syzbot


panic: malformed IPv4 option passed to ip_optcopy (2)

Status: fixed on 2019/01/19 20:26
Reported-by: syzbot+4da6b6be6ae02a24ff31@syzkaller.appspotmail.com
Fix commit: Bring back the ip_pcbopts() refactor. Pad the option buffer and therefor the mbuf to the next word length as it is required by the standard. Also use the correct offset from the input mbuf. OK visa@, input & OK bluhm@
First crash: 1357d, last: 1353d
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
openbsd panic: malformed IPv4 option passed to ip_optcopy C 10 1373d 1382d 3/3 fixed on 2019/01/08 00:18

Sample crash report:
panic: malformed IPv4 option passed to ip_optcopy
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 198720  94493      0           0          0    0  syz-executor5461
*149272  94493      0           0  0x4000000    1K syz-executor5461
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
ip_fragment(cf5c07fbf8856990,ffffff007f1433d9,ffff800000173290) at ip_fragment+0x625
ip_output(17d5a39689666dd0,ffffff006f307460,ffffff007f143300,0,ffffff006f016800,ffffff006f308c00) at ip_output+0xc8d sys/netinet/ip_output.c:501
udp_output(cf5c07fbf81f54fa,1400,ffffff006f308c00,0) at udp_output+0x45a sys/netinet/udp_usrreq.c:1004
sosend(58a7126b623f4bbc,ffffff006e4af260,ffff8000210e72c8,ffff8000210e7400,1000,0) at sosend+0x477 sys/kern/uipc_socket.c:513
dofilewritev(c5a2f71672af20b5,0,3,ffff8000210b4bc8,ffff8000210e7400) at dofilewritev+0x148 sys/kern/sys_generic.c:364
sys_writev(fbe5352a4b0548a4,790,ffff8000210b4bc8) at sys_writev+0xdb sys/kern/sys_generic.c:310
syscall(2d7fac4b52467d04) at syscall+0x473 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(2d7fac4b52467d04) at syscall+0x473 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,10aec53c4a0,0,1083f18e108,1083f18e100) at Xsyscall+0x128
end of kernel
end trace frame: 0x10afe8803d0, count: 5
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> show panic
malformed IPv4 option passed to ip_optcopy
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
ip_fragment(cf5c07fbf8856990,ffffff007f1433d9,ffff800000173290) at ip_fragment+0x625
ip_output(17d5a39689666dd0,ffffff006f307460,ffffff007f143300,0,ffffff006f016800,ffffff006f308c00) at ip_output+0xc8d sys/netinet/ip_output.c:501
udp_output(cf5c07fbf81f54fa,1400,ffffff006f308c00,0) at udp_output+0x45a sys/netinet/udp_usrreq.c:1004
sosend(58a7126b623f4bbc,ffffff006e4af260,ffff8000210e72c8,ffff8000210e7400,1000,0) at sosend+0x477 sys/kern/uipc_socket.c:513
dofilewritev(c5a2f71672af20b5,0,3,ffff8000210b4bc8,ffff8000210e7400) at dofilewritev+0x148 sys/kern/sys_generic.c:364
sys_writev(fbe5352a4b0548a4,790,ffff8000210b4bc8) at sys_writev+0xdb sys/kern/sys_generic.c:310
syscall(2d7fac4b52467d04) at syscall+0x473 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(2d7fac4b52467d04) at syscall+0x473 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,10aec53c4a0,0,1083f18e108,1083f18e100) at Xsyscall+0x128
end of kernel
end trace frame: 0x10afe8803d0, count: -10
ddb{1}> show registers
rdi               0xffffffff81edbb38    kprintf_mutex
rsi                              0x5
rbp               0xffff8000210e6ef0
rbx               0xffff8000210e6f90
rdx                            0x3fd
rcx                                0
rax                              0x1
r8                0xffff8000210e6ec0
r9                                 0
r10               0x8989983e3d4cbb6c
r11               0x1ecd66cd6e111d7c
