bisecting fixing commit since 5692097116094a4a7045abcc1dbc172dbdc5657e
building syzkaller on 749688d22abef3f3cb9a0480e15c19a3f2ed8e13
testing commit 5692097116094a4a7045abcc1dbc172dbdc5657e with gcc (GCC) 8.1.0
kernel signature: ec01f7f11d1f6c447b8a505742246f2c55aff37734473c9b6ef35213410f112e
all runs: crashed: KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user
testing current HEAD 6dd0e32665e591e9debe3edaf73c2f8135bf047e
testing commit 6dd0e32665e591e9debe3edaf73c2f8135bf047e with gcc (GCC) 8.1.0
kernel signature: 356b477ca4003ca63035ee3461ea236bea565439963d911dd01df8cbef819e29
all runs: OK
# git bisect start 6dd0e32665e591e9debe3edaf73c2f8135bf047e 5692097116094a4a7045abcc1dbc172dbdc5657e
Bisecting: 187 revisions left to test after this (roughly 8 steps)
[6c1051ffc77feffc30d3f0f24defd8032b6c42e3] x86/mm: split vmalloc_sync_all()
testing commit 6c1051ffc77feffc30d3f0f24defd8032b6c42e3 with gcc (GCC) 8.1.0
kernel signature: db1bf207f05f5adaa9eae81944abb8682412ac079e5ce278fb6147ce2935ae87
all runs: crashed: KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user
# git bisect good 6c1051ffc77feffc30d3f0f24defd8032b6c42e3
Bisecting: 93 revisions left to test after this (roughly 7 steps)
[583965eaec37fce852cff7184c01312a5e0a0eb4] USB: serial: option: add support for ASKEY WWHC050
testing commit 583965eaec37fce852cff7184c01312a5e0a0eb4 with gcc (GCC) 8.1.0
kernel signature: dac6a39d9ee93176daa859a93381cb4cf2de9c086771e2dc11f969de52050bc9
all runs: OK
# git bisect bad 583965eaec37fce852cff7184c01312a5e0a0eb4
Bisecting: 46 revisions left to test after this (roughly 6 steps)
[85eaea5f8e2d53ba97154973c711fe426b11122e] hsr: set .netnsok flag
testing commit 85eaea5f8e2d53ba97154973c711fe426b11122e with gcc (GCC) 8.1.0
kernel signature: 92dc5502f40a6c7c4ecd00eaabf2a944692bef41f679b99863d64e1f4ffad42d
all runs: crashed: KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user
# git bisect good 85eaea5f8e2d53ba97154973c711fe426b11122e
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[55831a04b548dc442031f9e2d0d5540f23fb839c] tools: Let O= makes handle a relative path with -C option
testing commit 55831a04b548dc442031f9e2d0d5540f23fb839c with gcc (GCC) 8.1.0
kernel signature: fe58565b9f9355d7ad02d24d16259bb2dbc60a36f090415c9889b06716ef79bb
all runs: crashed: KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user
# git bisect good 55831a04b548dc442031f9e2d0d5540f23fb839c
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[2eb46d0044849a70c796e3646a6ce50e5a69a992] RDMA/mlx5: Block delay drop to unprivileged users
testing commit 2eb46d0044849a70c796e3646a6ce50e5a69a992 with gcc (GCC) 8.1.0
kernel signature: 8840bb2f9d800211840bc62c714c5c6e9f03da8eaa58dadd525c9d7523da69d1
all runs: crashed: KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user
# git bisect good 2eb46d0044849a70c796e3646a6ce50e5a69a992
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[24c290b811945102e2c0e51cfe4b9efea9ae49d4] netfilter: nft_fwd_netdev: validate family and chain type
testing commit 24c290b811945102e2c0e51cfe4b9efea9ae49d4 with gcc (GCC) 8.1.0
kernel signature: 67d36d2b74ce2ddaa4f2a2bace46a41aa804aeadec1d8632c5c60bb81d761890
all runs: OK
# git bisect bad 24c290b811945102e2c0e51cfe4b9efea9ae49d4
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[7ad217a824f7fab1e8534a6dfa82899ae1900bcb] xfrm: policy: Fix doulbe free in xfrm_policy_timer
testing commit 7ad217a824f7fab1e8534a6dfa82899ae1900bcb with gcc (GCC) 8.1.0
kernel signature: 5f0cbf166ecca964c77d6d6e3ddb5847f299a6e2fa5dd9b22fa948668039447b
all runs: OK
# git bisect bad 7ad217a824f7fab1e8534a6dfa82899ae1900bcb
Bisecting: 0 revisions left to test after this (roughly 1 step)
[0a7b397c013322fec975f30012302f694efba2da] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
testing commit 0a7b397c013322fec975f30012302f694efba2da with gcc (GCC) 8.1.0
kernel signature: 9b930996f193cede556af3e5806cf37d33cda1f8b48fb6eac7f5b002af77f948
all runs: OK
# git bisect bad 0a7b397c013322fec975f30012302f694efba2da
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[cf265c64c91957fd0f1b86b7427028d823966d74] xfrm: fix uctx len check in verify_sec_ctx_len
testing commit cf265c64c91957fd0f1b86b7427028d823966d74 with gcc (GCC) 8.1.0
kernel signature: f6e41e826bd833da7d7617bec67b5535cccef3471a77982b39058faeb02e3757
all runs: crashed: KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user
# git bisect good cf265c64c91957fd0f1b86b7427028d823966d74
0a7b397c013322fec975f30012302f694efba2da is the first bad commit
commit 0a7b397c013322fec975f30012302f694efba2da
Author: Xin Long
Date:   Sun Feb 9 21:16:38 2020 +0800

    xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire

    commit a1a7e3a36e01ca6e67014f8cf673cb8e47be5550 upstream.

    Without doing verify_sec_ctx_len() check in xfrm_add_acquire(), it may
    be out-of-bounds to access uctx->ctx_str with uctx->ctx_len, as noticed
    by syz:

      BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x237/0x430
      Read of size 768 at addr ffff8880123be9b4 by task syz-executor.1/11650

      Call Trace:
       dump_stack+0xe8/0x16e
       print_address_description.cold.3+0x9/0x23b
       kasan_report.cold.4+0x64/0x95
       memcpy+0x1f/0x50
       selinux_xfrm_alloc_user+0x237/0x430
       security_xfrm_policy_alloc+0x5c/0xb0
       xfrm_policy_construct+0x2b1/0x650
       xfrm_add_acquire+0x21d/0xa10
       xfrm_user_rcv_msg+0x431/0x6f0
       netlink_rcv_skb+0x15a/0x410
       xfrm_netlink_rcv+0x6d/0x90
       netlink_unicast+0x50e/0x6a0
       netlink_sendmsg+0x8ae/0xd40
       sock_sendmsg+0x133/0x170
       ___sys_sendmsg+0x834/0x9a0
       __sys_sendmsg+0x100/0x1e0
       do_syscall_64+0xe5/0x660
       entry_SYSCALL_64_after_hwframe+0x6a/0xdf

    So fix it by adding the missing verify_sec_ctx_len check there.

    Fixes: 980ebd25794f ("[IPSEC]: Sync series - acquire insert")
    Reported-by: Hangbin Liu
    Signed-off-by: Xin Long
    Signed-off-by: Steffen Klassert
    Signed-off-by: Greg Kroah-Hartman

 net/xfrm/xfrm_user.c | 3 +++
 1 file changed, 3 insertions(+)

culprit signature: 9b930996f193cede556af3e5806cf37d33cda1f8b48fb6eac7f5b002af77f948
parent signature: f6e41e826bd833da7d7617bec67b5535cccef3471a77982b39058faeb02e3757
revisions tested: 11, total time: 2h49m41.238895898s (build: 1h40m21.526792034s, test: 1h8m8.239210332s)
first good commit: 0a7b397c013322fec975f30012302f694efba2da xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
cc: ["gregkh@linuxfoundation.org" "lucien.xin@gmail.com" "steffen.klassert@secunet.com"]
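The bug the bisection lands on is a classic trust-the-header length problem: the XFRMA_SEC_CTX netlink attribute carries a struct xfrm_user_sec_ctx whose ctx_len field is supplied by the (unprivileged, netns-local) sender, and selinux_xfrm_alloc_user() copies ctx_len bytes out of the attribute without anyone having checked that those bytes were actually delivered. The fixing commit makes xfrm_add_acquire() run verify_sec_ctx_len(), which the other xfrm_user entry points already did. The block below is an added user-space model written for this page, not kernel code and not part of the syzbot report: struct sec_ctx_hdr mirrors the uapi layout of struct xfrm_user_sec_ctx, the constant values (XFRMA_SEC_CTX = 8, XFRM_SC_ALG_SELINUX = 1, XFRM_SC_DOI_LSM = 1) are taken from include/uapi/linux/xfrm.h, the SELinux context string is a constructed sample, and every function name is this example's own. It reproduces the check the commit adds and computes how far past the attribute the unchecked memcpy would read, using the report's 768-byte figure as the hostile case.

```c
/*
 * Added example: user-space model of the XFRMA_SEC_CTX length check that the
 * bisected commit adds to xfrm_add_acquire(). Not kernel code. The header
 * layout mirrors struct xfrm_user_sec_ctx from include/uapi/linux/xfrm.h;
 * the function names and the sample context string are this example's own.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sec_ctx_hdr {
    uint16_t len;      /* header + ctx_len, as filled in by the sender      */
    uint16_t exttype;  /* XFRMA_SEC_CTX (8)                                  */
    uint8_t  ctx_alg;  /* XFRM_SC_ALG_SELINUX (1)                            */
    uint8_t  ctx_doi;  /* XFRM_SC_DOI_LSM (1)                                */
    uint16_t ctx_len;  /* bytes of context string the sender claims follow  */
};

/*
 * Model of the kernel's verify_sec_ctx_len(): attr points at the attribute
 * payload, nla_len is the payload length netlink actually delivered. The
 * sender's len must fit inside the delivered bytes and must agree with
 * ctx_len, otherwise the request is rejected before any copy happens.
 */
int verify_sec_ctx_len(const uint8_t *attr, size_t nla_len)
{
    struct sec_ctx_hdr h;

    /* In the kernel the nla_policy minimum length guarantees this part. */
    if (nla_len < sizeof h)
        return -EINVAL;
    memcpy(&h, attr, sizeof h);
    if ((size_t)h.len > nla_len || (size_t)h.len != sizeof h + h.ctx_len)
        return -EINVAL;
    return 0;
}

/*
 * Bytes that memcpy(ctx->ctx_str, &uctx[1], ctx_len) in
 * selinux_xfrm_alloc_user() would read past the end of the attribute if the
 * check above is skipped; 0 when the copy stays inside the delivered bytes.
 */
size_t unchecked_copy_overrun(const uint8_t *attr, size_t nla_len)
{
    struct sec_ctx_hdr h;
    size_t end;

    if (nla_len < sizeof h)
        return sizeof h - nla_len;          /* even the header read overruns */
    memcpy(&h, attr, sizeof h);
    end = sizeof h + h.ctx_len;
    return end > nla_len ? end - nla_len : 0;
}

/*
 * Constructed attribute: str is the context string actually shipped,
 * claimed_ctx_len is what the header says (equal for an honest sender,
 * larger for the syzkaller-style input). Returns the length netlink would
 * report as nla_len(), or 0 if buf is too small.
 */
size_t build_sec_ctx(uint8_t *buf, size_t bufsz, const char *str,
                     uint16_t claimed_ctx_len)
{
    struct sec_ctx_hdr h = { 0 };
    size_t slen = strlen(str);

    if (sizeof h + slen > bufsz)
        return 0;
    h.len     = (uint16_t)(sizeof h + claimed_ctx_len);
    h.exttype = 8;                          /* XFRMA_SEC_CTX       */
    h.ctx_alg = 1;                          /* XFRM_SC_ALG_SELINUX */
    h.ctx_doi = 1;                          /* XFRM_SC_DOI_LSM     */
    h.ctx_len = claimed_ctx_len;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, str, slen);
    return sizeof h + slen;
}

/* Wrappers that build one attribute and run each function on it. */
int verify_case(const char *str, uint16_t claimed_ctx_len)
{
    uint8_t buf[256];
    size_t n = build_sec_ctx(buf, sizeof buf, str, claimed_ctx_len);
    return verify_sec_ctx_len(buf, n);
}

size_t overrun_case(const char *str, uint16_t claimed_ctx_len)
{
    uint8_t buf[256];
    size_t n = build_sec_ctx(buf, sizeof buf, str, claimed_ctx_len);
    return unchecked_copy_overrun(buf, n);
}

int main(void)
{
    /* Constructed sample context, 32 bytes long. */
    const char *ctx = "system_u:object_r:ipsec_spd_t:s0";

    printf("honest  ctx_len=32 : verify=%d overrun=%zu\n",
           verify_case(ctx, 32), overrun_case(ctx, 32));
    /* The report's "Read of size 768": header claims 768, only 32 shipped. */
    printf("hostile ctx_len=768: verify=%d overrun=%zu\n",
           verify_case(ctx, 768), overrun_case(ctx, 768));
    return 0;
}
```

The two numbers printed for the hostile case are the whole story of the report: the check returns -EINVAL, and without it the copy reads 736 bytes beyond the 40 delivered, which is exactly the kind of read KASAN flagged in selinux_xfrm_alloc_user. The hardening pattern is the general one for any netlink or TLV parser: validate a nested length against the outer, kernel-computed length before it is used as a copy size, and do it on every entry point that consumes the attribute, not just most of them.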