KASAN: slab-out-of-bounds Read in bpf_skb_change_head
9 views
Skip to first unread message
syzbot
Apr 11, 2019, 8:01:03 PM4/11/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 5efa5793 Merge 4.14.72 into android-4.14
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=16d1fc3a400000
kernel config: https://syzkaller.appspot.com/x/.config?x=a4bc2e53771f6a92
dashboard link: https://syzkaller.appspot.com/bug?extid=25cc165172a72f7091a6
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14f3ec59400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124fdf9e400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+25cc16...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1537992392.006:7): avc: denied { map } for
pid=1810 comm="syz-executor766" path="/root/syz-executor766295278"
dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
audit: type=1400 audit(1537992392.026:8): avc: denied { prog_load } for
pid=1810 comm="syz-executor766"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf
permissive=1
audit: type=1400 audit(1537992392.056:9): avc: denied { prog_run } for
pid=1810 comm="syz-executor766"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf
permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in ____bpf_skb_change_head
net/core/filter.c:2422 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_skb_change_head+0x461/0x530
net/core/filter.c:2418
Read of size 4 at addr ffff8801d2fa6378 by task syz-executor766/1810
CPU: 1 PID: 1810 Comm: syz-executor766 Not tainted 4.14.72+ #9
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
print_address_description+0x60/0x22b mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
____bpf_skb_change_head net/core/filter.c:2422 [inline]
bpf_skb_change_head+0x461/0x530 net/core/filter.c:2418
___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012
Allocated by task 1810:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc_node mm/slub.c:2723 [inline]
slab_alloc mm/slub.c:2731 [inline]
kmem_cache_alloc+0xe4/0x2b0 mm/slub.c:2736
kmem_cache_alloc_node include/linux/slab.h:361 [inline]
__alloc_skb+0xd8/0x550 net/core/skbuff.c:193
alloc_skb include/linux/skbuff.h:980 [inline]
nlmsg_new include/net/netlink.h:511 [inline]
audit_buffer_alloc kernel/audit.c:1626 [inline]
audit_log_start+0x3dd/0x6f0 kernel/audit.c:1740
common_lsm_audit+0xe8/0x1d00 security/lsm_audit.c:450
slow_avc_audit+0x14a/0x1d0 security/selinux/avc.c:771
avc_audit security/selinux/include/avc.h:141 [inline]
avc_has_perm+0x2f2/0x390 security/selinux/avc.c:1146
selinux_bpf+0xb4/0x100 security/selinux/hooks.c:6285
security_bpf+0x7c/0xb0 security/security.c:1714
SYSC_bpf kernel/bpf/syscall.c:1564 [inline]
SyS_bpf+0x153/0x3640 kernel/bpf/syscall.c:1547
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 31:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524
slab_free_hook mm/slub.c:1389 [inline]
slab_free_freelist_hook mm/slub.c:1410 [inline]
slab_free mm/slub.c:2966 [inline]
kmem_cache_free+0x12d/0x350 mm/slub.c:2988
kfree_skbmem+0x9e/0x100 net/core/skbuff.c:582
__kfree_skb net/core/skbuff.c:642 [inline]
kfree_skb+0xd0/0x340 net/core/skbuff.c:659
kauditd_hold_skb+0x115/0x140 kernel/audit.c:543
kauditd_send_queue+0xf9/0x140 kernel/audit.c:702
kauditd_thread+0x4c7/0x660 kernel/audit.c:828
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
The buggy address belongs to the object at ffff8801d2fa6280
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 24 bytes to the right of
224-byte region [ffff8801d2fa6280, ffff8801d2fa6360)
The buggy address belongs to the page:
page:ffffea00074be980 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000100(slab)
raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
raw: dead000000000100 dead000000000200 ffff8801dab4a800 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801d2fa6200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801d2fa6280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801d2fa6300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff8801d2fa6380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff8801d2fa6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 5efa5793 Merge 4.14.72 into android-4.14
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=16d1fc3a400000
kernel config: https://syzkaller.appspot.com/x/.config?x=a4bc2e53771f6a92
dashboard link: https://syzkaller.appspot.com/bug?extid=25cc165172a72f7091a6
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14f3ec59400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124fdf9e400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+25cc16...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1537992392.006:7): avc: denied { map } for
pid=1810 comm="syz-executor766" path="/root/syz-executor766295278"
dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
audit: type=1400 audit(1537992392.026:8): avc: denied { prog_load } for
pid=1810 comm="syz-executor766"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf
permissive=1
audit: type=1400 audit(1537992392.056:9): avc: denied { prog_run } for
pid=1810 comm="syz-executor766"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf
permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in ____bpf_skb_change_head
net/core/filter.c:2422 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_skb_change_head+0x461/0x530
net/core/filter.c:2418
Read of size 4 at addr ffff8801d2fa6378 by task syz-executor766/1810
CPU: 1 PID: 1810 Comm: syz-executor766 Not tainted 4.14.72+ #9
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
print_address_description+0x60/0x22b mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
____bpf_skb_change_head net/core/filter.c:2422 [inline]
bpf_skb_change_head+0x461/0x530 net/core/filter.c:2418
___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012
Allocated by task 1810:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc_node mm/slub.c:2723 [inline]
slab_alloc mm/slub.c:2731 [inline]
kmem_cache_alloc+0xe4/0x2b0 mm/slub.c:2736
kmem_cache_alloc_node include/linux/slab.h:361 [inline]
__alloc_skb+0xd8/0x550 net/core/skbuff.c:193
alloc_skb include/linux/skbuff.h:980 [inline]
nlmsg_new include/net/netlink.h:511 [inline]
audit_buffer_alloc kernel/audit.c:1626 [inline]
audit_log_start+0x3dd/0x6f0 kernel/audit.c:1740
common_lsm_audit+0xe8/0x1d00 security/lsm_audit.c:450
slow_avc_audit+0x14a/0x1d0 security/selinux/avc.c:771
avc_audit security/selinux/include/avc.h:141 [inline]
avc_has_perm+0x2f2/0x390 security/selinux/avc.c:1146
selinux_bpf+0xb4/0x100 security/selinux/hooks.c:6285
security_bpf+0x7c/0xb0 security/security.c:1714
SYSC_bpf kernel/bpf/syscall.c:1564 [inline]
SyS_bpf+0x153/0x3640 kernel/bpf/syscall.c:1547
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 31:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524
slab_free_hook mm/slub.c:1389 [inline]
slab_free_freelist_hook mm/slub.c:1410 [inline]
slab_free mm/slub.c:2966 [inline]
kmem_cache_free+0x12d/0x350 mm/slub.c:2988
kfree_skbmem+0x9e/0x100 net/core/skbuff.c:582
__kfree_skb net/core/skbuff.c:642 [inline]
kfree_skb+0xd0/0x340 net/core/skbuff.c:659
kauditd_hold_skb+0x115/0x140 kernel/audit.c:543
kauditd_send_queue+0xf9/0x140 kernel/audit.c:702
kauditd_thread+0x4c7/0x660 kernel/audit.c:828
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
The buggy address belongs to the object at ffff8801d2fa6280
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 24 bytes to the right of
224-byte region [ffff8801d2fa6280, ffff8801d2fa6360)
The buggy address belongs to the page:
page:ffffea00074be980 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000100(slab)
raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
raw: dead000000000100 dead000000000200 ffff8801dab4a800 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801d2fa6200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801d2fa6280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801d2fa6300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff8801d2fa6380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff8801d2fa6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages