KASAN: slab-out-of-bounds Read in ip6_tnl_parse_tlv_enc_lim

syzbot

Apr 13, 2019, 8:02:20 PM4/13/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: a3ac63b1 Revert "FROMGIT: crypto: speck - add support for ..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=10bf1f95400000
kernel config: https://syzkaller.appspot.com/x/.config?x=7acec4778e485bac
dashboard link: https://syzkaller.appspot.com/bug?extid=d3016cc4c37e33afef3e
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d3016c...@syzkaller.appspotmail.com

audit: type=1400 audit(2000000314.075:81743): avc: denied { search } for
pid=190 comm="udevd" name="/" dev="sysfs" ino=1
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=dir permissive=1
audit: type=1400 audit(2000000314.085:81744): avc: denied { search } for
pid=31620 comm="udevd" name="/" dev="sysfs" ino=1
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=dir permissive=1
protocol 86dd is buggy, dev ip6tnl1
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_tnl_parse_tlv_enc_lim+0x4b7/0x550
net/ipv6/ip6_tunnel.c:449
Read of size 1 at addr ffff88019ba78487 by task syz-executor4/9164

CPU: 1 PID: 9164 Comm: syz-executor4 Not tainted 4.14.78+ #23
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
print_address_description+0x60/0x22b mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
ip6_tnl_parse_tlv_enc_lim+0x4b7/0x550 net/ipv6/ip6_tunnel.c:449
ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1339 [inline]
ip6_tnl_start_xmit+0xfe5/0x1aa0 net/ipv6/ip6_tunnel.c:1403
__netdev_start_xmit include/linux/netdevice.h:4030 [inline]
netdev_start_xmit include/linux/netdevice.h:4039 [inline]
xmit_one net/core/dev.c:3009 [inline]
dev_hard_start_xmit+0x191/0x890 net/core/dev.c:3025
__dev_queue_xmit+0x13d9/0x1f40 net/core/dev.c:3525
__bpf_tx_skb net/core/filter.c:1708 [inline]
__bpf_redirect_common net/core/filter.c:1746 [inline]
__bpf_redirect+0x5b0/0x990 net/core/filter.c:1753
____bpf_clone_redirect net/core/filter.c:1786 [inline]
bpf_clone_redirect+0x1d4/0x2b0 net/core/filter.c:1758
___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012

Allocated by task 9164:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551
__kmalloc+0x153/0x340 mm/slub.c:3760
kmalloc include/linux/slab.h:493 [inline]
kzalloc include/linux/slab.h:661 [inline]
bpf_test_init.isra.1+0x52/0xc0 net/bpf/test_run.c:81
bpf_prog_test_run_skb+0xfb/0x8c0 net/bpf/test_run.c:103
bpf_prog_test_run kernel/bpf/syscall.c:1330 [inline]
SYSC_bpf kernel/bpf/syscall.c:1602 [inline]
SyS_bpf+0x79d/0x3640 kernel/bpf/syscall.c:1547
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 8044:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524
slab_free_hook mm/slub.c:1389 [inline]
slab_free_freelist_hook mm/slub.c:1410 [inline]
slab_free mm/slub.c:2966 [inline]
kfree+0xf5/0x310 mm/slub.c:3897
skb_free_head+0x83/0xa0 net/core/skbuff.c:550
skb_release_data+0x495/0x610 net/core/skbuff.c:570
skb_release_all+0x46/0x60 net/core/skbuff.c:627
__kfree_skb net/core/skbuff.c:641 [inline]
consume_skb+0xc1/0x330 net/core/skbuff.c:701
netlink_broadcast_filtered+0x2b7/0xa30 net/netlink/af_netlink.c:1488
kobject_uevent_env+0x793/0xc40 lib/kobject_uevent.c:492
loop_clr_fd+0x49f/0xac0 drivers/block/loop.c:1059
lo_ioctl+0x6e6/0x17d0 drivers/block/loop.c:1383
__blkdev_driver_ioctl block/ioctl.c:297 [inline]
blkdev_ioctl+0x57d/0x18c0 block/ioctl.c:594
block_ioctl+0xd9/0x120 fs/block_dev.c:1873
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff88019ba78280
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 7 bytes to the right of
512-byte region [ffff88019ba78280, ffff88019ba78480)
The buggy address belongs to the page:
page:ffffea00066e9e00 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x4000000000008100(slab|head)
raw: 4000000000008100 0000000000000000 0000000000000000 00000001000c000c
raw: ffffea000679b200 0000000a0000000a ffff8801da802c00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88019ba78380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88019ba78400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff88019ba78480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88019ba78500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88019ba78580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Apr 27, 2019, 8:03:04 PM4/27/19
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.