_hash_buckets()
First crash: 1253d, last: 1252d
Cause bisection: introduced by (bisect log) :
commit e32a4dc6512ce3c1a1920531246e7037896e510a
Author: Florian Westphal <fw@strlen.de>
Date: Tue Feb 18 10:59:26 2020 +0000

  netfilter: nf_tables: make sets built-in

Crash: UBSAN: undefined-behaviour in nft_hash_buckets (log)
Repro: C syz .config
  

Sample crash report:
================================================================================
UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 8402 Comm: syz-executor953 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
 __roundup_pow_of_two include/linux/log2.h:57 [inline]
 nft_hash_buckets net/netfilter/nft_set_hash.c:411 [inline]
 nft_hash_estimate.cold+0x19/0x1e net/netfilter/nft_set_hash.c:652
 nft_select_set_ops net/netfilter/nf_tables_api.c:3543 [inline]
 nf_tables_newset+0xd1f/0x3150 net/netfilter/nf_tables_api.c:4293
 nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
 nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43f499
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffed8d04b48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f499
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 0000000000403480 R08: 0000000000000008 R09: 0000000000400488
R10: 0000000000000a00 R11: 0000000000000246 R12: 0000000000403510
R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488
================================================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/05/05 17:03 net-old bbd6f0a94813 06c27ff5 .config console log report syz C ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in nft_hash_estimate
2021/05/05 13:13 net-next-old 95aafe911db6 06c27ff5 .config console log report syz C ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in nft_hash_estimate
2021/05/05 12:54 net-next-old 95aafe911db6 06c27ff5 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in nft_hash_estimate
* Struck through repros no longer work on HEAD.