ci starts bisection 2023-06-20 00:34:33.382166122 +0000 UTC m=+40373.231675482
bisecting fixing commit since e4cf7c25bae5c3b5089a3c23a897f450149caef2
building syzkaller on ab32d50881df9f96f2af301aadca62ad00b7e099
ensuring issue is reproducible on original commit e4cf7c25bae5c3b5089a3c23a897f450149caef2

testing commit e4cf7c25bae5c3b5089a3c23a897f450149caef2 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 34ea209f572a6488ae2cc54919bdf2b9cc3c08b43c93e63854c7ae4a01cf2461
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
testing current HEAD 692b7dc87ca6d55ab254f8259e6f970171dc9d01
testing commit 692b7dc87ca6d55ab254f8259e6f970171dc9d01 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ef7858d73bbf981e55881417030919ef81f58fa5647caa46d9a8a07021c36887
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect start 692b7dc87ca6d55ab254f8259e6f970171dc9d01 e4cf7c25bae5c3b5089a3c23a897f450149caef2
Bisecting: 16771 revisions left to test after this (roughly 14 steps)
[7ed34927254ae9eac0f6b0ad7e7c2bceb96fcdfc] Merge tag 'drm-intel-next-2023-03-23' of git://anongit.freedesktop.org/drm/drm-intel into drm-next
testing commit 7ed34927254ae9eac0f6b0ad7e7c2bceb96fcdfc gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 791fc84c4da62e3182710aa378cbee9bc8cbb4f35c762c39a4f1f04c9f1a59bb
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good 7ed34927254ae9eac0f6b0ad7e7c2bceb96fcdfc
Bisecting: 7866 revisions left to test after this (roughly 13 steps)
[6e98b09da931a00bf4e0477d0fa52748bf28fcce] Merge tag 'net-next-6.4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit 6e98b09da931a00bf4e0477d0fa52748bf28fcce gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 47974d606f9a6f102780e7234ccb9af1836d86332cdf0aeadb1932ef35ec9b4b
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good 6e98b09da931a00bf4e0477d0fa52748bf28fcce
Bisecting: 3986 revisions left to test after this (roughly 12 steps)
[d55571c0084465f1f7e1e29f22bd910d366a6e1d] Merge tag 'kbuild-v6.4' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
testing commit d55571c0084465f1f7e1e29f22bd910d366a6e1d gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8d1531da0a106bb811f6ae38c2bd50203c37a7e2fa32dc3a9a46907fbea9fe69
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good d55571c0084465f1f7e1e29f22bd910d366a6e1d
Bisecting: 1915 revisions left to test after this (roughly 11 steps)
[f085df1be60abf670315c11036261cfaec16b2eb] Merge tag 'perf-tools-for-v6.4-3-2023-05-06' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
testing commit f085df1be60abf670315c11036261cfaec16b2eb gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9ae2062c356bdc6570e15fc5bf1fea3c75f1f64104c3459dd4acfb67b549e81b
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good f085df1be60abf670315c11036261cfaec16b2eb
Bisecting: 955 revisions left to test after this (roughly 10 steps)
[bca7a46336e38667f7670aacd2098dc45b8b7868] Merge tag 'iio-fixes-for-6.4a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into char-misc-linus
testing commit bca7a46336e38667f7670aacd2098dc45b8b7868 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: fa62c556096f2da7c86d1ba423a6929822ce31369461e561fd536a702726848c
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad bca7a46336e38667f7670aacd2098dc45b8b7868
Bisecting: 467 revisions left to test after this (roughly 9 steps)
[d635f6cc934bcd467c5d67148ece74632fd96abf] Merge tag 'drm-fixes-2023-05-20' of git://anongit.freedesktop.org/drm/drm
testing commit d635f6cc934bcd467c5d67148ece74632fd96abf gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 030eb974615d43419a908fa0bff7c095bf44592eb606a604558fd3c3cf388078
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad d635f6cc934bcd467c5d67148ece74632fd96abf
Bisecting: 252 revisions left to test after this (roughly 8 steps)
[b802651bb6c90e53b30205b2a4358433e3be57c8] Merge tag 'media/v6.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit b802651bb6c90e53b30205b2a4358433e3be57c8 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 317070a5968d90ecb7163f0632f0d443ef86645bcf131bc4d282934584943edc
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good b802651bb6c90e53b30205b2a4358433e3be57c8
Bisecting: 126 revisions left to test after this (roughly 7 steps)
[2d1bcbc6cd703e64caf8df314e3669b4786e008a] Merge tag 'probes-fixes-v6.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
testing commit 2d1bcbc6cd703e64caf8df314e3669b4786e008a gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bf6154762b2514cb46ac20d62826dd42b3f5619aed844a1fd39e4364e4336dae
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad 2d1bcbc6cd703e64caf8df314e3669b4786e008a
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[60d758659f1fb49e0d5b6ac2691ede8c0958795b] igb: fix bit_shift to be in [1..8] range
testing commit 60d758659f1fb49e0d5b6ac2691ede8c0958795b gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d2ac0c08b303e3a895adc640903272260030d18eaff2f8ad94d0b06dce3a68ac
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad 60d758659f1fb49e0d5b6ac2691ede8c0958795b
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[56077b56cd3fb78e1c8619e29581ba25a5c55e86] tipc: do not update mtu if msg_max is too small in mtu negotiation
testing commit 56077b56cd3fb78e1c8619e29581ba25a5c55e86 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 039e0076138e04fcd899a04200c586e3da5dc2470a78f6a324fe3cef70eabc7e
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good 56077b56cd3fb78e1c8619e29581ba25a5c55e86
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[47d55c62bdb9ce55283243f61b0575d4a9ce3744] Merge tag 'linux-can-fixes-for-6.4-20230515' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
testing commit 47d55c62bdb9ce55283243f61b0575d4a9ce3744 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: da3c155071f925dbc611a7f97052be604f87ab0a9c6847d25d77fb33ef2f65a0
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good 47d55c62bdb9ce55283243f61b0575d4a9ce3744
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[6ad85ed0ebf7ece0f376950a6b3b3c6048093d35] Merge tag 'ipsec-2023-05-16' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
testing commit 6ad85ed0ebf7ece0f376950a6b3b3c6048093d35 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c4c70803dc0fac6ec6850dfab329eeb53e5cf9cea53bb5f9edf0936e5ae8d91d
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad 6ad85ed0ebf7ece0f376950a6b3b3c6048093d35
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[5fc46f94219d1d103ffb5f0832be9da674d85a73] Revert "Fix XFRM-I support for nested ESP tunnels"
testing commit 5fc46f94219d1d103ffb5f0832be9da674d85a73 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5e5bfa7c6a8c89722e2d4d6a4198e0bfb9c3012815906ab578c2be9fe5be196f
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good 5fc46f94219d1d103ffb5f0832be9da674d85a73
Bisecting: 1 revision left to test after this (roughly 1 step)
[cf3128a7aca55b2eefb68281d44749c683bdc96f] af_key: Reject optional tunnel/BEET mode templates in outbound policies
testing commit cf3128a7aca55b2eefb68281d44749c683bdc96f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9bfb477a41e2c56d3cb55e07bda2131e607723fdcff88f284dd5a1622f985a3e
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad cf3128a7aca55b2eefb68281d44749c683bdc96f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[3d776e31c841ba2f69895d2255a49320bec7cea6] xfrm: Reject optional tunnel/BEET mode templates in outbound policies
testing commit 3d776e31c841ba2f69895d2255a49320bec7cea6 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 526c166121b5e68f6fa856a554570aed0c6fe15e35deeebe90260ce3d03c1be2
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad 3d776e31c841ba2f69895d2255a49320bec7cea6
3d776e31c841ba2f69895d2255a49320bec7cea6 is the first bad commit
commit 3d776e31c841ba2f69895d2255a49320bec7cea6
Author: Tobias Brunner
Date: Tue May 9 10:59:58 2023 +0200

