syzkaller: divide error in `__tcp_select_window` #414

cpaasch · 2023-06-13T17:58:39Z

syzkaller-id: e4d528e2abf5f9ab3d895e5021c40a119902b080

HEAD: 74a1b71

Trace:

divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 2 PID: 26507 Comm: syz-executor.1 Not tainted 6.4.0-rc4-g74a1b717b26e #22
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:__tcp_select_window+0x811/0xf10 net/ipv4/tcp_output.c:3018
Code: 00 b8 ff ff ff ff 89 d9 d3 e0 89 c3 f7 d3 03 9c 24 80 00 00 00 21 c3 eb 17 e8 8b 0b ce fd 31 db eb 0e e8 82 0b ce fd 89 d8 99 <f7> 7c 24 14 29 d3 48 c7 44 24 60 0e 36 e0 45 48 b8 00 00 00 00 00
RSP: 0018:ffffc9000f247480 EFLAGS: 00010293
RAX: 000000000000ffcb RBX: 000000000000ffcb RCX: ffff8880269745c0
RDX: 0000000000000000 RSI: 000000000000ffcb RDI: 0000000000010000
RBP: ffffc9000f247578 R08: ffffffff837401f4 R09: ffffed1004d38a6f
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88801cec0500
R13: 1ffff110039d80a0 R14: 0000000000010000 R15: 000000000000ffcb
FS:  00007f3580364700(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000204fe000 CR3: 00000000396ef002 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 __tcp_cleanup_rbuf+0x235/0x430 net/ipv4/tcp.c:1489
 mptcp_recvmsg+0x1e5e/0x2260 net/mptcp/protocol.c:2040
 inet_recvmsg+0x2c9/0x570 net/ipv4/af_inet.c:863
 ____sys_recvmsg+0x499/0x5b0 net/socket.c:1019
 ___sys_recvmsg+0x4fa/0x6a0 net/socket.c:2766
 do_recvmmsg+0x32b/0x820 net/socket.c:2860
 __do_sys_recvmmsg net/socket.c:2939 [inline]
 __se_sys_recvmmsg net/socket.c:2955 [inline]
 __x64_sys_recvmmsg+0x183/0x230 net/socket.c:2955
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x45/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x45c359
Code: fc ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb 3d fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f3580363c18 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 000000000079c050 RCX: 000000000045c359
RDX: 0000000000000001 RSI: 0000000020000140 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000f00 R11: 0000000000000246 R12: 000000000079c05c
R13: 0000000000021000 R14: 000000000079c050 R15: 00007f3580364700
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__tcp_select_window+0x811/0xf10 net/ipv4/tcp_output.c:3018
Code: 00 b8 ff ff ff ff 89 d9 d3 e0 89 c3 f7 d3 03 9c 24 80 00 00 00 21 c3 eb 17 e8 8b 0b ce fd 31 db eb 0e e8 82 0b ce fd 89 d8 99 <f7> 7c 24 14 29 d3 48 c7 44 24 60 0e 36 e0 45 48 b8 00 00 00 00 00
RSP: 0018:ffffc9000f247480 EFLAGS: 00010293
RAX: 000000000000ffcb RBX: 000000000000ffcb RCX: ffff8880269745c0
RDX: 0000000000000000 RSI: 000000000000ffcb RDI: 0000000000010000
RBP: ffffc9000f247578 R08: ffffffff837401f4 R09: ffffed1004d38a6f
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88801cec0500
R13: 1ffff110039d80a0 R14: 0000000000010000 R15: 000000000000ffcb
FS:  00007f3580364700(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000204fe000 CR3: 00000000396ef002 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
   0:	00 b8 ff ff ff ff    	add    %bh,-0x1(%rax)
   6:	89 d9                	mov    %ebx,%ecx
   8:	d3 e0                	shl    %cl,%eax
   a:	89 c3                	mov    %eax,%ebx
   c:	f7 d3                	not    %ebx
   e:	03 9c 24 80 00 00 00 	add    0x80(%rsp),%ebx
  15:	21 c3                	and    %eax,%ebx
  17:	eb 17                	jmp    0x30
  19:	e8 8b 0b ce fd       	callq  0xfdce0ba9
  1e:	31 db                	xor    %ebx,%ebx
  20:	eb 0e                	jmp    0x30
  22:	e8 82 0b ce fd       	callq  0xfdce0ba9
  27:	89 d8                	mov    %ebx,%eax
  29:	99                   	cltd
* 2a:	f7 7c 24 14          	idivl  0x14(%rsp) <-- trapping instruction
  2e:	29 d3                	sub    %edx,%ebx
  30:	48 c7 44 24 60 0e 36 	movq   $0x45e0360e,0x60(%rsp)
  37:	e0 45
  39:	48                   	rex.W
  3a:	b8 00 00 00 00       	mov    $0x0,%eax

