KASAN: slab-out-of-bounds Read in string


syzbot

Apr 12, 2019, 8:00:37 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: e9dabe69 Merge 4.9.78 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=14f56c15800000
kernel config: https://syzkaller.appspot.com/x/.config?x=17a1b85c764db343
dashboard link: https://syzkaller.appspot.com/bug?extid=73f69d5e72ddfb632a22
compiler: gcc (GCC) 7.1.1 20170620
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17c29745800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10053d05800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+73f69d...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in string+0x1e8/0x200 lib/vsprintf.c:592
Read of size 1 at addr ffff8801c8ea9350 by task syzkaller453322/3332

CPU: 1 PID: 3332 Comm: syzkaller453322 Not tainted 4.9.78-ge9dabe6 #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801c16f7740 ffffffff81d943a9 ffffea000723aa40 ffff8801c8ea9350
0000000000000000 ffff8801c8ea9350 ffff8801c16f799c ffff8801c16f7778
ffffffff8153dc23 ffff8801c8ea9350 0000000000000001 0000000000000000
Call Trace:
[<ffffffff81d943a9>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81d943a9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff8153dc23>] print_address_description+0x73/0x280 mm/kasan/report.c:252
[<ffffffff8153e145>] kasan_report_error mm/kasan/report.c:351 [inline]
[<ffffffff8153e145>] kasan_report+0x275/0x360 mm/kasan/report.c:408
[<ffffffff8153e244>] __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:426
[<ffffffff81db6388>] string+0x1e8/0x200 lib/vsprintf.c:592
[<ffffffff81dbf31d>] vsnprintf+0x7ad/0x16d0 lib/vsprintf.c:2044
[<ffffffff8117a65f>] __request_module+0x14f/0x750 kernel/kmod.c:146
[<ffffffff8313beeb>] xt_request_find_target+0x8b/0xb0 net/netfilter/x_tables.c:256
[<ffffffff8338465a>] find_check_entry net/ipv4/netfilter/ip_tables.c:567 [inline]
[<ffffffff8338465a>] translate_table+0x177a/0x1e30 net/ipv4/netfilter/ip_tables.c:745
[<ffffffff810002b8>] ? 0xffffffff810002b8
[<ffffffff83386eee>] do_replace net/ipv4/netfilter/ip_tables.c:1151 [inline]
[<ffffffff83386eee>] do_ipt_set_ctl+0x2be/0x470 net/ipv4/netfilter/ip_tables.c:1687
[<ffffffff830a1a67>] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
[<ffffffff830a1a67>] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
[<ffffffff83211b81>] ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1248
[<ffffffff832bf075>] udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2083
[<ffffffff82ede275>] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
[<ffffffff82edb230>] SYSC_setsockopt net/socket.c:1772 [inline]
[<ffffffff82edb230>] SyS_setsockopt+0x160/0x250 net/socket.c:1751
[<ffffffff838b2c6e>] entry_SYSCALL_64_fastpath+0x29/0xe8

Allocated by task 3332:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:505
set_track mm/kasan/kasan.c:517 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609
__kmalloc+0x11d/0x310 mm/slub.c:3741
kmalloc include/linux/slab.h:495 [inline]
xt_alloc_table_info+0x71/0x100 net/netfilter/x_tables.c:959
do_replace net/ipv4/netfilter/ip_tables.c:1140 [inline]
do_ipt_set_ctl+0x242/0x470 net/ipv4/netfilter/ip_tables.c:1687
nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1248
udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2083
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
SYSC_setsockopt net/socket.c:1772 [inline]
SyS_setsockopt+0x160/0x250 net/socket.c:1751
entry_SYSCALL_64_fastpath+0x29/0xe8

Freed by task 1915:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:505
set_track mm/kasan/kasan.c:517 [inline]
kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kfree+0x103/0x300 mm/slub.c:3878
free_bprm+0x19d/0x200 fs/exec.c:1395
do_execveat_common.isra.37+0x17df/0x1f10 fs/exec.c:1795
do_execve fs/exec.c:1830 [inline]
SYSC_execve fs/exec.c:1911 [inline]
SyS_execve+0x42/0x50 fs/exec.c:1906
do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280
return_from_SYSCALL_64+0x0/0x7e

The buggy address belongs to the object at ffff8801c8ea9280
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 208 bytes inside of
256-byte region [ffff8801c8ea9280, ffff8801c8ea9380)
The buggy address belongs to the page:
page:ffffea000723aa40 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x8000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801c8ea9200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8801c8ea9280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8801c8ea9300: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
^
ffff8801c8ea9380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff8801c8ea9400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches