Re: [syzbot] general protection fault in sctp_rcv
From: Dan Carpenter <hidden>
Date: 2021-09-23 09:35:45
Also in:
linux-sctp, lkml
On Wed, Sep 22, 2021 at 05:18:29PM +0800, Xin Long wrote:
quoted hunk ↗ jump to hunk
On Tue, Sep 21, 2021 at 12:09 PM syzbot [off-list ref] wrote:quoted
Hello, syzbot found the following issue on: HEAD commit: 98dc68f8b0c2 selftests: nci: replace unsigned int with int git tree: net console output: https://syzkaller.appspot.com/x/log.txt?x=11fd443d300000 kernel config: https://syzkaller.appspot.com/x/.config?x=c31c0936547df9ea dashboard link: https://syzkaller.appspot.com/bug?extid=581aff2ae6b860625116 compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 Unfortunately, I don't have any reproducer for this issue yet. IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 11205 Comm: kworker/0:12 Not tainted 5.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]by anyway, checking if skb_header_pointer() return NULL is always needed:@@ -702,7 +702,7 @@ static int sctp_rcv_ootb(struct sk_buff *skb) ch = skb_header_pointer(skb, offset, sizeof(*ch), &_ch); /* Break out if chunk length is less then minimal. */ - if (ntohs(ch->length) < sizeof(_ch)) + if (!ch || ntohs(ch->length) < sizeof(_ch)) break;
The skb_header_pointer() function is annotated as __must_check but that only means you have to use the return value. These things would be better as a Coccinelle or Smatch check. I will create a Smatch warning for this. regards, dan carpenter