KASAN: use-after-free Read in __ip6_append_data


syzbot

Oct 13, 2019, 5:18:09 PM10/13/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=1596b79f600000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=3c8c89608d9c4c766724
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3c8c89...@syzkaller.appspotmail.com

audit: type=1400 audit(1570997862.945:119): avc: denied { execute } for pid=10083 comm="syz-executor.1" path="pipe:[35456]" dev="pipefs" ino=35456 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
==================================================================
BUG: KASAN: use-after-free in __ip6_append_data.isra.3+0x3397/0x3460 net/ipv6/ip6_output.c:1375
Read of size 8 at addr ffff8801c90040f0 by task syz-executor.3/10085

CPU: 0 PID: 10085 Comm: syz-executor.3 Not tainted 4.9.141+ #23
ffff8801a9f3f288 ffffffff81b42e79 ffffea0007240100 ffff8801c90040f0
0000000000000000 ffff8801c90040f0 0000000000000008 ffff8801a9f3f2c0
ffffffff815009b8 ffff8801c90040f0 0000000000000008 0000000000000000
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff815009b8>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
[<ffffffff81500dc2>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff81500dc2>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
[<ffffffff814f3074>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
[<ffffffff82699877>] __ip6_append_data.isra.3+0x3397/0x3460 net/ipv6/ip6_output.c:1375
[<ffffffff826a4ea1>] ip6_make_skb+0x291/0x480 net/ipv6/ip6_output.c:1831
[<ffffffff82709379>] udpv6_sendmsg+0x1e89/0x2430 net/ipv6/udp.c:1240
[<ffffffff825952f3>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:770
[<ffffffff822a063b>] sock_sendmsg_nosec net/socket.c:648 [inline]
[<ffffffff822a063b>] sock_sendmsg+0xbb/0x110 net/socket.c:658
[<ffffffff822a209a>] ___sys_sendmsg+0x47a/0x840 net/socket.c:1982
[<ffffffff822a567c>] __sys_sendmmsg+0x23c/0x3d0 net/socket.c:2065
[<ffffffff82390192>] C_SYSC_sendmmsg net/compat.c:742 [inline]
[<ffffffff82390192>] compat_SyS_sendmmsg+0x32/0x40 net/compat.c:739
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

The buggy address belongs to the page:
page:ffffea0007240100 count:0 mapcount:-127 mapping: (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801c9003f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801c9004000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8801c9004080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8801c9004100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801c9004180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Nov 22, 2019, 1:38:08 AM11/22/19
to syzkaller-a...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 258971b8 Merge 4.9.202 into android-4.9-q
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=130ebceee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9bd17d9821ccee4f
dashboard link: https://syzkaller.appspot.com/bug?extid=3c8c89608d9c4c766724
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1636c35ae00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=155007ace00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3c8c89...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in __ip6_append_data.isra.0+0x284f/0x3450 net/ipv6/ip6_output.c:1331
Read of size 2 at addr ffff8801c985023a by task syz-executor343/17861

CPU: 1 PID: 17861 Comm: syz-executor343 Not tainted 4.9.202+ #0
ffff8801c92074c8 ffffffff81b55d2b 0000000000000000 ffffea0007261400
ffff8801c985023a 0000000000000002 ffffffff826a022f ffff8801c9207500
ffffffff8150c321 0000000000000000 ffff8801c985023a ffff8801c985023a
Call Trace:
[<00000000319c1862>] __dump_stack lib/dump_stack.c:15 [inline]
[<00000000319c1862>] dump_stack+0xcb/0x130 lib/dump_stack.c:56
[<00000000d98cee61>] print_address_description+0x6f/0x23a mm/kasan/report.c:256
[<000000002bf6779b>] kasan_report_error mm/kasan/report.c:355 [inline]
[<000000002bf6779b>] kasan_report mm/kasan/report.c:413 [inline]
[<000000002bf6779b>] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:397
[<00000000eb2acbc8>] __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:432
[<000000003dc98037>] __ip6_append_data.isra.0+0x284f/0x3450 net/ipv6/ip6_output.c:1331
[<00000000aab7ba23>] ip6_append_data+0x1dd/0x310 net/ipv6/ip6_output.c:1647
[<00000000a8a7606f>] udpv6_sendmsg+0x1322/0x2430 net/ipv6/udp.c:1267
[<0000000059b80bbd>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:766
[<0000000048aaf6e2>] sock_sendmsg_nosec net/socket.c:649 [inline]
[<0000000048aaf6e2>] sock_sendmsg+0xbe/0x110 net/socket.c:659
[<00000000783f5cfb>] ___sys_sendmsg+0x387/0x8b0 net/socket.c:1983
[<00000000634ebece>] __sys_sendmmsg+0x164/0x3d0 net/socket.c:2073
[<000000000f6a65f4>] SYSC_sendmmsg net/socket.c:2104 [inline]
[<000000000f6a65f4>] SyS_sendmmsg+0x35/0x60 net/socket.c:2099
[<00000000fbd08a9a>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
[<000000003fe04d7a>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the page:
page:ffffea0007261400 count:0 mapcount:-127 mapping: (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801c9850100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801c9850180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8801c9850200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8801c9850280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801c9850300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