r12                     0x3000000008
r13               0xffff8000210e6f00
r14                            0x100
r15               0xffffffff81c5e947    substchar+0x10fc3
rip               0xffffffff811bca38    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff8000210e6ee0
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor5461) pid=149272 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=51, usrpri=51, nice=20
    forw=0xffffffffffffffff, list=0xffff8000210b4e20,0xffffffff81f734e0
    process=0xffff80002109a018 user=0xffff8000210e2000, vmspace=0xffffff007f123528
    estcpu=1, cpticks=1, pctcpu=0.0
    user=0, sys=1, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 94493  198720  43260      0  7           0                syz-executor5461
 94493  162239  43260      0  3   0x4000080  fsleep        syz-executor5461
 94493  394784  43260      0  3   0x4000080  fsleep        syz-executor5461
*94493  149272  43260      0  7   0x4000000                syz-executor5461
 43260  274301  75395      0  3        0x82  nanosleep     syz-executor5461
 75395  450220  64241      0  3    0x10008a  pause         ksh
 64241  303646  48657      0  3        0x92  select        sshd
 79547  114943      1      0  3    0x100083  ttyin         getty
 48657  227558      1      0  3        0x80  select        sshd
 96995   62829  52889     73  3    0x100090  kqread        syslogd
 52889  195501      1      0  3    0x100082  netio         syslogd
 54315  463431      1     77  3    0x100090  poll          dhclient
 73361  215428      1      0  3        0x80  poll          dhclient
 86678  514671      0      0  3     0x14200  pgzero        zerothread
 42358  218261      0      0  3     0x14200  aiodoned      aiodoned
 49820  313607      0      0  3     0x14200  syncer        update
 37386  150931      0      0  3     0x14200  cleaner       cleaner
 99507  369069      0      0  3     0x14200  reaper        reaper
 71626  455578      0      0  3     0x14200  pgdaemon      pagedaemon
  5952  290225      0      0  3     0x14200  bored         crynlk
 45274  204849      0      0  3     0x14200  bored         crypto
 64538  202509      0      0  3  0x40014200  acpi0         acpi0
 65675  191149      0      0  3  0x40014200                idle1
 54482  144785      0      0  3     0x14200  bored         softnet
 35473  495950      0      0  3     0x14200  bored         systqmp
 50658  228535      0      0  3     0x14200  bored         systq
 16489  118424      0      0  3  0x40014200  bored         softclock
 47302  104405      0      0  3  0x40014200                idle0
     1  106821      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}> 

Crashes (149):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-openbsd-setuid 2019/01/13 07:45 openbsd 5d60bdcf2121 c3f3344c .config log report syz C
ci-openbsd-setuid 2019/01/13 05:20 openbsd 5d60bdcf2121 c3f3344c .config log report syz
ci-openbsd-multicore 2019/01/16 22:34 openbsd 17e34b32ed8c 352bac0d .config log report
ci-openbsd-multicore 2019/01/16 21:28 openbsd 17e34b32ed8c 352bac0d .config log report
ci-openbsd-main 2019/01/16 19:33 openbsd 17e34b32ed8c 352bac0d .config log report
ci-openbsd-setuid 2019/01/16 18:08 openbsd 17e34b32ed8c 352bac0d .config log report
ci-openbsd-setuid 2019/01/16 17:46 openbsd 17e34b32ed8c 352bac0d .config log report
ci-openbsd-setuid 2019/01/16 16:35 openbsd 17e34b32ed8c 352bac0d .config log report
