KASAN: use-after-free Read in skb_copy_datagram_iter
19 views
Skip to first unread message
syzbot
Jun 5, 2019, 3:05:07 PM6/5/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 50f99a65 Revert "x86/build: Move _etext to actual end of ...
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=16de4336a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7e5a33f0ac76f52
dashboard link: https://syzkaller.appspot.com/bug?extid=6b10f49ea84a4741012d
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6b10f4...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in skb_copy_datagram_iter+0x8b9/0x8f0
net/core/datagram.c:442
Read of size 1 at addr ffff8881a3825c42 by task syz-executor.5/4793
CPU: 0 PID: 4793 Comm: syz-executor.5 Not tainted 4.14.123+ #5
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x10e lib/dump_stack.c:53
print_address_description+0x60/0x226 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xae/0x2d5 mm/kasan/report.c:393
Allocated by task 4842:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc_node mm/slub.c:2723 [inline]
slab_alloc mm/slub.c:2731 [inline]
__kmalloc_track_caller+0xf1/0x310 mm/slub.c:4288
__kmalloc_reserve.isra.0+0x2d/0xc0 net/core/skbuff.c:137
__alloc_skb+0x105/0x550 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:980 [inline]
sock_wmalloc+0xa5/0xf0 net/core/sock.c:1928
packet_sendmsg_spkt+0x3bb/0x1210 net/packet/af_packet.c:1962
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb7/0x100 net/socket.c:656
___sys_sendmsg+0x368/0x890 net/socket.c:2062
__sys_sendmmsg+0x13c/0x360 net/socket.c:2152
SYSC_sendmmsg net/socket.c:2183 [inline]
SyS_sendmmsg+0x2f/0x50 net/socket.c:2178
do_syscall_64+0x19b/0x510 arch/x86/entry/common.c:292
Freed by task 4842:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:524
slab_free_hook mm/slub.c:1389 [inline]
slab_free_freelist_hook mm/slub.c:1410 [inline]
slab_free mm/slub.c:2966 [inline]
kfree+0xf5/0x310 mm/slub.c:3897
skb_free_head+0x83/0xa0 net/core/skbuff.c:554
skb_release_data+0x4ae/0x730 net/core/skbuff.c:574
skb_release_all+0x46/0x60 net/core/skbuff.c:631
__kfree_skb net/core/skbuff.c:645 [inline]
kfree_skb+0xc5/0x350 net/core/skbuff.c:663
ip6_tnl_start_xmit+0x7ef/0x1b00 net/ipv6/ip6_tunnel.c:1419
__netdev_start_xmit include/linux/netdevice.h:4033 [inline]
netdev_start_xmit include/linux/netdevice.h:4042 [inline]
xmit_one net/core/dev.c:3009 [inline]
dev_hard_start_xmit+0x18e/0x890 net/core/dev.c:3025
__dev_queue_xmit+0x11b1/0x1cd0 net/core/dev.c:3525
The buggy address belongs to the object at ffff8881a3825b80
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 194 bytes inside of
512-byte region [ffff8881a3825b80, ffff8881a3825d80)
The buggy address belongs to the page:
page:ffffea00068e0900 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
raw: 0000000000000000 0000000b00000001 ffff8881da802c00 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881a3825b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881a3825b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881a3825c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
audit: type=1326 audit(2000000318.990:2423): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=4820
comm="syz-executor.4" exe="/root/syz-executor.4" sig=9 arch=c000003e
syscall=228 compat=0 ip=0x45c0ba code=0x0
^
ffff8881a3825c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881a3825d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 50f99a65 Revert "x86/build: Move _etext to actual end of ...
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=16de4336a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7e5a33f0ac76f52
dashboard link: https://syzkaller.appspot.com/bug?extid=6b10f49ea84a4741012d
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6b10f4...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in skb_copy_datagram_iter+0x8b9/0x8f0
net/core/datagram.c:442
Read of size 1 at addr ffff8881a3825c42 by task syz-executor.5/4793
CPU: 0 PID: 4793 Comm: syz-executor.5 Not tainted 4.14.123+ #5
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x10e lib/dump_stack.c:53
print_address_description+0x60/0x226 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xae/0x2d5 mm/kasan/report.c:393
Allocated by task 4842:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc_node mm/slub.c:2723 [inline]
slab_alloc mm/slub.c:2731 [inline]
__kmalloc_track_caller+0xf1/0x310 mm/slub.c:4288
__kmalloc_reserve.isra.0+0x2d/0xc0 net/core/skbuff.c:137
__alloc_skb+0x105/0x550 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:980 [inline]
sock_wmalloc+0xa5/0xf0 net/core/sock.c:1928
packet_sendmsg_spkt+0x3bb/0x1210 net/packet/af_packet.c:1962
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb7/0x100 net/socket.c:656
___sys_sendmsg+0x368/0x890 net/socket.c:2062
__sys_sendmmsg+0x13c/0x360 net/socket.c:2152
SYSC_sendmmsg net/socket.c:2183 [inline]
SyS_sendmmsg+0x2f/0x50 net/socket.c:2178
do_syscall_64+0x19b/0x510 arch/x86/entry/common.c:292
Freed by task 4842:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:524
slab_free_hook mm/slub.c:1389 [inline]
slab_free_freelist_hook mm/slub.c:1410 [inline]
slab_free mm/slub.c:2966 [inline]
kfree+0xf5/0x310 mm/slub.c:3897
skb_free_head+0x83/0xa0 net/core/skbuff.c:554
skb_release_data+0x4ae/0x730 net/core/skbuff.c:574
skb_release_all+0x46/0x60 net/core/skbuff.c:631
__kfree_skb net/core/skbuff.c:645 [inline]
kfree_skb+0xc5/0x350 net/core/skbuff.c:663
ip6_tnl_start_xmit+0x7ef/0x1b00 net/ipv6/ip6_tunnel.c:1419
__netdev_start_xmit include/linux/netdevice.h:4033 [inline]
netdev_start_xmit include/linux/netdevice.h:4042 [inline]
xmit_one net/core/dev.c:3009 [inline]
dev_hard_start_xmit+0x18e/0x890 net/core/dev.c:3025
__dev_queue_xmit+0x11b1/0x1cd0 net/core/dev.c:3525
The buggy address belongs to the object at ffff8881a3825b80
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 194 bytes inside of
512-byte region [ffff8881a3825b80, ffff8881a3825d80)
The buggy address belongs to the page:
page:ffffea00068e0900 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
raw: 0000000000000000 0000000b00000001 ffff8881da802c00 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881a3825b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881a3825b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881a3825c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
audit: type=1326 audit(2000000318.990:2423): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=4820
comm="syz-executor.4" exe="/root/syz-executor.4" sig=9 arch=c000003e
syscall=228 compat=0 ip=0x45c0ba code=0x0
^
ffff8881a3825c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881a3825d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Oct 25, 2019, 4:36:08 AM10/25/19
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages