KASAN: use-after-free Write in ip_check_defrag


syzbot

Apr 10, 2019, 8:00:14 PM4/10/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 2aee898f Merge 4.14.92 into android-4.14
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=127dbb9b400000
kernel config: https://syzkaller.appspot.com/x/.config?x=9ed317eef2eaa25
dashboard link: https://syzkaller.appspot.com/bug?extid=5d3fd175a41000b3bdc5
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1653b7bb400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17fb1b9b400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5d3fd1...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1547061050.992:7): avc: denied { map } for
pid=1771 comm="syz-executor180" path="/root/syz-executor180789414"
dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in skb_clear_hash include/linux/skbuff.h:1128 [inline]
BUG: KASAN: use-after-free in ip_check_defrag net/ipv4/ip_fragment.c:747 [inline]
BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523 net/ipv4/ip_fragment.c:712
Write of size 4 at addr ffff8881cfafd31c by task syz-executor180/1773

CPU: 0 PID: 1773 Comm: syz-executor180 Not tainted 4.14.92+ #4
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x10e lib/dump_stack.c:53
print_address_description+0x60/0x226 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0x88/0x2a5 mm/kasan/report.c:393

Allocated by task 1773:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc_node mm/slub.c:2723 [inline]
slab_alloc mm/slub.c:2731 [inline]
kmem_cache_alloc+0xd2/0x2d0 mm/slub.c:2736
skb_clone+0x126/0x310 net/core/skbuff.c:1278
skb_share_check include/linux/skbuff.h:1538 [inline]
ip_check_defrag net/ipv4/ip_fragment.c:734 [inline]
ip_check_defrag+0x2bc/0x523 net/ipv4/ip_fragment.c:712
packet_rcv_fanout+0x4d1/0x5e0 net/packet/af_packet.c:1463
deliver_skb net/core/dev.c:1881 [inline]
dev_queue_xmit_nit+0x21a/0x960 net/core/dev.c:1937

Freed by task 1773:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:524
slab_free_hook mm/slub.c:1389 [inline]
slab_free_freelist_hook mm/slub.c:1410 [inline]
slab_free mm/slub.c:2966 [inline]
kmem_cache_free+0xc4/0x330 mm/slub.c:2988
kfree_skbmem net/core/skbuff.c:582 [inline]
kfree_skbmem+0xa0/0x100 net/core/skbuff.c:576
__kfree_skb net/core/skbuff.c:642 [inline]
kfree_skb+0xcd/0x350 net/core/skbuff.c:659
ip_frag_queue net/ipv4/ip_fragment.c:507 [inline]
ip_defrag+0x5f4/0x3b50 net/ipv4/ip_fragment.c:699
ip_check_defrag net/ipv4/ip_fragment.c:745 [inline]
ip_check_defrag+0x39b/0x523 net/ipv4/ip_fragment.c:712
packet_rcv_fanout+0x4d1/0x5e0 net/packet/af_packet.c:1463
deliver_skb net/core/dev.c:1881 [inline]
dev_queue_xmit_nit+0x21a/0x960 net/core/dev.c:1937

The buggy address belongs to the object at ffff8881cfafd280
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 156 bytes inside of
224-byte region [ffff8881cfafd280, ffff8881cfafd360)
The buggy address belongs to the page:
page:ffffea00073ebf40 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000100(slab)
raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881cfafd200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881cfafd280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881cfafd300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff8881cfafd380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881cfafd400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 11, 2019, 4:44:37 AM4/11/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: ed0b11d2 Merge 4.9.149 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=120fad10c00000
kernel config: https://syzkaller.appspot.com/x/.config?x=593db1e2f5c3d537
dashboard link: https://syzkaller.appspot.com/bug?extid=fc5e94e70cb64d1042eb
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=142b5d80c00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10c18a4f400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fc5e94...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: crng init done
==================================================================
BUG: KASAN: use-after-free in skb_clear_hash include/linux/skbuff.h:1062 [inline]
BUG: KASAN: use-after-free in ip_check_defrag net/ipv4/ip_fragment.c:738 [inline]
BUG: KASAN: use-after-free in ip_check_defrag+0x571/0x5b0 net/ipv4/ip_fragment.c:703
Write of size 4 at addr ffff8801d26e6e5c by task syz-executor527/2206