ci-openbsd-setuid 2019/01/16 14:43 openbsd 17e34b32ed8c 352bac0d .config log report
ci-openbsd-setuid 2019/01/16 12:01 openbsd 17e34b32ed8c 352bac0d .config log report
ci-openbsd-main 2019/01/16 10:57 openbsd 17e34b32ed8c 352bac0d .config log report
ci-openbsd-main 2019/01/16 09:42 openbsd 17e34b32ed8c b47fa78d .config log report
ci-openbsd-setuid 2019/01/16 07:50 openbsd 17e34b32ed8c b47fa78d .config log report
ci-openbsd-multicore 2019/01/16 06:44 openbsd 39356ae6e19b b47fa78d .config log report
ci-openbsd-main 2019/01/16 05:40 openbsd 39356ae6e19b b47fa78d .config log report
ci-openbsd-multicore 2019/01/16 03:32 openbsd 39356ae6e19b b47fa78d .config log report
ci-openbsd-setuid 2019/01/16 02:18 openbsd 39356ae6e19b b47fa78d .config log report
ci-openbsd-main 2019/01/16 00:00 openbsd 39356ae6e19b b47fa78d .config log report
ci-openbsd-setuid 2019/01/15 22:38 openbsd 39356ae6e19b b47fa78d .config log report
ci-openbsd-setuid 2019/01/15 21:29 openbsd 39356ae6e19b b47fa78d .config log report
ci-openbsd-setuid 2019/01/15 20:16 openbsd 39356ae6e19b b47fa78d .config log report
ci-openbsd-setuid 2019/01/15 19:42 openbsd 39356ae6e19b b47fa78d .config log report
ci-openbsd-setuid 2019/01/15 18:05 openbsd 39356ae6e19b b47fa78d .config log report
ci-openbsd-setuid 2019/01/15 16:31 openbsd a1d3f8bc44da ebacf5cb .config log report
ci-openbsd-setuid 2019/01/15 14:23 openbsd a1d3f8bc44da ebacf5cb .config log report
ci-openbsd-setuid 2019/01/15 13:08 openbsd a1d3f8bc44da ebacf5cb .config log report
ci-openbsd-setuid 2019/01/15 11:19 openbsd a1d3f8bc44da ebacf5cb .config log report
ci-openbsd-setuid 2019/01/15 09:41 openbsd a1d3f8bc44da ebacf5cb .config log report
ci-openbsd-multicore 2019/01/15 08:20 openbsd a1d3f8bc44da ebacf5cb .config log report
ci-openbsd-main 2019/01/15 07:00 openbsd a1d3f8bc44da ebacf5cb .config log report
ci-openbsd-multicore 2019/01/15 04:57 openbsd febce3603669 2f3438a8 .config log report
ci-openbsd-setuid 2019/01/15 04:43 openbsd febce3603669 2f3438a8 .config log report
ci-openbsd-main 2019/01/15 03:08 openbsd febce3603669 2f3438a8 .config log report
ci-openbsd-setuid 2019/01/15 01:55 openbsd febce3603669 2f3438a8 .config log report
ci-openbsd-multicore 2019/01/15 00:02 openbsd febce3603669 2f3438a8 .config log report
ci-openbsd-setuid 2019/01/14 20:08 openbsd febce3603669 2f3438a8 .config log report
ci-openbsd-setuid 2019/01/14 19:07 openbsd a30f5dcbf70f 2f3438a8 .config log report
ci-openbsd-setuid 2019/01/14 17:18 openbsd a30f5dcbf70f 2f3438a8 .config log report
ci-openbsd-main 2019/01/14 17:01 openbsd a30f5dcbf70f 2f3438a8 .config log report
ci-openbsd-setuid 2019/01/14 15:58 openbsd a30f5dcbf70f 2f3438a8 .config log report
ci-openbsd-setuid 2019/01/14 13:57 openbsd a30f5dcbf70f 2f3438a8 .config log report
ci-openbsd-setuid 2019/01/14 11:49 openbsd a30f5dcbf70f 2f3438a8 .config log report
ci-openbsd-multicore 2019/01/14 10:12 openbsd a30f5dcbf70f 2f3438a8 .config log report
ci-openbsd-setuid 2019/01/14 08:51 openbsd a30f5dcbf70f 2f3438a8 .config log report
ci-openbsd-multicore 2019/01/14 07:47 openbsd a30f5dcbf70f 2f3438a8 .config log report
ci-openbsd-setuid 2019/01/14 06:08 openbsd fd2fcf1a4ee4 2f3438a8 .config log report
ci-openbsd-setuid 2019/01/14 05:19 openbsd fd2fcf1a4ee4 2f3438a8 .config log report
ci-openbsd-main 2019/01/14 04:45 openbsd fd2fcf1a4ee4 2f3438a8 .config log report
ci-openbsd-setuid 2019/01/13 04:58 openbsd 5d60bdcf2121 c3f3344c .config log report
* Struck through repros no longer work on HEAD.