UBSAN: object-size-mismatch in wg_xmit
Jason A. Donenfeld
Jason at zx2c4.com
Thu Jan 7 18:58:33 UTC 2021
On Thu, Jan 7, 2021 at 6:02 PM Julian Wiedmann <jwi at linux.ibm.com> wrote:
>
> On 21.12.20 12:23, Jason A. Donenfeld wrote:
> > Hi Dmitry,
> >
>
> ...
>
> > fall on the border of a mapping? Is UBSAN non-deterministic as an
> > optimization? Or is there actually some mysterious UaF happening with
> > my usage of skbs that I shouldn't overlook?
> >
>
> One oddity is that wg_xmit() returns negative errnos, rather than a
> netdev_tx_t (i.e. NETDEV_TX_OK or NETDEV_TX_BUSY).
>
> Any chance that the stack misinterprets one of those custom errnos
> as NETDEV_TX_BUSY, and thus believes that it still owns the skb?

The stack trace shows the splat happening as a result of
__skb_queue_tail, called from wg_xmit, not something that happens
after wg_xmit returns.