CPU: 1 PID: 2206 Comm: syz-executor527 Not tainted 4.9.149+ #4
ffff8801cc03f658 ffffffff81b46481 0000000000000001 ffffea000749b980
ffff8801d26e6e5c 0000000000000004 ffffffff824a2fe1 ffff8801cc03f690
ffffffff815020d5 0000000000000001 ffff8801d26e6e5c ffff8801d26e6e5c
Call Trace:
[<ffffffff81b46481>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b46481>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff815020d5>] print_address_description+0x6f/0x238 mm/kasan/report.c:256
[<ffffffff8150232a>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff8150232a>] kasan_report mm/kasan/report.c:412 [inline]
[<ffffffff8150232a>] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:397
[<ffffffff814f45a7>] __asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:437
[<ffffffff824a2fe1>] skb_clear_hash include/linux/skbuff.h:1062 [inline]
[<ffffffff824a2fe1>] ip_check_defrag net/ipv4/ip_fragment.c:738 [inline]
[<ffffffff824a2fe1>] ip_check_defrag+0x571/0x5b0 net/ipv4/ip_fragment.c:703
[<ffffffff827d933e>] packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458
[<ffffffff822fac80>] dev_queue_xmit_nit+0x5e0/0x800 net/core/dev.c:1950
[<ffffffff823150a7>] xmit_one net/core/dev.c:2973 [inline]
[<ffffffff823150a7>] dev_hard_start_xmit+0xa7/0x8b0 net/core/dev.c:2993
[<ffffffff82316d53>] __dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473
[<ffffffff82317798>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
[<ffffffff827d31e8>] packet_snd net/packet/af_packet.c:2966 [inline]
[<ffffffff827d31e8>] packet_sendmsg+0x2778/0x4840 net/packet/af_packet.c:2991
[<ffffffff822a1dfe>] sock_sendmsg_nosec net/socket.c:648 [inline]
[<ffffffff822a1dfe>] sock_sendmsg+0xbe/0x110 net/socket.c:658
[<ffffffff822a5e01>] SYSC_sendto net/socket.c:1683 [inline]
[<ffffffff822a5e01>] SyS_sendto+0x201/0x340 net/socket.c:1651
[<ffffffff810056bd>] do_syscall_64+0x1ad/0x570 arch/x86/entry/common.c:285
[<ffffffff828146d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 2206:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:609
kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:594
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:547
slab_post_alloc_hook mm/slab.h:417 [inline]
slab_alloc_node mm/slub.c:2715 [inline]
slab_alloc mm/slub.c:2723 [inline]
kmem_cache_alloc+0xd5/0x2b0 mm/slub.c:2728
skb_clone+0x122/0x2a0 net/core/skbuff.c:1034
dev_queue_xmit_nit+0x2d2/0x800 net/core/dev.c:1919
xmit_one net/core/dev.c:2973 [inline]
dev_hard_start_xmit+0xa7/0x8b0 net/core/dev.c:2993
__dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473
dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
packet_snd net/packet/af_packet.c:2966 [inline]
packet_sendmsg+0x2778/0x4840 net/packet/af_packet.c:2991
sock_sendmsg_nosec net/socket.c:648 [inline]
sock_sendmsg+0xbe/0x110 net/socket.c:658
SYSC_sendto net/socket.c:1683 [inline]
SyS_sendto+0x201/0x340 net/socket.c:1651
do_syscall_64+0x1ad/0x570 arch/x86/entry/common.c:285
entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 2206:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:582
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kmem_cache_free+0xbe/0x310 mm/slub.c:2980
kfree_skbmem+0x9f/0x100 net/core/skbuff.c:623
__kfree_skb net/core/skbuff.c:685 [inline]
kfree_skb+0xd4/0x350 net/core/skbuff.c:705
ip_frag_queue net/ipv4/ip_fragment.c:505 [inline]
ip_defrag+0x620/0x3bc0 net/ipv4/ip_fragment.c:690
ip_check_defrag net/ipv4/ip_fragment.c:736 [inline]
ip_check_defrag+0x3d6/0x5b0 net/ipv4/ip_fragment.c:703
packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458
dev_queue_xmit_nit+0x5e0/0x800 net/core/dev.c:1950
xmit_one net/core/dev.c:2973 [inline]
dev_hard_start_xmit+0xa7/0x8b0 net/core/dev.c:2993
__dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473
dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
packet_snd net/packet/af_packet.c:2966 [inline]
packet_sendmsg+0x2778/0x4840 net/packet/af_packet.c:2991
sock_sendmsg_nosec net/socket.c:648 [inline]
sock_sendmsg+0xbe/0x110 net/socket.c:658
SYSC_sendto net/socket.c:1683 [inline]
SyS_sendto+0x201/0x340 net/socket.c:1651
do_syscall_64+0x1ad/0x570 arch/x86/entry/common.c:285
entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the object at ffff8801d26e6dc0
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 156 bytes inside of
224-byte region [ffff8801d26e6dc0, ffff8801d26e6ea0)
The buggy address belongs to the page:
page:ffffea000749b980 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801d26e6d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff8801d26e6d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ffff8801d26e6e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801d26e6e80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801d26e6f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc