From: Dmitry Vyukov <dvyukov@google.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>, Kees Cook <keescook@google.com>
Cc: Netdev <netdev@vger.kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
WireGuard mailing list <wireguard@lists.zx2c4.com>,
Eric Dumazet <edumazet@google.com>
Subject: Re: UBSAN: object-size-mismatch in wg_xmit
Date: Mon, 21 Dec 2020 10:14:36 +0100 [thread overview]
Message-ID: <CACT4Y+ac8oFk1Sink0a6VLUiCENTOXgzqmkuHgQLcS2HhJeq=g@mail.gmail.com> (raw)
In-Reply-To: <CAHmME9qwbB7kbD=1sg_81=82vO07XMV7GyqBcCoC=zwM-v47HQ@mail.gmail.com>
On Sun, Dec 20, 2020 at 10:11 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> Hmm, on first glance, I'm not sure I'm seeing the bug:
>
> On Sun, Dec 20, 2020 at 5:54 PM syzbot
> <syzbot+8f90d005ab2d22342b6d@syzkaller.appspotmail.com> wrote:
> > UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2021:28
> > member access within address 0000000085889cc2 with insufficient space
> > for an object of type 'struct sk_buff'
> > __skb_queue_before include/linux/skbuff.h:2021 [inline]
> > __skb_queue_tail include/linux/skbuff.h:2054 [inline]
> > wg_xmit+0x45d/0xdf0 drivers/net/wireguard/device.c:182
>
> The code in question is:
>
> struct sk_buff_head packets;
> __skb_queue_head_init(&packets);
> ...
> skb_list_walk_safe(skb, skb, next) {
> skb_mark_not_on_list(skb);
>
> skb = skb_share_check(skb, GFP_ATOMIC);
> if (unlikely(!skb))
> continue;
> ...
> __skb_queue_tail(&packets, skb);
> }
>
> We're in a netdev's xmit function, so nothing else should have skb at
> that point. Given the warning is about "member access", I assume it's
> the next->prev dereference here:
>
> static inline void __skb_queue_before(struct sk_buff_head *list,
> struct sk_buff *next,
> struct sk_buff *newsk)
> {
> __skb_insert(newsk, next->prev, next, list);
> }
>
> So where is "next" coming from that UBSAN would complain about
> object-size-mismatch?
>
> static inline void __skb_queue_tail(struct sk_buff_head *list,
> struct sk_buff *newsk)
> {
> __skb_queue_before(list, (struct sk_buff *)list, newsk);
> }
>
> It comes from casting "list" into an sk_buff. While this might be some
> CFI-violating polymorphism, I can't see why this cast would actually
> be a problem in practice. The top of sk_buff is intentionally the same
> as sk_buff_head:
>
> struct sk_buff_head {
> struct sk_buff *next;
> struct sk_buff *prev;
> ...
> struct sk_buff {
> union {
> struct {
> struct sk_buff *next;
> struct sk_buff *prev;
> ...
>
> I'd suspect, "oh maybe it's just a clang 11 bug", but syzbot says it
> can't reproduce. So that makes me a little more nervous.
>
> Does anybody see something I've missed?
+Kees for UBSAN report questions
Hi Jason,
Thanks for looking into this.
Reading clang docs for ubsan:
https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html
-fsanitize=object-size: An attempt to potentially use bytes which the
optimizer can determine are not part of the object being accessed.
This will also detect some types of undefined behavior that may not
directly access memory, but are provably incorrect given the size of
the objects involved, such as invalid downcasts and calling methods on
invalid pointers. These checks are made in terms of
__builtin_object_size, and consequently may be able to detect more
problems at higher optimization levels.
From skimming though your description this seems to fall into
"provably incorrect given the size of the objects involved".
I guess it's one of these cases which trigger undefined behavior and
compiler can e.g. remove all of this code assuming it will be never
called at runtime and any branches leading to it will always branch in
other directions, or something.
next prev parent reply other threads:[~2020-12-21 9:14 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-20 16:54 syzbot
2020-12-20 21:11 ` Jason A. Donenfeld
2020-12-21 9:14 ` Dmitry Vyukov [this message]
2020-12-21 11:23 ` Jason A. Donenfeld
2021-01-07 12:22 ` Dmitry Vyukov
2021-01-07 19:00 ` Jason A. Donenfeld
2021-01-07 19:06 ` Jeffrey Walton
2021-01-08 0:34 ` Corey Costello
2021-01-08 0:42 ` Eric Light
2021-01-08 0:44 ` Corey Costello
2021-01-08 0:50 ` Eric Light
2021-01-08 1:02 ` Phillip McMahon
2021-01-08 9:33 ` Dmitry Vyukov
2021-01-08 20:54 ` Nathan Chancellor
2021-01-08 9:30 ` Dmitry Vyukov
[not found] ` <CAGXu5j+jzmkiU_AWoTVF6e263iYSSJYUHB=Kdqh-MCfEO-aNSg@mail.gmail.com>
2021-01-09 9:46 ` Dmitry Vyukov
2021-01-09 10:49 ` Matthias Urlichs
2021-01-11 17:17 ` Dmitry Vyukov
2021-01-11 17:35 ` Jeffrey Walton
2021-01-11 17:58 ` Dmitry Vyukov
2021-01-11 18:14 ` Jeffrey Walton
2021-01-12 9:54 ` Dmitry Vyukov
2021-01-07 12:53 ` Jeffrey Walton
2021-01-07 17:01 ` Julian Wiedmann
2021-01-07 18:58 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACT4Y+ac8oFk1Sink0a6VLUiCENTOXgzqmkuHgQLcS2HhJeq=g@mail.gmail.com' \
--to=dvyukov@google.com \
--cc=Jason@zx2c4.com \
--cc=edumazet@google.com \
--cc=keescook@google.com \
--cc=netdev@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).