KASAN: use-after-free Read in skb_network_protocol

syzbot

Apr 14, 2019, 4:51:33 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 38f41ec1 Merge 4.4.125 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=111daf47800000
kernel config: https://syzkaller.appspot.com/x/.config?x=d3227609e1874daa
dashboard link: https://syzkaller.appspot.com/bug?extid=6fa257825cf6f87ed2db
compiler: gcc (GCC) 7.1.1 20170620
userspace arch: i386
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17fec527800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6fa257...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
==================================================================
BUG: KASAN: use-after-free in skb_network_protocol+0x462/0x4a0
net/core/dev.c:2519
Read of size 2 at addr ffff8801c978bb8b by task syz-executor0/4095

CPU: 1 PID: 4095 Comm: syz-executor0 Not tainted 4.4.125-g38f41ec #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
0000000000000000 6d2f812ce534b1f1 ffff8800bb317708 ffffffff81d067bd
ffffea000725e2c0 ffff8801c978bb8b 0000000000000000 ffff8801c978bb8b
0000000000005865 ffff8800bb317740 ffffffff814fea83 ffff8801c978bb8b
Call Trace:
[<ffffffff81d067bd>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81d067bd>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff814fea83>] print_address_description+0x73/0x260
mm/kasan/report.c:252
[<ffffffff814fef95>] kasan_report_error mm/kasan/report.c:351 [inline]
[<ffffffff814fef95>] kasan_report+0x285/0x370 mm/kasan/report.c:408
[<ffffffff814ff1cf>] __asan_report_load_n_noabort+0xf/0x20
mm/kasan/report.c:439
[<ffffffff82e5ae42>] skb_network_protocol+0x462/0x4a0 net/core/dev.c:2519
[<ffffffff82e5bbf9>] harmonize_features net/core/dev.c:2688 [inline]
[<ffffffff82e5bbf9>] netif_skb_features+0x369/0x6a0 net/core/dev.c:2744
[<ffffffff82e5bf58>] validate_xmit_skb.isra.101.part.102+0x28/0x970
net/core/dev.c:2809
[<ffffffff82e5c94e>] validate_xmit_skb net/core/dev.c:2863 [inline]
[<ffffffff82e5c94e>] validate_xmit_skb_list+0xae/0x110 net/core/dev.c:2865
[<ffffffff8342d345>] packet_direct_xmit+0xa5/0x4f0
net/packet/af_packet.c:260
[<ffffffff834397d2>] packet_snd net/packet/af_packet.c:2828 [inline]
[<ffffffff834397d2>] packet_sendmsg+0x29b2/0x47e0
net/packet/af_packet.c:2853
[<ffffffff82df168a>] sock_sendmsg_nosec net/socket.c:625 [inline]
[<ffffffff82df168a>] sock_sendmsg+0xca/0x110 net/socket.c:635
[<ffffffff82df25d8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
[<ffffffff82df4ad0>] SyS_sendto+0x40/0x50 net/socket.c:1633
[<ffffffff81006d91>] do_syscall_32_irqs_on arch/x86/entry/common.c:392
[inline]
[<ffffffff81006d91>] do_fast_syscall_32+0x321/0x8a0
arch/x86/entry/common.c:459
[<ffffffff8377b2aa>] sysenter_flags_fixed+0xd/0x17

The buggy address belongs to the page:
page:ffffea000725e2c0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x8000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801c978ba80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801c978bb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8801c978bb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8801c978bc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801c978bc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches