KASAN: use-after-free Read in ip6t_do_table

syzbot

Oct 11, 2019, 11:56:10 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=14f9de77600000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=b37bf8c6f9f9a98f8a4f
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b37bf8...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in ifname_compare_aligned include/linux/netfilter/x_tables.h:369 [inline]
BUG: KASAN: use-after-free in ip6_packet_match net/ipv6/netfilter/ip6_tables.c:89 [inline]
BUG: KASAN: use-after-free in ip6t_do_table+0x14e2/0x17e0 net/ipv6/netfilter/ip6_tables.c:333
Read of size 8 at addr ffff88018dee4000 by task syz-executor.0/21852

CPU: 0 PID: 21852 Comm: syz-executor.0 Not tainted 4.9.141+ #1
ffff88018f75f080 ffffffff81b42e79 ffffea000637b900 ffff88018dee4000
0000000000000000 ffff88018dee4000 dffffc0000000000 ffff88018f75f0b8
ffffffff815009b8 ffff88018dee4000 0000000000000008 0000000000000000
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff815009b8>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
[<ffffffff81500dc2>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff81500dc2>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
[<ffffffff814f3074>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
[<ffffffff8277f202>] ifname_compare_aligned include/linux/netfilter/x_tables.h:369 [inline]
[<ffffffff8277f202>] ip6_packet_match net/ipv6/netfilter/ip6_tables.c:89 [inline]
[<ffffffff8277f202>] ip6t_do_table+0x14e2/0x17e0 net/ipv6/netfilter/ip6_tables.c:333
[<ffffffff82787695>] ip6table_filter_hook+0x65/0x80 net/ipv6/netfilter/ip6table_filter.c:41
[<ffffffff823ddae6>] nf_iterate+0x126/0x310 net/netfilter/core.c:324
[<ffffffff823ddde4>] nf_hook_slow+0x114/0x1e0 net/netfilter/core.c:355
[<ffffffff827bcbe4>] nf_hook_thresh include/linux/netfilter.h:191 [inline]
[<ffffffff827bcbe4>] nf_hook include/linux/netfilter.h:203 [inline]
[<ffffffff827bcbe4>] __ip6_local_out+0x484/0x620 net/ipv6/output_core.c:164
[<ffffffff827bcda9>] ip6_local_out+0x29/0x180 net/ipv6/output_core.c:174
[<ffffffff826a4891>] ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1751
[<ffffffff82706689>] udp_v6_send_skb+0x429/0xe70 net/ipv6/udp.c:974
[<ffffffff827072fd>] udp_v6_push_pending_frames+0x22d/0x340 net/ipv6/udp.c:1007
[<ffffffff827092b1>] udpv6_sendmsg+0x1dc1/0x2430 net/ipv6/udp.c:1273
[<ffffffff825952f3>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:770
[<ffffffff822a063b>] sock_sendmsg_nosec net/socket.c:648 [inline]
[<ffffffff822a063b>] sock_sendmsg+0xbb/0x110 net/socket.c:658
[<ffffffff822a209a>] ___sys_sendmsg+0x47a/0x840 net/socket.c:1982
[<ffffffff822a55a1>] __sys_sendmmsg+0x161/0x3d0 net/socket.c:2072
[<ffffffff822a5845>] SYSC_sendmmsg net/socket.c:2103 [inline]
[<ffffffff822a5845>] SyS_sendmmsg+0x35/0x60 net/socket.c:2098
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the page:
page:ffffea000637b900 count:0 mapcount:-127 mapping: (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88018dee3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88018dee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff88018dee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88018dee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88018dee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Oct 13, 2019, 10:44:08 PM
to syzkaller-a...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 7fe05eed Merge 4.9.194 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=16cc4707600000
kernel config: https://syzkaller.appspot.com/x/.config?x=c6d462552c77f021
dashboard link: https://syzkaller.appspot.com/bug?extid=b37bf8c6f9f9a98f8a4f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17a41ed7600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17603808e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b37bf8...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in ifname_compare_aligned include/linux/netfilter/x_tables.h:369 [inline]
BUG: KASAN: use-after-free in ip6_packet_match net/ipv6/netfilter/ip6_tables.c:89 [inline]
BUG: KASAN: use-after-free in ip6t_do_table+0x1545/0x1860 net/ipv6/netfilter/ip6_tables.c:333
Read of size 8 at addr ffff8801c55b4000 by task syz-executor767/12939

