KASAN: stack-out-of-bounds Read in xfrm_selector_match


syzbot
Apr 11, 2019, 4:44:49 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 38f41ec1 Merge 4.4.125 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=14d7c6bb800000
kernel config: https://syzkaller.appspot.com/x/.config?x=d3227609e1874daa
dashboard link: https://syzkaller.appspot.com/bug?extid=c8463c5b3015c191734e
compiler: gcc (GCC) 7.1.1 20170620
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14f4472b800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=168fd7db800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c8463c...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read, 101 bits of entropy available)
random: sshd: uninitialized urandom read (32 bytes read, 104 bits of entropy available)
random: sshd: uninitialized urandom read (32 bytes read, 111 bits of entropy available)
==================================================================
BUG: KASAN: stack-out-of-bounds in memcmp+0x126/0x160 lib/string.c:742
Read of size 1 at addr ffff8801c87678e0 by task syzkaller311351/3732

CPU: 1 PID: 3732 Comm: syzkaller311351 Not tainted 4.4.125-g38f41ec #63
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 847c5155748e9cda ffff8801c8767418 ffffffff81d067bd
ffffea000721d9c0 ffff8801c87678e0 0000000000000000 ffff8801c87678e0
ffff8801c87678c8 ffff8801c8767450 ffffffff814fea83 ffff8801c87678e0
Call Trace:
[<ffffffff81d067bd>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81d067bd>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff814fea83>] print_address_description+0x73/0x260 mm/kasan/report.c:252
[<ffffffff814fef95>] kasan_report_error mm/kasan/report.c:351 [inline]
[<ffffffff814fef95>] kasan_report+0x285/0x370 mm/kasan/report.c:408
[<ffffffff814ff094>] __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:426
[<ffffffff81d22bd6>] memcmp+0x126/0x160 lib/string.c:742
[<ffffffff832ae477>] addr_match include/net/xfrm.h:837 [inline]
[<ffffffff832ae477>] __xfrm6_selector_match net/xfrm/xfrm_policy.c:81 [inline]
[<ffffffff832ae477>] xfrm_selector_match+0x1c7/0xe50 net/xfrm/xfrm_policy.c:95
[<ffffffff832af253>] xfrm_sk_policy_lookup+0x153/0x360 net/xfrm/xfrm_policy.c:1236
[<ffffffff832b1fee>] xfrm_lookup+0x1be/0xc10 net/xfrm/xfrm_policy.c:2184
[<ffffffff832b3949>] xfrm_lookup_route+0x39/0x1a0 net/xfrm/xfrm_policy.c:2318
[<ffffffff833084d4>] ip6_dst_lookup_flow+0x1b4/0x2e0 net/ipv6/ip6_output.c:1070
[<ffffffff833ae37e>] tcp_v6_connect+0xade/0x1b90 net/ipv6/tcp_ipv6.c:249
[<ffffffff831d6e26>] __inet_stream_connect+0x2a6/0xc70 net/ipv4/af_inet.c:615
[<ffffffff83126e11>] tcp_sendmsg_fastopen net/ipv4/tcp.c:1092 [inline]
[<ffffffff83126e11>] tcp_sendmsg+0xcc1/0x2b10 net/ipv4/tcp.c:1112
[<ffffffff831dde2c>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
[<ffffffff82df168a>] sock_sendmsg_nosec net/socket.c:625 [inline]
[<ffffffff82df168a>] sock_sendmsg+0xca/0x110 net/socket.c:635
[<ffffffff82df25d8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
[<ffffffff82df4ad0>] SyS_sendto+0x40/0x50 net/socket.c:1633
[<ffffffff83779965>] entry_SYSCALL_64_fastpath+0x22/0x9e

The buggy address belongs to the page:
page:ffffea000721d9c0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x8000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c8767780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801c8767800: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f2 f2
>ffff8801c8767880: f2 f2 00 00 00 00 00 00 00 00 00 00 f2 f2 00 00
                                                       ^
 ffff8801c8767900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801c8767980: 00 00 00 f1 f1 f1 f1 00 00 00 00 00 f2 f2 f2 00
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches