
syzcaller found an interesting Invariant crash
Closed, Public

Authored by rrs on May 13 2021, 10:58 AM.
Details

Summary

syzkaller came up with an interesting crash that has to do with sending
both a SYN and FIN together. It turns out there were actually two problems.

  1. Not splitting the flags the right way when you clone off a new rsm (SYN should go to the left edge and FIN should go to the right).
  2. A KASSERT that did not properly account for this case, i.e. no mbuf/no data.

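To make the two problems concrete, here is an added illustration (not FreeBSD's rack code; every name in it is hypothetical): a minimal send-map entry model whose split keeps SYN on the left edge and FIN on the right edge, beside a naive "must carry data" invariant that rejects a data-less SYN|FIN entry and a corrected invariant that accounts for it.

```c
/* Added illustration, not FreeBSD's rack code: a minimal model of a
 * send-map entry (rsm) split that keeps SYN on the left edge and FIN on
 * the right, plus an invariant check that tolerates a data-less SYN|FIN
 * entry. All names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#define FL_FIN 0x01
#define FL_SYN 0x02

struct rsm {
	uint32_t start;   /* first sequence number covered */
	uint32_t end;     /* one past the last sequence number covered */
	uint8_t  flags;   /* FL_SYN | FL_FIN */
	uint32_t datalen; /* payload bytes; SYN/FIN use seq space but carry none */
};

/* Sequence numbers consumed by control flags rather than by data. */
static uint32_t rsm_ctl_octets(const struct rsm *r)
{
	return ((r->flags & FL_SYN) ? 1 : 0) + ((r->flags & FL_FIN) ? 1 : 0);
}

/* Old-style check: every entry must carry payload; fails for SYN|FIN alone. */
bool rsm_invariant_naive(const struct rsm *r) { return r->datalen > 0; }

/* Corrected check: payload equals the span minus the control octets, so a
 * zero-payload entry is valid exactly when it is only SYN and/or FIN. */
bool rsm_invariant_ok(const struct rsm *r)
{
	uint32_t span = r->end - r->start;
	return span > 0 && r->datalen == span - rsm_ctl_octets(r);
}

/* Split *left at sequence number 'at'; the tail goes into *right. SYN sits
 * on the first sequence number so it stays left; FIN sits on the last so
 * it moves right. Payload counts are recomputed for both pieces. */
bool rsm_split(struct rsm *left, struct rsm *right, uint32_t at)
{
	if (at <= left->start || at >= left->end)
		return false;                     /* split point not strictly inside */
	right->start = at;
	right->end   = left->end;
	right->flags = left->flags & FL_FIN;
	left->end    = at;
	left->flags &= (uint8_t)~FL_FIN;
	left->datalen  = (left->end - left->start) - rsm_ctl_octets(left);
	right->datalen = (right->end - right->start) - rsm_ctl_octets(right);
	return true;
}
```
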
Test Plan

This packetdrill script will currently cause a crash without the patch. With the
patch everything works as it should.

// https://syzkaller.appspot.com/bug?id=d7af235bf0fc9316b790bafe2a868fa7d69dfdc9
 0.00 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0.00 setsockopt(3, IPPROTO_TCP, TCP_FUNCTION_BLK, {function_set_name="rack",
                                                    pcbcnt=0}, 36) = 0
+0.00 sendto(3, ..., 0, MSG_EOF, ..., ...) = 0
+0.00 setsockopt(3,IPPROTO_TCP,TCP_NOOPT, [1], 4) = 0
+0.00 shutdown(3, SHUT_WR) = 0
+0.00 close(3) = 0

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

rrs requested review of this revision. May 13 2021, 10:58 AM
rrs added a reviewer: tuexen.
tuexen retitled this revision from Skyzall found an interesting Invariant crash to syzcaller found an interesting Invariant crash.
tuexen edited the summary of this revision. (Show Details)
tuexen edited the test plan for this revision. (Show Details)
This revision is now accepted and ready to land. May 13 2021, 11:04 AM
This revision was automatically updated to reflect the committed changes.