The bug fixed in:
Date: Thu Mar 29 19:05:30 2018 +0900
vlan: Fix vlan insertion for packets without ethernet header
caused problems for syzbot.
The bug led to underflow in memmove (a-la memmove(p, y, -2)) which was detected as a page fault in memmove, but also caused a splash of assorted crashes all over the place. While memmove was busy squashing all machine memory, we got crashes in (1) interrupts handled during memmove and (2) on other CPUs.
It's a shame that KASAN did not catch it earlier.
The following test is indeed not caught by KASAN:
volatile char* volatile p = kmalloc(64, GFP_KERNEL);
memset((char*)p, 0, 64);
memmove((char*)p, (char*)p + 4, -2);  /* -2 becomes SIZE_MAX - 1 when converted to size_t */
Presumably checks here:
void *memmove(void *dest, const void *src, size_t len)
{
	check_memory_region((unsigned long)src, len, false, _RET_IP_);
	check_memory_region((unsigned long)dest, len, true, _RET_IP_);
	return __memmove(dest, src, len);
}
got shadow start == end and did not actually check anything.
Probably need an explicit overflow check and examine other KASAN interceptors.
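The following is an added user-space model, not kernel code, of how check_memory_region() turns (addr, len) into a shadow range and why len = (size_t)-2 produces shadow start == end so that nothing is examined. It assumes the x86_64 scale of 8 bytes per shadow byte, omits the shadow offset (it cancels out of the start/end comparison), uses a small constructed memory, and adds the explicit overflow check (addr + size < addr) as the hardened variant; the names setup_object, shadow_range, check_region_naive and check_region_hardened are my own.

```c
/* Added example, not the kernel's code: a user-space model of how KASAN's
 * check_memory_region() turns (addr, len) into a shadow byte range, why
 * len = (size_t)-2 collapses that range to nothing, and the explicit
 * overflow check that restores detection.  Addresses are indices into a
 * small constructed memory; the 8-bytes-per-shadow-byte scale matches
 * x86_64 KASAN, and the shadow offset is omitted because it cancels out. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHADOW_SCALE_SHIFT 3
#define MEM_SIZE 256                          /* constructed simulated memory */
#define SHADOW_SIZE (MEM_SIZE >> SHADOW_SCALE_SHIFT)

/* One shadow byte per 8-byte granule: 0 = accessible, non-zero = poisoned.
 * (Real KASAN also encodes partially accessible granules; not needed here.) */
static unsigned char shadow[SHADOW_SIZE];

static size_t mem_to_shadow(uintptr_t addr)
{
	return (size_t)(addr >> SHADOW_SCALE_SHIFT);
}

/* Simulate kmalloc(len): unpoison [obj, obj + len), poison everything else. */
static void setup_object(uintptr_t obj, size_t len)
{
	memset(shadow, 0xFF, sizeof(shadow));
	for (uintptr_t a = obj; a < obj + len; a += 8)
		shadow[mem_to_shadow(a)] = 0;
}

/* Shadow range [start, end) for the access [addr, addr + size), computed the
 * way KASAN derives it: end comes from the LAST byte of the access.  When
 * size wraps, addr + size - 1 lands BELOW addr and end folds back onto start. */
static void shadow_range(uintptr_t addr, size_t size, size_t *start, size_t *end)
{
	*start = mem_to_shadow(addr);
	*end = mem_to_shadow(addr + (uintptr_t)size - 1) + 1;
}

/* Original behaviour: walk the shadow range; true means "access looks fine". */
static bool check_region_naive(uintptr_t addr, size_t size)
{
	size_t start, end;

	if (size == 0)
		return true;
	shadow_range(addr, size, &start, &end);
	for (size_t s = start; s < end && s < SHADOW_SIZE; s++)
		if (shadow[s])
			return false;        /* poisoned granule: report */
	return true;                  /* start == end: nothing was examined */
}

/* Hardened variant: refuse any access whose length wraps the address space,
 * which is exactly what a negative len passed as size_t does.  This is the
 * explicit overflow check the report asks for, written here as an assumption
 * rather than copied from the kernel. */
static bool check_region_hardened(uintptr_t addr, size_t size)
{
	if (size == 0)
		return true;
	if (addr + (uintptr_t)size < addr)
		return false;             /* negative size: report immediately */
	return check_region_naive(addr, size);
}

int main(void)
{
	const uintptr_t p = 64;       /* stands in for the 64-byte kmalloc() result */
	size_t start, end;

	setup_object(p, 64);

	/* memmove(p, p + 4, -2): KASAN checks src then dest, as in the report. */
	shadow_range(p, (size_t)-2, &start, &end);
	printf("dest shadow range: start=%zu end=%zu (%s)\n", start, end,
	       start == end ? "empty, nothing checked" : "non-empty");
	printf("naive    src ok=%d dest ok=%d\n",
	       check_region_naive(p + 4, (size_t)-2), check_region_naive(p, (size_t)-2));
	printf("hardened src ok=%d dest ok=%d\n",
	       check_region_hardened(p + 4, (size_t)-2), check_region_hardened(p, (size_t)-2));
	printf("hardened in-bounds 64 ok=%d, one past end ok=%d\n",
	       check_region_hardened(p, 64), check_region_hardened(p, 65));
	return 0;
}
```

With p = 64 the dest range computes end = ((64 - 3) >> 3) + 1 = 8 and start = 64 >> 3 = 8, so the naive loop body never runs; the src range (p + 4) covers a single clean shadow byte and is missed as well. The wrap test in the hardened variant rejects both before any shadow byte is consulted, while ordinary in-bounds and one-past-the-end accesses still behave as before.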
It still has the issue in kernel 5.3-rc1. Maybe we should try to fix the missing underflow issue.
I'll first try to see why the shadow start is equal to the shadow end, then send a patch to fix it.