BUG: KASAN: stack-out-of-bounds in ipv6_addr_equal include/net/ipv6.h


air icy

Jun 15, 2018, 2:33:34 AM
to da...@davemloft.net, kuz...@ms2.inr.ac.ru, yosh...@linux-ipv6.org, net...@vger.kernel.org, syzk...@googlegroups.com
Hi,
I found a kernel bug with enhanced syzkaller in the newest Linux kernel v4.17.
The output is as follows:
==================================================================
BUG: KASAN: stack-out-of-bounds in ipv6_addr_equal include/net/ipv6.h:508 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_state_addr_check include/net/xfrm.h:1358 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_addr_check include/net/xfrm.h:1375 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2693/0x2740 net/xfrm/xfrm_state.c:959
Read of size 4 at addr ffff880065d77b70 by task syz-executor1/10036

CPU: 0 PID: 10036 Comm: syz-executor1 Not tainted 4.17.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
Call Trace:

The buggy address belongs to the page:
page:ffffea0001975dc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 ffffea0001975dc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880065d77a00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2
 ffff880065d77a80: f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00
>ffff880065d77b00: f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 f4 f2
                                                             ^
 ffff880065d77b80: f2 f2 f2 00 00 00 00 00 00 00 00 00 f4 f4 f4 f3
 ffff880065d77c00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 10036 Comm: syz-executor1 Tainted: G    B             4.17.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
Call Trace:
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
The config file is attached to this email.

Thanks,
Xuwen Tu
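The "Memory state around the buggy address" block at the end of the report is KASAN's shadow memory: one shadow byte per 8 bytes of kernel memory, where 00 means the whole granule is addressable, 01..07 means only the first N bytes are, and the 0xF1..0xF4 values mark the redzones the compiler places around stack locals. The following script is an added triage helper, not code from this thread, from syzkaller or from KASAN itself. It decodes that block, maps the faulting address to its shadow byte and reports which poison value covers it; the poison table is taken from mm/kasan/kasan.h of the 4.x kernels, and the embedded report excerpt is copied from the message above.

```python
"""Decode the shadow-memory dump of a KASAN report (added triage helper)."""
import re

SHADOW_SCALE = 8                  # one shadow byte covers 8 bytes of memory
GRANULES_PER_LINE = 16            # the dump prints 16 shadow bytes per line

# Poison values from mm/kasan/kasan.h (4.x kernels). 0xF1..0xF4 and 0xF8 are
# the compiler's stack ABI; the rest are set by the allocator.
SHADOW_MEANING = {
    0xFF: "freed page",
    0xFE: "page redzone (kmalloc_large)",
    0xFC: "kmalloc redzone inside slab object",
    0xFB: "freed slab object",
    0xFA: "global variable redzone",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "use-after-scope",
    0xCA: "alloca left redzone",
    0xCB: "alloca right redzone",
}

ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
SHADOW_LINE_RE = re.compile(r"^[ >]?([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")

# Excerpt of the report posted above (only the lines this helper needs).
KASAN_REPORT = """\
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2693/0x2740 net/xfrm/xfrm_state.c:959
Read of size 4 at addr ffff880065d77b70 by task syz-executor1/10036

Memory state around the buggy address:
 ffff880065d77a00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2
 ffff880065d77a80: f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00
>ffff880065d77b00: f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 f4 f2
                                                             ^
 ffff880065d77b80: f2 f2 f2 00 00 00 00 00 00 00 00 00 f4 f4 f4 f3
 ffff880065d77c00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
"""


def parse_shadow_dump(report):
    """Return a sorted list of (granule_address, shadow_value) pairs."""
    granules = []
    for line in report.splitlines():
        m = SHADOW_LINE_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            granules.append((base + i * SHADOW_SCALE, int(tok, 16)))
    granules.sort()
    return granules


def describe_shadow(value):
    if value == 0:
        return "fully addressable"
    if 1 <= value < SHADOW_SCALE:
        return f"partially addressable (first {value} bytes)"
    return SHADOW_MEANING.get(value, f"unknown poison 0x{value:02x}")


def byte_is_poisoned(value, offset_in_granule):
    """KASAN rule: 0 -> all 8 bytes valid; 1..7 -> only the first `value`
    bytes valid; any other value -> the whole granule is poisoned."""
    if value == 0:
        return False
    if value < SHADOW_SCALE:
        return offset_in_granule >= value
    return True


def analyze(report):
    """Classify the faulting access described by a KASAN report."""
    m = ACCESS_RE.search(report)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr X' line in report")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    granules = parse_shadow_dump(report)
    shadow = dict(granules)

    # Walk the bytes of the access and stop at the first poisoned one.
    bad = None
    for a in range(addr, addr + size):
        g = a - a % SHADOW_SCALE
        if g not in shadow:
            raise ValueError(f"address {a:#x} is outside the dumped shadow window")
        if byte_is_poisoned(shadow[g], a - g):
            bad = (a, g, shadow[g])
            break
    if bad is None:
        return {"kind": kind, "size": size, "addr": addr, "poisoned": False}
    bad_addr, granule, value = bad

    # Find the addressable run that ends right before the bad granule; for a
    # stack redzone hit that run is the local the access stepped past.
    addrs = [g for g, _ in granules]
    j = addrs.index(granule)
    k = j
    while k > 0 and shadow[addrs[k - 1]] == 0:
        k -= 1
    prev_run = (addrs[k], granule - 1) if k < j else None
    return {"kind": kind, "size": size, "addr": addr, "poisoned": True,
            "first_bad_byte": bad_addr, "granule": granule,
            "shadow_value": value, "meaning": describe_shadow(value),
            "prev_addressable": prev_run}


if __name__ == "__main__":
    r = analyze(KASAN_REPORT)
    print(f"{r['kind']} of {r['size']} at {r['addr']:#x}: shadow byte "
          f"0x{r['shadow_value']:02x} = {r['meaning']}")
    if r["prev_addressable"]:
        s, e = r["prev_addressable"]
        print(f"addressable run just before it: {s:#x}..{e:#x} ({e - s + 1} bytes)")
```

For the report above the faulting granule is the one under the caret (0xf4, a stack partial redzone), and the 56-byte addressable run ending at ffff880065d77b6f sits directly before it, which is the shape of a read that runs off the end of a stack local; the report itself only shows the inlined ipv6_addr_equal comparison in xfrm_state_find as the reader, so which local it is has to come from the source at the quoted line numbers.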


Dmitry Vyukov

Jun 15, 2018, 3:33:00 AM
to air icy, David Miller, Alexey Kuznetsov, Hideaki YOSHIFUJI, netdev, syzkaller
On Fri, Jun 15, 2018 at 8:33 AM, air icy <icy...@gmail.com> wrote:
>
> Hi,
> I found a kernel bug with enhanced syzkaller in the newest Linux kernel v4.17.
> The output is as follows:
>
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in ipv6_addr_equal include/net/ipv6.h:508 [inline]
> BUG: KASAN: stack-out-of-bounds in __xfrm6_state_addr_check include/net/xfrm.h:1358 [inline]
> BUG: KASAN: stack-out-of-bounds in xfrm_state_addr_check include/net/xfrm.h:1375 [inline]
> BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2693/0x2740 net/xfrm/xfrm_state.c:959
> Read of size 4 at addr ffff880065d77b70 by task syz-executor1/10036

This may be related to "KMSAN: uninit-value in xfrm_state_find":
https://groups.google.com/d/msg/syzkaller-bugs/myqLUHNGRRc/Zb3SlyJZBwAJ
> log2
>
> report2
>
> .config
>

Dmitry Vyukov

Jun 15, 2018, 4:24:49 AM
to air icy, syzkaller
On Fri, Jun 15, 2018 at 8:33 AM, air icy <icy...@gmail.com> wrote:
>
> Hi,
> I found a kernel bug with enhanced syzkaller in the newest Linux kernel v4.17.

-kernel mailing lists and dev

Hi,

Do you mind sharing how syzkaller was enhanced and the code?

Thanks