Kconfig:
Kconfig_k9_kasan.txt

No reproducers.

The text was updated successfully, but these errors were encountered:

matttbe · 2023-06-15T15:37:42Z

@cpaasch thank you for the bug report!

@pabeni: could it be linked to #404?
I was looking at sending 613adcd ("mptcp: fix possible divide by zero in recvmsg()") to netdev but probably "safer" to hold that for the moment, no?

Since the blamed commit, closing the first subflow resets the first subflow socket state to SS_UNCONNECTED. The current mptcp listen implementation relies only on such state to prevent touching not-fully-disconnected sockets. Incoming mptcp fastclose (or paired endpoint removal) unconditionally closes the first subflow. All the above allows an incoming fastclose followed by a listen() call to successfully race with a blocking recvmsg(), potentially causing the latter to hit a divide by zero bug in cleanup_rbuf/__tcp_select_window(). Address the issue explicitly checking the msk socket state in mptcp_listen(). An alternative solution would be moving the first subflow socket state update into mptcp_disconnect(), but in the long term the first subflow socket should be removed: better avoid relaying on it for internal consistency check. Fixes: b29fcfb ("mptcp: full disconnect implementation") Reported-by: Christoph Paasch <cpaasch@apple.com> Closes: #414 Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>

Since the blamed commit, closing the first subflow resets the first subflow socket state to SS_UNCONNECTED. The current mptcp listen implementation relies only on such state to prevent touching not-fully-disconnected sockets. Incoming mptcp fastclose (or paired endpoint removal) unconditionally closes the first subflow. All the above allows an incoming fastclose followed by a listen() call to successfully race with a blocking recvmsg(), potentially causing the latter to hit a divide by zero bug in cleanup_rbuf/__tcp_select_window(). Address the issue explicitly checking the msk socket state in mptcp_listen(). An alternative solution would be moving the first subflow socket state update into mptcp_disconnect(), but in the long term the first subflow socket should be removed: better avoid relaying on it for internal consistency check. Fixes: b29fcfb ("mptcp: full disconnect implementation") Cc: stable@vger.kernel.org Reported-by: Christoph Paasch <cpaasch@apple.com> Closes: multipath-tcp/mptcp_net-next#414 Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net> Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net> Signed-off-by: David S. Miller <davem@davemloft.net>

