bisecting fixing commit since ddec8ed2d4905d0967ce2ec432e440e582aa52c6
building syzkaller on 2ca0d3855c36da0994766801f4b5067a74824437
testing commit ddec8ed2d4905d0967ce2ec432e440e582aa52c6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7ae99a8c6ebefca0e874e223db1e63f4f5d22ff2b18be00283b0a88a308b2536
all runs: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
testing current HEAD 9be9ed2612b5aedb52a2c240edb1630b6b743cb6
testing commit 9be9ed2612b5aedb52a2c240edb1630b6b743cb6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d9c1d9a3fc6509cb45035aa278e0b634bc1ff902aa5d03601a5264cc55431d32
all runs: OK
# git bisect start 9be9ed2612b5aedb52a2c240edb1630b6b743cb6 ddec8ed2d4905d0967ce2ec432e440e582aa52c6
Bisecting: 15039 revisions left to test after this (roughly 14 steps)
[01e2d1579682734585510c7bbba917e25446299a] Merge branch 'skb-mono-delivery-time'
testing commit 01e2d1579682734585510c7bbba917e25446299a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d1f33a175c991c2a9d58987ea324cf46014363c77d9e507c5eb59217dd0be257
all runs: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
# git bisect good 01e2d1579682734585510c7bbba917e25446299a
Bisecting: 8125 revisions left to test after this (roughly 13 steps)
[25fd2d41b505d0640bdfe67aa77c549de2d3c18a] selftests: kselftest framework: provide "finished" helper
testing commit 25fd2d41b505d0640bdfe67aa77c549de2d3c18a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c47df8b802acf01e9e01692bfc805310d8eebce12de4a207e556d1259cc35f7c
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF
run #1: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #2: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #3: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #4: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #5: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #6: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #7: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #8: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #9: crashed: SYZFAIL: wrong response packet
# git bisect good 25fd2d41b505d0640bdfe67aa77c549de2d3c18a
Bisecting: 4230 revisions left to test after this (roughly 12 steps)
[ff61bc81b3feebcef4d0431a92e2e40e8d4fe8b3] Merge tag 'pinctrl-v5.18-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit ff61bc81b3feebcef4d0431a92e2e40e8d4fe8b3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ceb7f5db79681bf87e4d16293add5c328f8cf294ba981ac308bdfadd3b9eac0e
all runs: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
# git bisect good ff61bc81b3feebcef4d0431a92e2e40e8d4fe8b3
Bisecting: 2101 revisions left to test after this (roughly 11 steps)
[6a34fdcca452457a530980be2561dab06da3627f] Merge tag 'rtc-5.18' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
testing commit 6a34fdcca452457a530980be2561dab06da3627f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a828ce60671acb5d81da2a9b06d772d02ba5adbd7d80984f6ef15a9c0f5bcb36
all runs: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
# git bisect good 6a34fdcca452457a530980be2561dab06da3627f
Bisecting: 1051 revisions left to test after this (roughly 10 steps)
[fb649bda6f5642f173ee3429a965c769554f23d8] Merge tag 'block-5.18-2022-04-15' of git://git.kernel.dk/linux-block
testing commit fb649bda6f5642f173ee3429a965c769554f23d8
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0068d57dc4cdf086b8cf1ad75c0769948658aa4fd78762b271fcadf06b699b56
all runs: OK
# git bisect bad fb649bda6f5642f173ee3429a965c769554f23d8
Bisecting: 524 revisions left to test after this (roughly 9 steps)
[269219321eb7d7645a3122cf40a420c5dc655eb9] net: lan966x: Stop processing the MAC entry is port is wrong.
testing commit 269219321eb7d7645a3122cf40a420c5dc655eb9
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 734cbc93d69dfa79224a614516f9255c506174a595e3a1322fa2c275f0e61c54
all runs: OK
# git bisect bad 269219321eb7d7645a3122cf40a420c5dc655eb9
Bisecting: 261 revisions left to test after this (roughly 8 steps)
[88e6c0207623874922712e162e25d9dafd39661e] Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit 88e6c0207623874922712e162e25d9dafd39661e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f804b4b2841048fd551022db6e316e32c6b963bd8397ab49a5bd9eaf12f676c9
all runs: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
# git bisect good 88e6c0207623874922712e162e25d9dafd39661e
Bisecting: 130 revisions left to test after this (roughly 7 steps)
[ce4c854ee8681bc66c1c369518b6594e93b11ee5] Merge tag 'for-5.18-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
testing commit ce4c854ee8681bc66c1c369518b6594e93b11ee5
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 52a8c9718cfb7a200f9761efe5da9c8baeb6957b90d1d6d143f096f9a7c1cae5
all runs: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
# git bisect good ce4c854ee8681bc66c1c369518b6594e93b11ee5
Bisecting: 69 revisions left to test after this (roughly 6 steps)
[b423e54ba965b4469b48e46fd16941f1e1701697] myri10ge: fix an incorrect free for skb in myri10ge_sw_tso
testing commit b423e54ba965b4469b48e46fd16941f1e1701697
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 96aeac6116936b5353c3beb69e8900f3669c9c4704cb75b4ed59e3e2c71d31db
all runs: OK
# git bisect bad b423e54ba965b4469b48e46fd16941f1e1701697
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[5dc64b6dcbc2350200a05d0b495dfaef6723a87c] Merge branch 'bnxt_en-fixes'
testing commit 5dc64b6dcbc2350200a05d0b495dfaef6723a87c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9caaa9851e0a6e2acd94a3830b49984eca768452c968fde671453fe5b890b25c
all runs: OK
# git bisect bad 5dc64b6dcbc2350200a05d0b495dfaef6723a87c
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[6bf92d70e690b7ff12b24f4bfff5e5434d019b82] net: ipv4: fix route with nexthop object delete warning
testing commit 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ecb4872a91f98654dd8d7447627c1fd4d18244a3ca45df63e29d36503b961b4b
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[2c0069f3f91f125b1b2ce66cc6bea8eb134723c3] ice: Fix MAC address setting
testing commit 2c0069f3f91f125b1b2ce66cc6bea8eb134723c3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a68e81143a39adc0ff30583c8658483505cde7d3e44402fabac212f84ad54a04
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 2c0069f3f91f125b1b2ce66cc6bea8eb134723c3
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[012d69fbfcc739f846766c1da56ef8b493b803b5] vrf: fix packet sniffing for traffic originating from ip tunnels
testing commit 012d69fbfcc739f846766c1da56ef8b493b803b5
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 26689e6a9a4a8cee7c6d5195f46d80cbcc9d5232a2f85475ece917a3fd332229
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF
run #1: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 012d69fbfcc739f846766c1da56ef8b493b803b5
Bisecting: 0 revisions left to test after this (roughly 1 step)
[9381fe8c849cfbe50245ac01fc077554f6eaa0e2] net/tls: fix slab-out-of-bounds bug in decrypt_internal
testing commit 9381fe8c849cfbe50245ac01fc077554f6eaa0e2
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d332caf497308d0ba6606ae04c0ad725d57f3ba3372124fe372c235731908b2f
all runs: OK
# git bisect bad 9381fe8c849cfbe50245ac01fc077554f6eaa0e2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[059a47f1da93811d37533556d67e72f2261b1127] net: sfc: add missing xdp queue reinitialization
testing commit 059a47f1da93811d37533556d67e72f2261b1127
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: df3f0c3c48357d9be51e1c0043684da4f307171a60000497fd84d34972bf5c08
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF
run #1: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #2: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #3: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #4: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #5: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #6: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #7: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #8: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
run #9: boot failed: WARNING in blk_release_queue
# git bisect good 059a47f1da93811d37533556d67e72f2261b1127
9381fe8c849cfbe50245ac01fc077554f6eaa0e2 is the first bad commit
commit 9381fe8c849cfbe50245ac01fc077554f6eaa0e2
Author: Ziyang Xuan
Date: Thu Mar 31 15:04:28 2022 +0800

