bisecting fixing commit since b850307b279cbd12ab8c654d1a3dfe55319cc475
building syzkaller on 39acb39de241670ec7f96312c37e4e84f97f5f19
testing commit b850307b279cbd12ab8c654d1a3dfe55319cc475 with gcc (GCC) 8.1.0
kernel signature: 78b0217221d7c4641ab6adb9f112dd4e791e155f58d37b366b9ad86e565d5c96
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
testing current HEAD 2b79150141611d3c6e1b55d4e70f49602482f0b8
testing commit 2b79150141611d3c6e1b55d4e70f49602482f0b8 with gcc (GCC) 8.1.0
kernel signature: ab46f7ff9a225f38848e2e8f5c10dd1ad4f78810c1d46b70f15cede9421d77b8
all runs: OK
# git bisect start 2b79150141611d3c6e1b55d4e70f49602482f0b8 b850307b279cbd12ab8c654d1a3dfe55319cc475
Bisecting: 845 revisions left to test after this (roughly 10 steps)
[b10bafd333b75f9f85f99d2d96f5e33c50664679] ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support
testing commit b10bafd333b75f9f85f99d2d96f5e33c50664679 with gcc (GCC) 8.1.0
kernel signature: 701ac6e0dafb7cdf0caa05b8a9045252d598446a904da82c1f6a026af61563a5
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good b10bafd333b75f9f85f99d2d96f5e33c50664679
Bisecting: 422 revisions left to test after this (roughly 9 steps)
[e3147d4974cf7229cfc36835ba0bf4da6f216987] ALSA: hda/realtek - Couldn't detect Mic if booting with headset plugged
testing commit e3147d4974cf7229cfc36835ba0bf4da6f216987 with gcc (GCC) 8.1.0
kernel signature: 0d415416f22d219a1d2bfa16530aa98263c7d76d452826edc1ec891965d7e1e4
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good e3147d4974cf7229cfc36835ba0bf4da6f216987
Bisecting: 211 revisions left to test after this (roughly 8 steps)
[a21a9b514b8821af1230fb1a751600d847aeb1a2] Linux 4.14.201
testing commit a21a9b514b8821af1230fb1a751600d847aeb1a2 with gcc (GCC) 8.1.0
kernel signature: 48efe882ca19623c344006bb44e77aee6a7936a6f608f7ba6c5e33d4a158f2bc
all runs: OK
# git bisect bad a21a9b514b8821af1230fb1a751600d847aeb1a2
Bisecting: 105 revisions left to test after this (roughly 7 steps)
[6d9fdd1325a2409f43ce5670766deaad12d9dd97] mm/swap_state: fix a data race in swapin_nr_pages
testing commit 6d9fdd1325a2409f43ce5670766deaad12d9dd97 with gcc (GCC) 8.1.0
kernel signature: cf76588ed2722acb8e14830dc903396acb3e4d0c772b55c5a2c6d8e4f7d1a4e8
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good 6d9fdd1325a2409f43ce5670766deaad12d9dd97
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[276e703687944ed8a3610bc63e892017c75e9966] pinctrl: mvebu: Fix i2c sda definition for 98DX3236
testing commit 276e703687944ed8a3610bc63e892017c75e9966 with gcc (GCC) 8.1.0
kernel signature: 8435e561fa7fb087129af6535659904f4a37e540836f24e438c30183d8cf1849
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good 276e703687944ed8a3610bc63e892017c75e9966
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[736214625ae7640ce970b8da7a5c675fdc4a1999] ftrace: Move RCU is watching check after recursion check
testing commit 736214625ae7640ce970b8da7a5c675fdc4a1999 with gcc (GCC) 8.1.0
kernel signature: 9db3e73c1784e0d9373bd3016f6bff468a9503cbdd49c254674081a78fa1940f
all runs: OK
# git bisect bad 736214625ae7640ce970b8da7a5c675fdc4a1999
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[328ec6286a78a71500b74255448e8f3c83d2b2c4] drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak
testing commit 328ec6286a78a71500b74255448e8f3c83d2b2c4 with gcc (GCC) 8.1.0
kernel signature: fc3582c0ad9021277c9d694c39ea894b11169054aa45c489cd0bd29fcb98c51a
all runs: OK
# git bisect bad 328ec6286a78a71500b74255448e8f3c83d2b2c4
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[02555f63dab2d5d30be4402c791dce009a1a7291] random32: Restore __latent_entropy attribute on net_rand_state
testing commit 02555f63dab2d5d30be4402c791dce009a1a7291 with gcc (GCC) 8.1.0
kernel signature: 5d5ab256d6d824b9d07381a49c17e04b550faacd97dd6271eb3c79ebe363020f
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good 02555f63dab2d5d30be4402c791dce009a1a7291
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[4aefd05cfdb3c2b0634250180a91001315ec4c06] epoll: replace ->visited/visited_list with generation count
testing commit 4aefd05cfdb3c2b0634250180a91001315ec4c06 with gcc (GCC) 8.1.0
kernel signature: b5c28a9b1e0d8aadf83eb9dd03ed0238c27d37d8b219cba21c292f1424e84f7f
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good 4aefd05cfdb3c2b0634250180a91001315ec4c06
Bisecting: 1 revision left to test after this (roughly 1 step)
[a3915080e95da5257c541bbc39fa4007076d8fa3] ep_create_wakeup_source(): dentry name can change under you...
testing commit a3915080e95da5257c541bbc39fa4007076d8fa3 with gcc (GCC) 8.1.0
kernel signature: 84b88e76c88c95e6853123768f39f4d4609f997e01c2107c233f5f67648cf351
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good a3915080e95da5257c541bbc39fa4007076d8fa3
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[60634d81cb43b19817b79a8a1d38e25e907e5ea1] netfilter: ctnetlink: add a range check for l3/l4 protonum
testing commit 60634d81cb43b19817b79a8a1d38e25e907e5ea1 with gcc (GCC) 8.1.0
kernel signature: fd9b59d76b5afc2ca5b9ba0553fbf56d585cfc7010ea15297a0cb88c0b79eefc
all runs: OK
# git bisect bad 60634d81cb43b19817b79a8a1d38e25e907e5ea1
60634d81cb43b19817b79a8a1d38e25e907e5ea1 is the first bad commit
commit 60634d81cb43b19817b79a8a1d38e25e907e5ea1
Author: Will McVicker
Date:   Mon Aug 24 19:38:32 2020 +0000