commit 0226436 upstream. Since the blamed commit, closing the first subflow resets the first subflow socket state to SS_UNCONNECTED. The current mptcp listen implementation relies only on such state to prevent touching not-fully-disconnected sockets. Incoming mptcp fastclose (or paired endpoint removal) unconditionally closes the first subflow. All the above allows an incoming fastclose followed by a listen() call to successfully race with a blocking recvmsg(), potentially causing the latter to hit a divide by zero bug in cleanup_rbuf/__tcp_select_window(). Address the issue explicitly checking the msk socket state in mptcp_listen(). An alternative solution would be moving the first subflow socket state update into mptcp_disconnect(), but in the long term the first subflow socket should be removed: better avoid relaying on it for internal consistency check. Fixes: b29fcfb ("mptcp: full disconnect implementation") Cc: stable@vger.kernel.org Reported-by: Christoph Paasch <cpaasch@apple.com> Closes: multipath-tcp/mptcp_net-next#414 Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net> Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 0226436 ] Since the blamed commit, closing the first subflow resets the first subflow socket state to SS_UNCONNECTED. The current mptcp listen implementation relies only on such state to prevent touching not-fully-disconnected sockets. Incoming mptcp fastclose (or paired endpoint removal) unconditionally closes the first subflow. All the above allows an incoming fastclose followed by a listen() call to successfully race with a blocking recvmsg(), potentially causing the latter to hit a divide by zero bug in cleanup_rbuf/__tcp_select_window(). Address the issue explicitly checking the msk socket state in mptcp_listen(). An alternative solution would be moving the first subflow socket state update into mptcp_disconnect(), but in the long term the first subflow socket should be removed: better avoid relaying on it for internal consistency check. Fixes: b29fcfb ("mptcp: full disconnect implementation") Cc: stable@vger.kernel.org Reported-by: Christoph Paasch <cpaasch@apple.com> Closes: multipath-tcp/mptcp_net-next#414 Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net> Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>

BugLink: https://bugs.launchpad.net/bugs/2036075 commit 0226436acf2495cde4b93e7400e5a87305c26054 upstream. Since the blamed commit, closing the first subflow resets the first subflow socket state to SS_UNCONNECTED. The current mptcp listen implementation relies only on such state to prevent touching not-fully-disconnected sockets. Incoming mptcp fastclose (or paired endpoint removal) unconditionally closes the first subflow. All the above allows an incoming fastclose followed by a listen() call to successfully race with a blocking recvmsg(), potentially causing the latter to hit a divide by zero bug in cleanup_rbuf/__tcp_select_window(). Address the issue explicitly checking the msk socket state in mptcp_listen(). An alternative solution would be moving the first subflow socket state update into mptcp_disconnect(), but in the long term the first subflow socket should be removed: better avoid relaying on it for internal consistency check. Fixes: b29fcfb ("mptcp: full disconnect implementation") Cc: stable@vger.kernel.org Reported-by: Christoph Paasch <cpaasch@apple.com> Closes: multipath-tcp/mptcp_net-next#414 Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net> Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/2036075 commit 0226436 upstream. Since the blamed commit, closing the first subflow resets the first subflow socket state to SS_UNCONNECTED. The current mptcp listen implementation relies only on such state to prevent touching not-fully-disconnected sockets. Incoming mptcp fastclose (or paired endpoint removal) unconditionally closes the first subflow. All the above allows an incoming fastclose followed by a listen() call to successfully race with a blocking recvmsg(), potentially causing the latter to hit a divide by zero bug in cleanup_rbuf/__tcp_select_window(). Address the issue explicitly checking the msk socket state in mptcp_listen(). An alternative solution would be moving the first subflow socket state update into mptcp_disconnect(), but in the long term the first subflow socket should be removed: better avoid relaying on it for internal consistency check. Fixes: b29fcfb ("mptcp: full disconnect implementation") Cc: stable@vger.kernel.org Reported-by: Christoph Paasch <cpaasch@apple.com> Closes: multipath-tcp/mptcp_net-next#414 Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net> Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

matttbe added bug syzkaller labels Jun 14, 2023

matttbe closed this as completed in e249287 Jun 29, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

syzkaller: divide error in `__tcp_select_window` #414

syzkaller: divide error in `__tcp_select_window` #414

cpaasch commented Jun 13, 2023

matttbe commented Jun 15, 2023

syzkaller: divide error in __tcp_select_window #414

syzkaller: divide error in __tcp_select_window #414

Comments

cpaasch commented Jun 13, 2023

matttbe commented Jun 15, 2023

syzkaller: divide error in `__tcp_select_window` #414

syzkaller: divide error in `__tcp_select_window` #414