    net/tls: fix slab-out-of-bounds bug in decrypt_internal

    The memory size of tls_ctx->rx.iv for AES128-CCM is 12 setting in
    tls_set_sw_offload(). The return value of crypto_aead_ivsize()
    for "ccm(aes)" is 16. So memcpy() require 16 bytes from 12 bytes
    memory space will trigger slab-out-of-bounds bug as following:

    ==================================================================
    BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls]
    Read of size 16 at addr ffff888114e84e60 by task tls/10911

    Call Trace:
     dump_stack_lvl+0x34/0x44
     print_report.cold+0x5e/0x5db
     ? decrypt_internal+0x385/0xc40 [tls]
     kasan_report+0xab/0x120
     ? decrypt_internal+0x385/0xc40 [tls]
     kasan_check_range+0xf9/0x1e0
     memcpy+0x20/0x60
     decrypt_internal+0x385/0xc40 [tls]
     ? tls_get_rec+0x2e0/0x2e0 [tls]
     ? process_rx_list+0x1a5/0x420 [tls]
     ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls]
     decrypt_skb_update+0x9d/0x400 [tls]
     tls_sw_recvmsg+0x3c8/0xb50 [tls]

    Allocated by task 10911:
     kasan_save_stack+0x1e/0x40
     __kasan_kmalloc+0x81/0xa0
     tls_set_sw_offload+0x2eb/0xa20 [tls]
     tls_setsockopt+0x68c/0x700 [tls]
     __sys_setsockopt+0xfe/0x1b0

    Replace the crypto_aead_ivsize() with prot->iv_size + prot->salt_size
    when memcpy() iv value in TLS_1_3_VERSION scenario.

    Fixes: f295b3ae9f59 ("net/tls: Add support of AES128-CCM based ciphers")
    Signed-off-by: Ziyang Xuan
    Reviewed-by: Jakub Kicinski
    Signed-off-by: David S. Miller

 net/tls/tls_sw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
culprit signature: d332caf497308d0ba6606ae04c0ad725d57f3ba3372124fe372c235731908b2f
parent signature: df3f0c3c48357d9be51e1c0043684da4f307171a60000497fd84d34972bf5c08
revisions tested: 17, total time: 3h34m41.981388513s (build: 1h43m35.665317655s, test: 1h49m25.144753228s)
first good commit: 9381fe8c849cfbe50245ac01fc077554f6eaa0e2 net/tls: fix slab-out-of-bounds bug in decrypt_internal
recipients (to): ["davem@davemloft.net" "kuba@kernel.org" "william.xuanziyang@huawei.com"]
recipients (cc): []