KASAN: slab-out-of-bounds Write in __internal_add_timer (2)

syzbot

Feb 12, 2021, 9:56:20 PM2/12/21
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 57b3f483 BACKPORT: bpf: add bpf_ktime_get_boot_ns()
git tree: android12-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=13b8ba4cd00000
kernel config: https://syzkaller.appspot.com/x/.config?x=5b365ba984b508e1
dashboard link: https://syzkaller.appspot.com/bug?extid=55a40ef0654a2ff5911d
compiler: Debian clang version 11.0.1-2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+55a40e...@syzkaller.appspotmail.com

BUG: KASAN: slab-out-of-bounds in hlist_add_head include/linux/list.h:787 [inline]
BUG: KASAN: slab-out-of-bounds in enqueue_timer kernel/time/timer.c:541 [inline]
BUG: KASAN: slab-out-of-bounds in __internal_add_timer+0x2a6/0x4a0 kernel/time/timer.c:554
Write of size 8 at addr ffff8881ee3fb1c8 by task syz-executor.4/555

CPU: 0 PID: 555 Comm: syz-executor.4 Not tainted 5.4.97-syzkaller-00250-g57b3f4830fb6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x24e lib/dump_stack.c:118
print_address_description+0x9b/0x650 mm/kasan/report.c:376
__kasan_report+0x182/0x250 mm/kasan/report.c:508
kasan_report+0x30/0x60 mm/kasan/common.c:641
hlist_add_head include/linux/list.h:787 [inline]
enqueue_timer kernel/time/timer.c:541 [inline]
__internal_add_timer+0x2a6/0x4a0 kernel/time/timer.c:554
internal_add_timer kernel/time/timer.c:604 [inline]
__mod_timer+0xab9/0x1c70 kernel/time/timer.c:1065
tun_flow_init drivers/net/tun.c:1368 [inline]
tun_set_iff drivers/net/tun.c:2840 [inline]
__tun_chr_ioctl+0x337d/0x4bd0 drivers/net/tun.c:3096
do_vfs_ioctl+0x76a/0x1720 fs/ioctl.c:47
ksys_ioctl fs/ioctl.c:742 [inline]
__do_sys_ioctl fs/ioctl.c:749 [inline]
__se_sys_ioctl fs/ioctl.c:747 [inline]
__x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x465d99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f368cc93188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465d99
RDX: 0000000020000000 RSI: 00000000400454ca RDI: 0000000000000005
RBP: 00000000004bcf27 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffdc742169f R14: 00007f368cc93300 R15: 0000000000022000

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8881ee3fad00
which belongs to the cache UNIX of size 1152
The buggy address is located 72 bytes to the right of
1152-byte region [ffff8881ee3fad00, ffff8881ee3fb180)
The buggy address belongs to the page:
page:ffffea0007b8fe00 refcount:1 mapcount:0 mapping:ffff8881f4320c80 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f4320c80
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881ee3fb080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881ee3fb100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881ee3fb180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8881ee3fb200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881ee3fb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Dec 5, 2021, 1:45:17 AM12/5/21
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.