bisecting fixing commit since 01364dad1d4577e27a57729d41053f661bb8a5b9
building syzkaller on 78267cec1aaa5e066d66e6a6c76fea1753e51b46
testing commit 01364dad1d4577e27a57729d41053f661bb8a5b9 with gcc (GCC) 8.1.0
kernel signature: b039dd9694f5991f9d2e77b76b129d6cb919ec0eb1f1ad8176c95cc8eb5475c4
all runs: crashed: KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user
testing current HEAD c10b57a567e4333b9fdf60b5ec36de9859263ca2
testing commit c10b57a567e4333b9fdf60b5ec36de9859263ca2 with gcc (GCC) 8.1.0
kernel signature: c6cbaef350c8a726115968faabcf20002d9f1f8120922a03db082a0a4dbd135e
all runs: OK
# git bisect start c10b57a567e4333b9fdf60b5ec36de9859263ca2 01364dad1d4577e27a57729d41053f661bb8a5b9
Bisecting: 94 revisions left to test after this (roughly 7 steps)
[88f7a6aa7fb9aa5076b65489146045dac865f1d3] scripts/dtc: Remove redundant YYLOC global declaration
testing commit 88f7a6aa7fb9aa5076b65489146045dac865f1d3 with gcc (GCC) 8.1.0
kernel signature: 961b5c4d5791ff3e6ad5203b431c4bf608c913c7638ee0c665e276615a5a6f5d
all runs: crashed: KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user
# git bisect good 88f7a6aa7fb9aa5076b65489146045dac865f1d3
Bisecting: 47 revisions left to test after this (roughly 6 steps)
[14f307ec369c074208f51bb5e4e45d83bf415506] net: ks8851-ml: Fix IO operations, again
testing commit 14f307ec369c074208f51bb5e4e45d83bf415506 with gcc (GCC) 8.1.0
kernel signature: 8167fb82ffcfa731dc4b3bec84e53dbfcd651eda62d92f9afafad664670ed758
all runs: OK
# git bisect bad 14f307ec369c074208f51bb5e4e45d83bf415506
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[e68fb968fdd1d6f8c8558907edf1ce0b33a8108c] USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback
testing commit e68fb968fdd1d6f8c8558907edf1ce0b33a8108c with gcc (GCC) 8.1.0
kernel signature: 125515b93ee4429cc21dd9e98b2bf54ff931cba8aa95f9d42709697d8b539805
all runs: OK
# git bisect bad e68fb968fdd1d6f8c8558907edf1ce0b33a8108c
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[c91b46394b340ed790d6aed76f0044c1c7838de0] xfrm: fix uctx len check in verify_sec_ctx_len
testing commit c91b46394b340ed790d6aed76f0044c1c7838de0 with gcc (GCC) 8.1.0
kernel signature: 572f12efbc707ea65750f0be983ab2cde031b85f17ff2b5124249caa64dccb62
all runs: crashed: KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user
# git bisect good c91b46394b340ed790d6aed76f0044c1c7838de0
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[c97a86b9ea96f3c72c1b5288f8b25f21bf7fad20] Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger()
testing commit c97a86b9ea96f3c72c1b5288f8b25f21bf7fad20 with gcc (GCC) 8.1.0
kernel signature: 1cf2c39acb2ef7bcf1d2500ef40b447ebbcbbb51f2eefe0aed62bed30ec24b5e
all runs: OK
# git bisect bad c97a86b9ea96f3c72c1b5288f8b25f21bf7fad20
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[ba2bc76526e19cc6d67bbaa3c979ab3c576d71e9] netfilter: nft_fwd_netdev: validate family and chain type
testing commit ba2bc76526e19cc6d67bbaa3c979ab3c576d71e9 with gcc (GCC) 8.1.0
kernel signature: c56f43b8ffbfb219f2881f96f1a65b07b992239986244efc9f8fe1025d893dfc
all runs: OK
# git bisect bad ba2bc76526e19cc6d67bbaa3c979ab3c576d71e9
Bisecting: 0 revisions left to test after this (roughly 1 step)
[dc0ea9b710102ef628a26663d892031a2c381549] xfrm: policy: Fix doulbe free in xfrm_policy_timer
testing commit dc0ea9b710102ef628a26663d892031a2c381549 with gcc (GCC) 8.1.0
kernel signature: 8b02eed6fd1b7662d147e72584a8c38de0f47b881f36659b0647ec49a3be3968
all runs: OK
# git bisect bad dc0ea9b710102ef628a26663d892031a2c381549
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[25106012e91a2399c487f495f81a48186f5a6a73] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
testing commit 25106012e91a2399c487f495f81a48186f5a6a73 with gcc (GCC) 8.1.0
kernel signature: 12e83a83e4494e2d48589155745988eaa26d0f0715eac4a4152c16c6c3f8d6d5
all runs: OK
# git bisect bad 25106012e91a2399c487f495f81a48186f5a6a73
25106012e91a2399c487f495f81a48186f5a6a73 is the first bad commit
commit 25106012e91a2399c487f495f81a48186f5a6a73
Author: Xin Long
Date:   Sun Feb 9 21:16:38 2020 +0800

    xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire

    commit a1a7e3a36e01ca6e67014f8cf673cb8e47be5550 upstream.

    Without doing verify_sec_ctx_len() check in xfrm_add_acquire(), it may be
    out-of-bounds to access uctx->ctx_str with uctx->ctx_len, as noticed by syz:

      BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x237/0x430
      Read of size 768 at addr ffff8880123be9b4 by task syz-executor.1/11650

      Call Trace:
       dump_stack+0xe8/0x16e
       print_address_description.cold.3+0x9/0x23b
       kasan_report.cold.4+0x64/0x95
       memcpy+0x1f/0x50
       selinux_xfrm_alloc_user+0x237/0x430
       security_xfrm_policy_alloc+0x5c/0xb0
       xfrm_policy_construct+0x2b1/0x650
       xfrm_add_acquire+0x21d/0xa10
       xfrm_user_rcv_msg+0x431/0x6f0
       netlink_rcv_skb+0x15a/0x410
       xfrm_netlink_rcv+0x6d/0x90
       netlink_unicast+0x50e/0x6a0
       netlink_sendmsg+0x8ae/0xd40
       sock_sendmsg+0x133/0x170
       ___sys_sendmsg+0x834/0x9a0
       __sys_sendmsg+0x100/0x1e0
       do_syscall_64+0xe5/0x660
       entry_SYSCALL_64_after_hwframe+0x6a/0xdf

    So fix it by adding the missing verify_sec_ctx_len check there.

    Fixes: 980ebd25794f ("[IPSEC]: Sync series - acquire insert")
    Reported-by: Hangbin Liu
    Signed-off-by: Xin Long
    Signed-off-by: Steffen Klassert
    Signed-off-by: Greg Kroah-Hartman

 net/xfrm/xfrm_user.c | 3 +++
 1 file changed, 3 insertions(+)

culprit signature: 12e83a83e4494e2d48589155745988eaa26d0f0715eac4a4152c16c6c3f8d6d5
parent signature: 572f12efbc707ea65750f0be983ab2cde031b85f17ff2b5124249caa64dccb62
revisions tested: 10, total time: 2h50m13.911927118s (build: 1h28m12.213575838s, test: 1h20m59.297737044s)
first good commit: 25106012e91a2399c487f495f81a48186f5a6a73 xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
cc: ["gregkh@linuxfoundation.org" "lucien.xin@gmail.com" "steffen.klassert@secunet.com"]