    netfilter: ctnetlink: add a range check for l3/l4 protonum

    commit 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 upstream.

    The indexes to the nf_nat_l[34]protos arrays come from userspace. So
    check the tuple's family, e.g. l3num, when creating the conntrack in
    order to prevent an OOB memory access during setup.

    Here is an example kernel panic on 4.14.180 when userspace passes in
    an index greater than NFPROTO_NUMPROTO.

    Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
    Modules linked in:...
    Process poc (pid: 5614, stack limit = 0x00000000a3933121)
    CPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483
    Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM
    task: 000000002a3dfffe task.stack: 00000000a3933121
    pc : __cfi_check_fail+0x1c/0x24
    lr : __cfi_check_fail+0x1c/0x24
    ...
    Call trace:
    __cfi_check_fail+0x1c/0x24
    name_to_dev_t+0x0/0x468
    nfnetlink_parse_nat_setup+0x234/0x258
    ctnetlink_parse_nat_setup+0x4c/0x228
    ctnetlink_new_conntrack+0x590/0xc40
    nfnetlink_rcv_msg+0x31c/0x4d4
    netlink_rcv_skb+0x100/0x184
    nfnetlink_rcv+0xf4/0x180
    netlink_unicast+0x360/0x770
    netlink_sendmsg+0x5a0/0x6a4
    ___sys_sendmsg+0x314/0x46c
    SyS_sendmsg+0xb4/0x108
    el0_svc_naked+0x34/0x38

    This crash is not happening since 5.4+, however, ctnetlink still allows
    for creating entries with unsupported layer 3 protocol number.

    Fixes: c1d10adb4a521 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
    Signed-off-by: Will McVicker
    [pablo@netfilter.org: rebased original patch on top of nf.git]
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Greg Kroah-Hartman

 net/netfilter/nf_conntrack_netlink.c | 2 ++
 1 file changed, 2 insertions(+)

culprit signature: fd9b59d76b5afc2ca5b9ba0553fbf56d585cfc7010ea15297a0cb88c0b79eefc
parent signature: 84b88e76c88c95e6853123768f39f4d4609f997e01c2107c233f5f67648cf351
revisions tested: 13, total time: 3h0m57.84475963s (build: 1h47m53.417284572s, test: 1h11m44.861238659s)
first good commit: 60634d81cb43b19817b79a8a1d38e25e907e5ea1 netfilter: ctnetlink: add a range check for l3/l4 protonum
recipients (to): ["gregkh@linuxfoundation.org" "pablo@netfilter.org" "willmcvicker@google.com"]
recipients (cc): []