KASAN: slab-out-of-bounds Read in bpf_clone_redirect
10 views
Skip to first unread message
syzbot
Apr 11, 2019, 8:01:03 PM4/11/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 4ed22187 Revert "ANDROID: Revert "arm64: move ELF_ET_DYN_B..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=117a6be5400000
kernel config: https://syzkaller.appspot.com/x/.config?x=7acec4778e485bac
dashboard link: https://syzkaller.appspot.com/bug?extid=7adf4460f83e0717d66b
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11a3dfc5400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=108dd999400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7adf44...@syzkaller.appspotmail.com
audit: type=1400 audit(1540861977.088:8): avc: denied { prog_load } for
pid=1795 comm="syz-executor778"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf
permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in ____bpf_clone_redirect
net/core/filter.c:1767 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_clone_redirect+0x29a/0x2b0
net/core/filter.c:1758
Read of size 8 at addr ffff8801c4cb8250 by task syz-executor778/1795
CPU: 0 PID: 1795 Comm: syz-executor778 Not tainted 4.14.78+ #26
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
print_address_description+0x60/0x22b mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
____bpf_clone_redirect net/core/filter.c:1767 [inline]
bpf_clone_redirect+0x29a/0x2b0 net/core/filter.c:1758
___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012
Allocated by task 1795:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc_node mm/slub.c:2723 [inline]
slab_alloc mm/slub.c:2731 [inline]
kmem_cache_alloc+0xe4/0x2b0 mm/slub.c:2736
kmem_cache_alloc_node include/linux/slab.h:361 [inline]
__alloc_skb+0xd8/0x550 net/core/skbuff.c:193
alloc_skb include/linux/skbuff.h:980 [inline]
nlmsg_new include/net/netlink.h:511 [inline]
audit_buffer_alloc kernel/audit.c:1626 [inline]
audit_log_start+0x3dd/0x6f0 kernel/audit.c:1740
common_lsm_audit+0xe8/0x1d00 security/lsm_audit.c:450
slow_avc_audit+0x14a/0x1d0 security/selinux/avc.c:771
avc_audit security/selinux/include/avc.h:141 [inline]
avc_has_perm+0x2f2/0x390 security/selinux/avc.c:1146
selinux_bpf+0xb4/0x100 security/selinux/hooks.c:6285
security_bpf+0x7c/0xb0 security/security.c:1714
SYSC_bpf kernel/bpf/syscall.c:1564 [inline]
SyS_bpf+0x153/0x3640 kernel/bpf/syscall.c:1547
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff8801c4cb8140
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 48 bytes to the right of
224-byte region [ffff8801c4cb8140, ffff8801c4cb8220)
The buggy address belongs to the page:
page:ffffea0007132e00 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000100(slab)
raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
raw: dead000000000100 dead000000000200 ffff8801dab70200 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801c4cb8100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff8801c4cb8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8801c4cb8200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8801c4cb8280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801c4cb8300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 4ed22187 Revert "ANDROID: Revert "arm64: move ELF_ET_DYN_B..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=117a6be5400000
kernel config: https://syzkaller.appspot.com/x/.config?x=7acec4778e485bac
dashboard link: https://syzkaller.appspot.com/bug?extid=7adf4460f83e0717d66b
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11a3dfc5400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=108dd999400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7adf44...@syzkaller.appspotmail.com
audit: type=1400 audit(1540861977.088:8): avc: denied { prog_load } for
pid=1795 comm="syz-executor778"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf
permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in ____bpf_clone_redirect
net/core/filter.c:1767 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_clone_redirect+0x29a/0x2b0
net/core/filter.c:1758
Read of size 8 at addr ffff8801c4cb8250 by task syz-executor778/1795
CPU: 0 PID: 1795 Comm: syz-executor778 Not tainted 4.14.78+ #26
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
print_address_description+0x60/0x22b mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
____bpf_clone_redirect net/core/filter.c:1767 [inline]
bpf_clone_redirect+0x29a/0x2b0 net/core/filter.c:1758
___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012
Allocated by task 1795:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc_node mm/slub.c:2723 [inline]
slab_alloc mm/slub.c:2731 [inline]
kmem_cache_alloc+0xe4/0x2b0 mm/slub.c:2736
kmem_cache_alloc_node include/linux/slab.h:361 [inline]
__alloc_skb+0xd8/0x550 net/core/skbuff.c:193
alloc_skb include/linux/skbuff.h:980 [inline]
nlmsg_new include/net/netlink.h:511 [inline]
audit_buffer_alloc kernel/audit.c:1626 [inline]
audit_log_start+0x3dd/0x6f0 kernel/audit.c:1740
common_lsm_audit+0xe8/0x1d00 security/lsm_audit.c:450
slow_avc_audit+0x14a/0x1d0 security/selinux/avc.c:771
avc_audit security/selinux/include/avc.h:141 [inline]
avc_has_perm+0x2f2/0x390 security/selinux/avc.c:1146
selinux_bpf+0xb4/0x100 security/selinux/hooks.c:6285
security_bpf+0x7c/0xb0 security/security.c:1714
SYSC_bpf kernel/bpf/syscall.c:1564 [inline]
SyS_bpf+0x153/0x3640 kernel/bpf/syscall.c:1547
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff8801c4cb8140
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 48 bytes to the right of
224-byte region [ffff8801c4cb8140, ffff8801c4cb8220)
The buggy address belongs to the page:
page:ffffea0007132e00 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000100(slab)
raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
raw: dead000000000100 dead000000000200 ffff8801dab70200 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801c4cb8100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff8801c4cb8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8801c4cb8200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8801c4cb8280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801c4cb8300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages