KASAN: use-after-free Write in skb_release_data
19 views
Skip to first unread message
syzbot
Jul 29, 2019, 11:00:06 AM7/29/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 54fa720a ANDROID: xfrm: remove in_compat_syscall() checks
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=17fceb64600000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d1497d4b2cea8f4
dashboard link: https://syzkaller.appspot.com/bug?extid=da67ebd08c9fcf9dee54
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+da67eb...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in atomic_sub_return
include/asm-generic/atomic-instrumented.h:258 [inline]
BUG: KASAN: use-after-free in skb_release_data+0x101/0x770
net/core/skbuff.c:563
Write of size 4 at addr ffff8881cafdd764 by task syz-executor.5/8657
CPU: 0 PID: 8657 Comm: syz-executor.5 Not tainted 4.14.134+ #22
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xca/0x134 lib/dump_stack.c:53
print_address_description+0x60/0x226 mm/kasan/report.c:187
__kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
Allocated by task 8657:
save_stack mm/kasan/common.c:76 [inline]
set_track mm/kasan/common.c:85 [inline]
__kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:495
netlink: 20 bytes leftover after parsing attributes in process
`syz-executor.3'.
slab_post_alloc_hook mm/slab.h:439 [inline]
slab_alloc_node mm/slub.c:2758 [inline]
slab_alloc mm/slub.c:2766 [inline]
__kmalloc_track_caller+0xf1/0x310 mm/slub.c:4333
netlink: 20 bytes leftover after parsing attributes in process
`syz-executor.3'.
__kmalloc_reserve.isra.0+0x2d/0xc0 net/core/skbuff.c:137
__alloc_skb+0x118/0x5c0 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:980 [inline]
sock_wmalloc+0xb6/0x110 net/core/sock.c:1925
packet_sendmsg_spkt+0x3bb/0x1210 net/packet/af_packet.c:1962
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb7/0x100 net/socket.c:656
___sys_sendmsg+0x752/0x890 net/socket.c:2062
__sys_sendmsg+0xb6/0x150 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
0xffffffffffffffff
Freed by task 8657:
save_stack mm/kasan/common.c:76 [inline]
set_track mm/kasan/common.c:85 [inline]
__kasan_slab_free+0x164/0x210 mm/kasan/common.c:457
slab_free_hook mm/slub.c:1403 [inline]
slab_free_freelist_hook mm/slub.c:1430 [inline]
slab_free mm/slub.c:3005 [inline]
kfree+0xfa/0x320 mm/slub.c:3942
skb_free_head+0x83/0xa0 net/core/skbuff.c:554
skb_release_data+0x4e5/0x770 net/core/skbuff.c:574
skb_release_all+0x46/0x60 net/core/skbuff.c:631
__kfree_skb net/core/skbuff.c:645 [inline]
consume_skb+0xdc/0x360 net/core/skbuff.c:705
packet_rcv+0xdf/0x1290 net/packet/af_packet.c:2178
dev_queue_xmit_nit+0x6e1/0x970 net/core/dev.c:1975
0xffffffffffffffff
The buggy address belongs to the object at ffff8881cafdd680
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 228 bytes inside of
512-byte region [ffff8881cafdd680, ffff8881cafdd880)
The buggy address belongs to the page:
page:ffffea00072bf700 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
raw: ffffea00068a1a80 0000000800000008 ffff8881da802c00 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881cafdd600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881cafdd680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881cafdd700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881cafdd780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881cafdd800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 54fa720a ANDROID: xfrm: remove in_compat_syscall() checks
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=17fceb64600000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d1497d4b2cea8f4
dashboard link: https://syzkaller.appspot.com/bug?extid=da67ebd08c9fcf9dee54
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+da67eb...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in atomic_sub_return
include/asm-generic/atomic-instrumented.h:258 [inline]
BUG: KASAN: use-after-free in skb_release_data+0x101/0x770
net/core/skbuff.c:563
Write of size 4 at addr ffff8881cafdd764 by task syz-executor.5/8657
CPU: 0 PID: 8657 Comm: syz-executor.5 Not tainted 4.14.134+ #22
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xca/0x134 lib/dump_stack.c:53
print_address_description+0x60/0x226 mm/kasan/report.c:187
__kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
Allocated by task 8657:
save_stack mm/kasan/common.c:76 [inline]
set_track mm/kasan/common.c:85 [inline]
__kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:495
netlink: 20 bytes leftover after parsing attributes in process
`syz-executor.3'.
slab_post_alloc_hook mm/slab.h:439 [inline]
slab_alloc_node mm/slub.c:2758 [inline]
slab_alloc mm/slub.c:2766 [inline]
__kmalloc_track_caller+0xf1/0x310 mm/slub.c:4333
netlink: 20 bytes leftover after parsing attributes in process
`syz-executor.3'.
__kmalloc_reserve.isra.0+0x2d/0xc0 net/core/skbuff.c:137
__alloc_skb+0x118/0x5c0 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:980 [inline]
sock_wmalloc+0xb6/0x110 net/core/sock.c:1925
packet_sendmsg_spkt+0x3bb/0x1210 net/packet/af_packet.c:1962
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb7/0x100 net/socket.c:656
___sys_sendmsg+0x752/0x890 net/socket.c:2062
__sys_sendmsg+0xb6/0x150 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
0xffffffffffffffff
Freed by task 8657:
save_stack mm/kasan/common.c:76 [inline]
set_track mm/kasan/common.c:85 [inline]
__kasan_slab_free+0x164/0x210 mm/kasan/common.c:457
slab_free_hook mm/slub.c:1403 [inline]
slab_free_freelist_hook mm/slub.c:1430 [inline]
slab_free mm/slub.c:3005 [inline]
kfree+0xfa/0x320 mm/slub.c:3942
skb_free_head+0x83/0xa0 net/core/skbuff.c:554
skb_release_data+0x4e5/0x770 net/core/skbuff.c:574
skb_release_all+0x46/0x60 net/core/skbuff.c:631
__kfree_skb net/core/skbuff.c:645 [inline]
consume_skb+0xdc/0x360 net/core/skbuff.c:705
packet_rcv+0xdf/0x1290 net/packet/af_packet.c:2178
dev_queue_xmit_nit+0x6e1/0x970 net/core/dev.c:1975
0xffffffffffffffff
The buggy address belongs to the object at ffff8881cafdd680
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 228 bytes inside of
512-byte region [ffff8881cafdd680, ffff8881cafdd880)
The buggy address belongs to the page:
page:ffffea00072bf700 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
raw: ffffea00068a1a80 0000000800000008 ffff8881da802c00 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881cafdd600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881cafdd680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881cafdd700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881cafdd780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881cafdd800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Feb 13, 2020, 8:09:07 AM2/13/20
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages