KASAN: slab-out-of-bounds Read in memcpy


syzbot

Apr 12, 2019, 8:00:51 PM4/12/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: e303a832
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=157eb15e800000
kernel config: https://syzkaller.appspot.com/x/.config?x=b5c7571111d74866
dashboard link: https://syzkaller.appspot.com/bug?extid=6cd4893962034118b585
compiler: gcc (GCC) 7.1.1 20170620
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13e8bf8e800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11874a81800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6cd489...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read, 103 bits of entropy available)
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8800b80a6988
Read of size 8192 by task syzkaller154846/3310
=============================================================================
BUG kmalloc-512 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=5 cpu=1 pid=3310
___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475
__slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
slab_alloc_node mm/slub.c:2567 [inline]
slab_alloc mm/slub.c:2609 [inline]
__kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118
__kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137
__alloc_skb+0xf5/0x610 net/core/skbuff.c:230
alloc_skb include/linux/skbuff.h:815 [inline]
pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657
sock_sendmsg_nosec net/socket.c:625 [inline]
sock_sendmsg+0xb5/0xf0 net/socket.c:635
___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
__sys_sendmsg+0xc3/0x160 net/socket.c:1995
SYSC_sendmsg net/socket.c:2006 [inline]
SyS_sendmsg+0xd/0x20 net/socket.c:2002
entry_SYSCALL_64_fastpath+0x16/0x76
INFO: Freed in load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 age=11 cpu=1 pid=3310
__slab_free+0x18c/0x2b0 mm/slub.c:2685
slab_free mm/slub.c:2840 [inline]
kfree+0x24f/0x2d0 mm/slub.c:3714
load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075
search_binary_handler+0x124/0x610 fs/exec.c:1471
exec_binprm fs/exec.c:1513 [inline]
do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635
do_execve fs/exec.c:1679 [inline]
SYSC_execve fs/exec.c:1760 [inline]
SyS_execve+0x35/0x40 fs/exec.c:1755
return_from_execve+0x0/0x23
INFO: Slab 0xffffea0002e02900 objects=20 used=7 fp=0xffff8800b80a4660 flags=0x4000000000004080
INFO: Object 0xffff8800b80a6970 @offset=10608 fp=0x0000000f00000302

CPU: 1 PID: 3310 Comm: syzkaller154846 Tainted: G B 4.4.105-ge303a83 #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 4bb036a223f67d9f ffff8800b8167708 ffffffff81cc9b4f
ffff8800b80a4010 ffff8800b80a6970 ffff8800b8167738 ffffffff814d3af4
ffff8801da402a00 ffffea0002e02900 ffff8800b80a6970 0000000000000000
Call Trace:
[<ffffffff81cc9b4f>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81cc9b4f>] dump_stack+0x8e/0xcf lib/dump_stack.c:51
[<ffffffff814d3af4>] print_trailer+0x114/0x1a0 mm/slub.c:682
[<ffffffff814d945f>] object_err+0x2f/0x40 mm/slub.c:689
[<ffffffff814db1f7>] print_address_description mm/kasan/report.c:139 [inline]
[<ffffffff814db1f7>] kasan_report_error mm/kasan/report.c:237 [inline]
[<ffffffff814db1f7>] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
[<ffffffff814db760>] kasan_report+0x20/0x30 mm/kasan/report.c:249
[<ffffffff814da257>] check_memory_region mm/kasan/kasan.c:284 [inline]
[<ffffffff814da257>] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532
[<ffffffff814daa8d>] memcpy+0x1d/0x40 mm/kasan/kasan.c:317
[<ffffffff8340e624>] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline]
[<ffffffff8340e624>] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498
[<ffffffff834134bd>] pfkey_process+0x58d/0x900 net/key/af_key.c:2826
[<ffffffff83414feb>] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670
[<ffffffff82d94005>] sock_sendmsg_nosec net/socket.c:625 [inline]
[<ffffffff82d94005>] sock_sendmsg+0xb5/0xf0 net/socket.c:635
[<ffffffff82d95add>] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
[<ffffffff82d97863>] __sys_sendmsg+0xc3/0x160 net/socket.c:1995
[<ffffffff82d9790d>] SYSC_sendmsg net/socket.c:2006 [inline]
[<ffffffff82d9790d>] SyS_sendmsg+0xd/0x20 net/socket.c:2002
[<ffffffff8374ab36>] entry_SYSCALL_64_fastpath+0x16/0x76
Memory state around the buggy address:
ffff8800b80a6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8800b80a6a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8800b80a6b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches