integer divide fault in tcp_mss()

Michael Tuexen tuexen at freebsd.org
Thu May 20 21:41:20 UTC 2021


On 20. May 2021, at 23:04, Mark Johnston <markj at FreeBSD.org> wrote:
> 
> On Thu, May 20, 2021 at 10:58:01PM +0200, Michael Tuexen wrote:
>>> On 20. May 2021, at 22:31, Mark Johnston <markj at freebsd.org> wrote:
>>> 
>>> Hi,
>>> 
>>> My syzkaller instance managed to trigger an integer divide fault in
>>> tcp_mss().  I attached a reproducer with debugging info.
>>> 
>>> I'm not sure if it's a recent regression or not.  Interestingly, syzbot
>>> doesn't appear to have discovered this one.
>>> 
>>> #14 <signal handler called> 
>>> #15 0xffffffff80dee710 in tcp_mss (tp=tp at entry=0xfffffe00cb99e428, offer=offer at entry=-1) at /usr/home/markj/src/freebsd/sys/netinet/tcp_input.c:3903
>>> #16 0xffffffff80e0cc70 in tcp_usr_send (so=<optimized out>, flags=<optimized out>, m=0x0, nam=0xfffff800038c9dc0, control=<optimized out>, 
>>>   td=0xfffffe00cb995740) at /usr/home/markj/src/freebsd/sys/netinet/tcp_usrreq.c:1144
>>> #17 0xffffffff80cbe3f7 in sosend_generic (so=0xfffff8006806db10, addr=0xfffff800038c9dc0, uio=<optimized out>, top=0xfffff80004a18900, 
>>>   control=<optimized out>, flags=128, td=0xfffffe00cb995740) at /usr/home/markj/src/freebsd/sys/kern/uipc_socket.c:1759
>>> #18 0xffffffff80cbe706 in sosend (so=0x0, so at entry=0xfffff8006806db10, addr=0x10000, uio=0x0, uio at entry=0xfffffe0084f248a8, top=0xffff, top at entry=0x0, 
>>>   control=control at entry=0x0, flags=16, flags at entry=128, td=0xfffffe00cb995740) at /usr/home/markj/src/freebsd/sys/kern/uipc_socket.c:1809
>>> #19 0xffffffff80cc54ec in kern_sendit (td=<optimized out>, td at entry=0xfffffe00cb995740, s=3, mp=<optimized out>, mp at entry=0xfffffe0084f24980, flags=128, 
>>>   control=0x0, segflg=segflg at entry=UIO_USERSPACE) at /usr/home/markj/src/freebsd/sys/kern/uipc_syscalls.c:798
>>> #20 0xffffffff80cc588b in sendit (td=0xfffffe00cb995740, s=65536, mp=mp at entry=0xfffffe0084f24980, flags=65535)
>>>   at /usr/home/markj/src/freebsd/sys/kern/uipc_syscalls.c:723
>>> #21 0xffffffff80cc569d in sys_sendto (td=0x0, uap=<optimized out>) at /usr/home/markj/src/freebsd/sys/kern/uipc_syscalls.c:841
>>> #22 0xffffffff810cf77e in syscallenter (td=<optimized out>) at /usr/home/markj/src/freebsd/sys/amd64/amd64/../../kern/subr_syscall.c:189
>>> #23 amd64_syscall (td=0xfffffe00cb995740, traced=0) at /usr/home/markj/src/freebsd/sys/amd64/amd64/trap.c:1156
>>> <report.txt>
>> Does the reproducer work for you? 
> 
> Hrm, I reproduced the crash in a test VM but now I can't get it to
> happen anymore using a stock GENERIC kernel.  This is probably from a
> local change that I was testing then.  Sorry for the noise.
I executed the syzkaller reproducer about 1000000 times and it did not trigger anything.
So chances are high that this problem might actually be related to some local changes.

Thanks for notifying and retesting.

Best regards
Michael