CPU: 0 PID: 12939 Comm: syz-executor767 Not tainted 4.9.194+ #0
ffff8801cdeef058 ffffffff81b67001 0000000000000000 ffffea0007156d00
ffff8801c55b4000 0000000000000008 ffffffff82795bb5 ffff8801cdeef090
ffffffff8150c4f1 0000000000000000 ffff8801c55b4000 ffff8801c55b4000
Call Trace:
[<00000000f2e5b72f>] __dump_stack lib/dump_stack.c:15 [inline]
[<00000000f2e5b72f>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<00000000970048f1>] print_address_description+0x6f/0x23a mm/kasan/report.c:256
[<00000000f26e3890>] kasan_report_error mm/kasan/report.c:355 [inline]
[<00000000f26e3890>] kasan_report mm/kasan/report.c:413 [inline]
[<00000000f26e3890>] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:397
[<00000000ebdfaa76>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:434
[<00000000e049409b>] ifname_compare_aligned include/linux/netfilter/x_tables.h:369 [inline]
[<00000000e049409b>] ip6_packet_match net/ipv6/netfilter/ip6_tables.c:89 [inline]
[<00000000e049409b>] ip6t_do_table+0x1545/0x1860 net/ipv6/netfilter/ip6_tables.c:333
[<00000000a05f4379>] ip6t_mangle_out net/ipv6/netfilter/ip6table_mangle.c:63 [inline]
[<00000000a05f4379>] ip6table_mangle_hook+0x2dc/0x6d0 net/ipv6/netfilter/ip6table_mangle.c:85
[<00000000f3f0f236>] nf_iterate+0x12e/0x310 net/netfilter/core.c:324
[<00000000e410a366>] nf_hook_slow+0x114/0x1f0 net/netfilter/core.c:355
[<0000000095e7aeca>] nf_hook_thresh include/linux/netfilter.h:191 [inline]
[<0000000095e7aeca>] nf_hook include/linux/netfilter.h:203 [inline]
[<0000000095e7aeca>] __ip6_local_out+0x498/0x630 net/ipv6/output_core.c:166
[<000000001c35d7ac>] ip6_local_out+0x29/0x180 net/ipv6/output_core.c:176
[<000000000bb7c638>] ip6_send_skb+0xa2/0x340 net/ipv6/ip6_output.c:1753
[<000000007308b9d0>] udp_v6_send_skb+0x438/0xe90 net/ipv6/udp.c:974
[<000000004e5dfeb8>] udp_v6_push_pending_frames+0x245/0x360 net/ipv6/udp.c:1007
[<0000000051e4d6b2>] udpv6_sendmsg+0x19b0/0x2430 net/ipv6/udp.c:1273
[<00000000d568c061>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:766
[<00000000dbb9d027>] sock_sendmsg_nosec net/socket.c:649 [inline]
[<00000000dbb9d027>] sock_sendmsg+0xbe/0x110 net/socket.c:659
[<0000000041ae27c7>] ___sys_sendmsg+0x387/0x8b0 net/socket.c:1983
[<000000005803d8e7>] __sys_sendmmsg+0x164/0x3d0 net/socket.c:2073
[<0000000059eb1f4b>] SYSC_sendmmsg net/socket.c:2104 [inline]
[<0000000059eb1f4b>] SyS_sendmmsg+0x35/0x60 net/socket.c:2099
[<00000000578f7694>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
[<000000007bba6546>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the page:
page:ffffea0007156d00 count:0 mapcount:-127 mapping: (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801c55b3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801c55b3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8801c55b4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8801c55b4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801c55b4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