    xfrm: Reject optional tunnel/BEET mode templates in outbound policies

    xfrm_state_find() uses `encap_family` of the current template with
    the passed local and remote addresses to find a matching state.
    If an optional tunnel or BEET mode template is skipped in a mixed-family
    scenario, there could be a mismatch causing an out-of-bounds read as
    the addresses were not replaced to match the family of the next template.

    While there are theoretical use cases for optional templates in outbound
    policies, the only practical one is to skip IPComp states in inbound
    policies if uncompressed packets are received that are handled by an
    implicitly created IPIP state instead.

    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Tobias Brunner
    Acked-by: Herbert Xu
    Signed-off-by: Steffen Klassert

 net/xfrm/xfrm_user.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

culprit signature: 526c166121b5e68f6fa856a554570aed0c6fe15e35deeebe90260ce3d03c1be2
parent signature: 5e5bfa7c6a8c89722e2d4d6a4198e0bfb9c3012815906ab578c2be9fe5be196f
revisions tested: 17, total time: 6h5m57.18372789s (build: 4h19m10.995412622s, test: 1h41m27.108898053s)
first good commit: 3d776e31c841ba2f69895d2255a49320bec7cea6 xfrm: Reject optional tunnel/BEET mode templates in outbound policies
recipients (to): ["herbert@gondor.apana.org.au" "steffen.klassert@secunet.com" "tobias@strongswan.org"]
recipients (cc): []