Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (2)

From: Florian Westphal
Date: Thu Nov 02 2017 - 08:26:04 EST


Steffen Klassert <steffen.klassert@xxxxxxxxxxx> wrote:
> On Wed, Nov 01, 2017 at 11:06:08PM +0100, Florian Westphal wrote:
> > I also don't understand how address comparison is supposed to work in this case,
> > it seems that if saddr/daddr are v4 and template v6 we compare full ipv6 addresses
> > (how would that succeed...?) and, if saddr/daddr is v6 and template is v4 we just
> > compare the first 32bit of the ipv6 addresses...?
>
> When we do tunnel or beet mode, we pass saddr and daddr from the
> template to xfrm_state_find(), this should be ok. On transport
> mode, we pass the addresses from the flowi, assuming that the
> IP addresses (and address family) don't change during transformation.
> This assumption is wrong in the IPv4 mapped IPv6 case, packet
> is IPv4 and template is IPv6.

Right, sendto() uses ipv4 address on ipv6 socket.

> I'd propose to use the addresses from the template unconditionally,
> like the (untested) patch below does.
>
> Unfortunately the reproducer does not work with my config,
> sendto returns EAGAIN. Could anybody try this patch?

The reproducer no longer causes KASAN spew with your patch,
but I don't have a test case that actually creates/uses a tunnel.
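The family mismatch Florian describes above (IPv4 flow addresses checked against an IPv6 template, and vice versa) can be modelled in user space. The program below is an added illustration, not code from this thread or from the kernel: it mirrors the 16-byte xfrm_address_t union from include/uapi/linux/xfrm.h and a per-family compare of the same shape as the kernel's xfrm_addr_equal(), where the family the caller passes (not the family the address was actually built with) decides how many bytes are compared. The addresses (192.0.2.1, ::ffff:192.0.2.1, 2001:db8::1, 2001:db8::2) are constructed sample inputs. It shows the two outcomes Florian asks about: an IPv4 address compared "as IPv6" against its own mapped form never matches, and two different IPv6 addresses compared "as IPv4" match on their first 32 bits alone.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Model of the kernel's xfrm_address_t: a 16-byte union that holds either
 * an IPv4 address (a4) or an IPv6 address (a6/in6). */
typedef union {
	uint32_t        a4;
	uint32_t        a6[4];
	struct in6_addr in6;
} xfrm_address_t;

/* Same shape as xfrm_addr_equal(): the family argument, not the content of
 * the union, decides whether 4 or 16 bytes are compared. */
static int addr_equal(const xfrm_address_t *a, const xfrm_address_t *b,
		      unsigned short family)
{
	switch (family) {
	case AF_INET:
		return a->a4 == b->a4;                  /* first 32 bits only */
	case AF_INET6:
		return memcmp(a->a6, b->a6, 16) == 0;   /* all 128 bits */
	default:
		return 0;
	}
}

/* Helpers that fill the union from text; the unused tail is zeroed so the
 * 16-byte compare is well defined in this model. */
static xfrm_address_t make_v4(const char *dotted)
{
	xfrm_address_t x;

	memset(&x, 0, sizeof(x));
	inet_pton(AF_INET, dotted, &x.a4);
	return x;
}

static xfrm_address_t make_v6(const char *text)
{
	xfrm_address_t x;

	memset(&x, 0, sizeof(x));
	inet_pton(AF_INET6, text, &x.in6);
	return x;
}

/* Transport-mode case from the thread: the flow carries an IPv4 address
 * (sendto() with an IPv4 address on an IPv6 socket), the template is IPv6
 * and the compare runs with the template's family. Returns 1 on a match. */
int v4_flow_vs_v6_template(void)
{
	xfrm_address_t flow = make_v4("192.0.2.1");
	xfrm_address_t tmpl = make_v6("::ffff:192.0.2.1");

	return addr_equal(&flow, &tmpl, AF_INET6);
}

/* Opposite direction: IPv6 addresses compared as IPv4 look only at the
 * first 32 bits, so two distinct addresses in the same /32 "match". */
int v6_flow_vs_v4_template(void)
{
	xfrm_address_t flow = make_v6("2001:db8::1");
	xfrm_address_t tmpl = make_v6("2001:db8::2");

	return addr_equal(&flow, &tmpl, AF_INET);
}

/* Control: the same pair compared with the right family does not match. */
int v6_flow_vs_v6_template(void)
{
	xfrm_address_t flow = make_v6("2001:db8::1");
	xfrm_address_t tmpl = make_v6("2001:db8::2");

	return addr_equal(&flow, &tmpl, AF_INET6);
}

int main(void)
{
	printf("v4 flow vs v6 template (as v6): %d\n", v4_flow_vs_v6_template());
	printf("v6 flow vs v4 template (as v4): %d\n", v6_flow_vs_v4_template());
	printf("v6 flow vs v6 template (as v6): %d\n", v6_flow_vs_v6_template());
	return 0;
}
```

Build with `cc -Wall model.c -o model && ./model`. The zeroed 16-byte union keeps the model memory-safe; in the kernel the object behind the pointer may be only the 4 bytes of an IPv4 address, which is why choosing the compare length from a mismatching family is a problem rather than merely a wrong answer.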