[syzbot] [net?] KASAN: use-after-free Read in __skb_flow_dissect (3)


syzbot

Jan 1, 2024, 12:18:18 PM
to da...@davemloft.net, edum...@google.com, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1650e3d9e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=da1c95d4e55dda83
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17e61d95e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=122dfc65e80000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-f5837722.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/148f0f94b7b6/vmlinux-f5837722.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d63ba20405f3/bzImage-f5837722.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bfde3b...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
Read of size 1 at addr ffff88812fb4000e by task syz-executor183/5191

CPU: 1 PID: 5191 Comm: syz-executor183 Not tainted 6.7.0-rc7-syzkaller-00016-gf5837722ffec #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
__skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]
___skb_get_hash net/core/flow_dissector.c:1791 [inline]
__skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856
skb_get_hash include/linux/skbuff.h:1556 [inline]
ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748
ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308
__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
netdev_start_xmit include/linux/netdevice.h:4954 [inline]
xmit_one net/core/dev.c:3548 [inline]
dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564
__dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349
dev_queue_xmit include/linux/netdevice.h:3134 [inline]
neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592
neigh_output include/net/neighbour.h:542 [inline]
ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235
__ip_finish_output net/ipv4/ip_output.c:313 [inline]
__ip_finish_output+0x38b/0x650 net/ipv4/ip_output.c:295
ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip_mc_output+0x1dd/0x6a0 net/ipv4/ip_output.c:420
dst_output include/net/dst.h:451 [inline]
ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129
iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831
ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665
__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
netdev_start_xmit include/linux/netdevice.h:4954 [inline]
xmit_one net/core/dev.c:3548 [inline]
dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564
__dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349
dev_queue_xmit include/linux/netdevice.h:3134 [inline]
__bpf_tx_skb net/core/filter.c:2133 [inline]
__bpf_redirect_no_mac net/core/filter.c:2163 [inline]
__bpf_redirect+0x6f1/0xf10 net/core/filter.c:2186
____bpf_clone_redirect net/core/filter.c:2457 [inline]
bpf_clone_redirect+0x2b2/0x420 net/core/filter.c:2429
___bpf_prog_run+0x3e44/0xabc0 kernel/bpf/core.c:1962
__bpf_prog_run512+0xb7/0xf0 kernel/bpf/core.c:2203
bpf_dispatcher_nop_func include/linux/bpf.h:1196 [inline]
__bpf_prog_run include/linux/filter.h:651 [inline]
bpf_prog_run include/linux/filter.h:658 [inline]
bpf_test_run+0x3d3/0x9c0 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0xb75/0x1dd0 net/bpf/test_run.c:1045
bpf_prog_test_run kernel/bpf/syscall.c:4040 [inline]
__sys_bpf+0x11bf/0x4910 kernel/bpf/syscall.c:5401
__do_sys_bpf kernel/bpf/syscall.c:5487 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5485 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5485
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f8b086e9d69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff09b0b818 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8b086e9d69
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000
R10: 0000000100000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>

The buggy address belongs to the physical page:
page:ffffea0004bed000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12fb40
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0004bed008 ffffea0004bed008 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff88812fb3ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88812fb3ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88812fb40000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88812fb40080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88812fb40100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
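The faulting access in the report above is a one-byte read at offset 0xe into a page that the dump says has refcount:0. 0xe is 14, the length of an Ethernet header, and a single-byte read there is consistent with the version/IHL byte that flow_dissector.c:1170 tests right after the `__skb_header_pointer()` lookup of an IPv4 header. The test patches later in this thread move between that copying accessor (`__skb_header_pointer()`/`skb_header_pointer()`) and the linearising checks (`pskb_inet_may_pull()`/`pskb_network_may_pull()`), so it is worth being precise about what each one does and does not guarantee. The C below is an added user-space model written for this page; it is not kernel code and nothing in it comes from the thread. All `model_*` names are stand-ins for the kernel helpers they are named after, and the 48-byte frame (Ethernet header, IPv4 header with IHL 5 and protocol 17, some payload, with only the first 24 bytes linear) is constructed for the example.

```c
/* Added example: editor's user-space model of three sk_buff helpers; model_* are not kernel symbols. */
#include <stddef.h>
#include <string.h>

#define ETH_HLEN 14
#define IPHDR_LEN 20

struct model_skb {
	unsigned char linear[64];	/* skb->head .. skb->end */
	size_t headlen;			/* skb_headlen(): bytes in the linear area */
	unsigned char frag[64];		/* paged data, reachable only by copying */
	size_t fraglen;
	size_t len;			/* skb->len = headlen + fraglen */
};

/* skb_copy_bits(): gather len bytes at off across the linear and paged parts. */
static int model_copy_bits(const struct model_skb *skb, size_t off, void *to, size_t len)
{
	unsigned char *dst = to;
	size_t avail = off < skb->headlen ? skb->headlen - off : 0;	/* linear bytes on offer */
	size_t n = avail < len ? avail : len;
	if (off + len > skb->len)
		return -1;				/* -EFAULT in the kernel */
	memcpy(dst, skb->linear + off, n);
	if (n < len)
		memcpy(dst + n, skb->frag + (off + n - skb->headlen), len - n);
	return 0;
}

/* __skb_header_pointer(): data+off when [off,off+len) fits [data,data+hlen), else a copy into buffer. */
static const void *model_header_pointer(const struct model_skb *skb, size_t off, size_t len,
					const unsigned char *data, size_t hlen, void *buffer)
{
	if (off + len <= hlen)
		return data + off;		/* trusts data/hlen; skb is not consulted */
	if (!skb || model_copy_bits(skb, off, buffer, len) < 0)
		return NULL;
	return buffer;
}

/* pskb_may_pull(): make len bytes linear by moving paged bytes in (the kernel may realloc skb->head). */
static int model_may_pull(struct model_skb *skb, size_t len)
{
	size_t need = len > skb->headlen ? len - skb->headlen : 0;
	if (!need)
		return 1;				/* already linear: memory is not touched */
	if (len > skb->len || len > sizeof(skb->linear))
		return 0;
	memcpy(skb->linear + skb->headlen, skb->frag, need);
	memmove(skb->frag, skb->frag + need, skb->fraglen - need);
	skb->headlen += need;
	skb->fraglen -= need;
	return 1;
}

/* Constructed frame: Ethernet(14) + IPv4(20, ihl 5, proto 17) + 14 payload; only 24 bytes linear. */
static void model_build_frame(struct model_skb *skb)
{
	unsigned char frame[48] = {0};
	frame[ETH_HLEN] = 0x45;
	frame[ETH_HLEN + 9] = 17;
	memset(skb, 0, sizeof(*skb));
	skb->headlen = ETH_HLEN + 10;	/* IPv4 header straddles the linear/paged boundary */
	memcpy(skb->linear, frame, skb->headlen);
	skb->fraglen = sizeof(frame) - skb->headlen;
	memcpy(skb->frag, frame + skb->headlen, skb->fraglen);
	skb->len = sizeof(frame);
}

/* Honest window (skb->data, skb_headlen()): the straddling header is copied. Returns ihl. */
static int model_ihl_via_copy(void)
{
	struct model_skb skb; unsigned char _iph[IPHDR_LEN]; const unsigned char *iph;
	model_build_frame(&skb);
	iph = model_header_pointer(&skb, ETH_HLEN, IPHDR_LEN, skb.linear, skb.headlen, _iph);
	return iph == _iph ? (iph[0] & 0x0f) : -1;
}

/* Over-stated hlen: the range check passes and a direct pointer comes back although
 * 10 of its 20 bytes are not linear. Deliberately not dereferenced. */
static int model_direct_pointer_with_bad_hlen(void)
{
	struct model_skb skb; unsigned char _iph[IPHDR_LEN]; const unsigned char *iph;
	model_build_frame(&skb);
	iph = model_header_pointer(&skb, ETH_HLEN, IPHDR_LEN, skb.linear, skb.headlen + 16, _iph);
	return iph == skb.linear + ETH_HLEN;
}

/* Pull first: the direct pointer is now backed by linear bytes. Returns the protocol byte. */
static int model_proto_after_pull(void)
{
	struct model_skb skb; unsigned char _iph[IPHDR_LEN]; const unsigned char *iph;
	model_build_frame(&skb);
	if (!model_may_pull(&skb, ETH_HLEN + IPHDR_LEN))
		return -1;
	iph = model_header_pointer(&skb, ETH_HLEN, IPHDR_LEN, skb.linear, skb.headlen, _iph);
	return iph == skb.linear + ETH_HLEN ? iph[9] : -2;
}
```

The `model_direct_pointer_with_bad_hlen()` case is the one that bears on this report: the accessor's range check only compares offsets against the `data`/`hlen` window it is handed, so it cannot tell whether the bytes behind `data` are live memory, and it stands in for any situation where `skb->data`/`skb_headlen()` describe memory that is no longer there. The pull helpers are no better placed, since `pskb_may_pull()` returns immediately when `len <= skb_headlen(skb)` without touching the data at all, which is why adding a check at each reader can only move such a fault rather than remove it.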

Hillf Danton

Jan 17, 2024, 6:23:37 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=122dfc65e80000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/net/ipv4/ipip.c
+++ y/net/ipv4/ipip.c
@@ -277,8 +277,9 @@ static netdev_tx_t ipip_tunnel_xmit(stru
struct ip_tunnel *tunnel = netdev_priv(dev);
const struct iphdr *tiph = &tunnel->parms.iph;
u8 ipproto;
+ int pull_len = tunnel->hlen + sizeof(struct iphdr);

- if (!pskb_inet_may_pull(skb))
+ if (!pskb_network_may_pull(skb, pull_len))
goto tx_error;

switch (skb->protocol) {
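Review bot: pull_len is the wrong quantity for this check. tunnel->hlen is the length of the outer encapsulation header(s) this device will prepend, while pskb_network_may_pull() counts bytes after the inner packet's network header, so adding the two together has no meaning here; and a fixed sizeof(struct iphdr) ignores that the switch (skb->protocol) that follows also accepts non-IPv4 inner packets, which pskb_inet_may_pull() already sizes per protocol. The test result below also shows why no pull length can help: the faulting address sits on a page the report dumps with refcount:0, and pskb_network_may_pull() returns true without touching memory whenever the linear area already claims to hold enough bytes, so the same one-byte read in __skb_flow_dissect fires again (now via ipip.c:309).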
--

syzbot

Jan 17, 2024, 6:58:08 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in __skb_flow_dissect

==================================================================
BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
Read of size 1 at addr ffff88812fa2000e by task syz-executor.0/5486

CPU: 2 PID: 5486 Comm: syz-executor.0 Not tainted 6.7.0-syzkaller-g052d534373b7-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:488
kasan_report+0xda/0x110 mm/kasan/report.c:601
__skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
skb_flow_dissect_flow_keys include/linux/skbuff.h:1524 [inline]
___skb_get_hash net/core/flow_dissector.c:1791 [inline]
__skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856
skb_get_hash include/linux/skbuff.h:1566 [inline]
ip_tunnel_xmit+0x1843/0x33b0 net/ipv4/ip_tunnel.c:748
ipip_tunnel_xmit+0x3da/0x450 net/ipv4/ipip.c:309
__netdev_start_xmit include/linux/netdevice.h:4989 [inline]
netdev_start_xmit include/linux/netdevice.h:5003 [inline]
xmit_one net/core/dev.c:3547 [inline]
dev_hard_start_xmit+0x137/0x6d0 net/core/dev.c:3563
__dev_queue_xmit+0x7b6/0x3ed0 net/core/dev.c:4351
dev_queue_xmit include/linux/netdevice.h:3171 [inline]
neigh_connected_output+0x426/0x5d0 net/core/neighbour.c:1592
neigh_output include/net/neighbour.h:542 [inline]
ip_finish_output2+0x82d/0x2540 net/ipv4/ip_output.c:235
__ip_finish_output net/ipv4/ip_output.c:313 [inline]
__ip_finish_output+0x38b/0x650 net/ipv4/ip_output.c:295
ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip_mc_output+0x1dd/0x6a0 net/ipv4/ip_output.c:420
dst_output include/net/dst.h:451 [inline]
ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129
iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
ip_tunnel_xmit+0x1daa/0x33b0 net/ipv4/ip_tunnel.c:831
ipgre_xmit+0x49b/0x980 net/ipv4/ip_gre.c:665
__netdev_start_xmit include/linux/netdevice.h:4989 [inline]
netdev_start_xmit include/linux/netdevice.h:5003 [inline]
xmit_one net/core/dev.c:3547 [inline]
dev_hard_start_xmit+0x137/0x6d0 net/core/dev.c:3563
__dev_queue_xmit+0x7b6/0x3ed0 net/core/dev.c:4351
dev_queue_xmit include/linux/netdevice.h:3171 [inline]
__bpf_tx_skb net/core/filter.c:2135 [inline]
__bpf_redirect_no_mac net/core/filter.c:2165 [inline]
__bpf_redirect+0x6f1/0xf10 net/core/filter.c:2188
____bpf_clone_redirect net/core/filter.c:2459 [inline]
bpf_clone_redirect+0x2b2/0x420 net/core/filter.c:2431
___bpf_prog_run+0x3e44/0xabc0 kernel/bpf/core.c:1986
__bpf_prog_run512+0xb7/0xf0 kernel/bpf/core.c:2227
bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
__bpf_prog_run include/linux/filter.h:651 [inline]
bpf_prog_run include/linux/filter.h:658 [inline]
bpf_test_run+0x3d3/0x9c0 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0xb75/0x1dd0 net/bpf/test_run.c:1056
bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
__sys_bpf+0x11bf/0x4a00 kernel/bpf/syscall.c:5475
__do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5559
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f0d1707cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0d17d400c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f0d1719bf80 RCX: 00007f0d1707cce9
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007f0d170c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f0d1719bf80 R15: 00007ffe9da52338
</TASK>

The buggy address belongs to the physical page:
page:ffffea0004be8800 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12fa20
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0004be8808 ffffea0004be8808 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff88812fa1ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88812fa1ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88812fa20000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88812fa20080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88812fa20100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit: 052d5343 Merge tag 'exfat-for-6.8-rc1' of git://git.ke..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=15f97d0be80000
kernel config: https://syzkaller.appspot.com/x/.config?x=f882e406a6225284
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13f77913e80000

Hillf Danton

Jan 17, 2024, 8:14:43 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
--- x/net/core/flow_dissector.c
+++ y/net/core/flow_dissector.c
@@ -1164,9 +1164,11 @@ proto_again:
switch (proto) {
case htons(ETH_P_IP): {
const struct iphdr *iph;
- struct iphdr _iph;

- iph = __skb_header_pointer(skb, nhoff, sizeof(_iph), data, hlen, &_iph);
+ if (pskb_network_may_pull(skb, sizeof(struct iphdr)))
+ iph = skb_network_header(skb);
+ else
+ iph = NULL;
if (!iph || iph->ihl < 5) {
fdret = FLOW_DISSECT_RET_OUT_BAD;
break;
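Review bot: the new assignment does not compile as written: skb_network_header() returns unsigned char *, so storing it in a const struct iphdr * needs a cast (syzbot's build failure below reports exactly this at flow_dissector.c:1169). The replacement also changes what is looked up. The original reads sizeof(_iph) bytes at nhoff from the data/hlen window, and nhoff advances as the dissector walks encapsulations back through proto_again, whereas skb_network_header(skb) is fixed, so for anything but the outermost IPv4 header this parses the wrong bytes. The data/hlen pair exists so the dissector can run over a buffer other than skb->data, with skb NULL on that path, where pskb_network_may_pull(skb, ...) would dereference NULL; and a pull that reallocates skb->head leaves the data pointer the function captured earlier stale.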
--

syzbot

Jan 17, 2024, 8:35:08 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

net/core/flow_dissector.c:1169:29: error: assignment to 'const struct iphdr *' from incompatible pointer type 'unsigned char *' [-Werror=incompatible-pointer-types]


Tested on:

commit: 052d5343 Merge tag 'exfat-for-6.8-rc1' of git://git.ke..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=da1c95d4e55dda83
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15ed3ab9e80000

Hillf Danton

Jan 17, 2024, 5:51:30 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=122dfc65e80000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/net/core/flow_dissector.c
+++ y/net/core/flow_dissector.c
@@ -1164,9 +1164,11 @@ proto_again:
switch (proto) {
case htons(ETH_P_IP): {
const struct iphdr *iph;
- struct iphdr _iph;

- iph = __skb_header_pointer(skb, nhoff, sizeof(_iph), data, hlen, &_iph);
+ if (pskb_network_may_pull(skb, sizeof(struct iphdr)))
+ iph = (void *) skb_network_header(skb);
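Review bot: the (void *) cast clears the incompatible-pointer error from the previous attempt, but only the assignment line of the hunk survives on the page; the else branch and the trailing context lines are cut off, so the hunk as shown cannot be applied as a patch. The objections to the same hunk above still stand: nhoff is dropped in favour of a fixed skb_network_header(skb), skb may be NULL when the dissector is handed an explicit data/hlen window, and the test result below shows the fault moving to ipv4_get_l4proto rather than going away.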

syzbot

Jan 17, 2024, 6:16:05 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in get_l4proto

==================================================================
BUG: KASAN: use-after-free in ipv4_get_l4proto net/netfilter/nf_conntrack_core.c:358 [inline]
BUG: KASAN: use-after-free in get_l4proto+0x3f6/0x520 net/netfilter/nf_conntrack_core.c:407
Read of size 2 at addr ffff88813d890000 by task syz-executor.0/5489

CPU: 0 PID: 5489 Comm: syz-executor.0 Not tainted 6.7.0-syzkaller-g82fd5ee9d8a5-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:488
kasan_report+0xda/0x110 mm/kasan/report.c:601
ipv4_get_l4proto net/netfilter/nf_conntrack_core.c:358 [inline]
get_l4proto+0x3f6/0x520 net/netfilter/nf_conntrack_core.c:407
nf_conntrack_in+0x1e3/0x1850 net/netfilter/nf_conntrack_core.c:1977
ipv4_conntrack_local+0x160/0x260 net/netfilter/nf_conntrack_proto.c:229
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xbb/0x1f0 net/netfilter/core.c:626
nf_hook+0x386/0x6c0 include/linux/netfilter.h:269
__ip_local_out+0x33b/0x640 net/ipv4/ip_output.c:118
ip_local_out+0x2a/0x1a0 net/ipv4/ip_output.c:127
iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
ip_tunnel_xmit+0x1daa/0x33b0 net/ipv4/ip_tunnel.c:831
ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308
RIP: 0033:0x7fe1ad67cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe1ae3d80c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fe1ad79bf80 RCX: 00007fe1ad67cce9
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007fe1ad6c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fe1ad79bf80 R15: 00007ffdca27b398
</TASK>

The buggy address belongs to the physical page:
page:ffffea0004f62400 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13d890
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0004f62408 ffffea0004f62408 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff88813d88ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813d88ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88813d890000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88813d890080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813d890100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit: 82fd5ee9 Merge tag 'for-linus-6.8-rc1-tag' of git://gi..
console output: https://syzkaller.appspot.com/x/log.txt?x=15b35ba3e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=9cd0a945c0f757a8
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16dc3a57e80000

Hillf Danton

Jan 17, 2024, 6:43:21 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=122dfc65e80000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/net/core/flow_dissector.c
+++ y/net/core/flow_dissector.c
@@ -1164,9 +1164,11 @@ proto_again:
switch (proto) {
case htons(ETH_P_IP): {
const struct iphdr *iph;
- struct iphdr _iph;

- iph = __skb_header_pointer(skb, nhoff, sizeof(_iph), data, hlen, &_iph);
+ if (pskb_network_may_pull(skb, sizeof(struct iphdr)))
+ iph = (void *) skb_network_header(skb);
+ else
+ iph = NULL;
if (!iph || iph->ihl < 5) {
fdret = FLOW_DISSECT_RET_OUT_BAD;
break;
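Review bot: this is the same flow_dissector hunk that was already tested on its own and only moved the KASAN report from __skb_flow_dissect to ipv4_get_l4proto; resubmitting it together with a conntrack change patches each reader of the IPv4 header in turn, and the result below moves the fault once more, to nf_ct_get_tuple. Every one of those readers is consuming a linear area that the report places on a page with refcount:0, so patching readers cannot converge; the fix belongs where skb->data came to point at freed memory, upstream of ip_tunnel_xmit in the trace. The nhoff/data/hlen objections to this hunk (parse offset ignored, NULL-skb callers) also still apply.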
--- x/net/netfilter/nf_conntrack_core.c
+++ y/net/netfilter/nf_conntrack_core.c
@@ -346,9 +346,11 @@ static int ipv4_get_l4proto(const struct
{
int dataoff = -1;
const struct iphdr *iph;
- struct iphdr _iph;

- iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
+ if (pskb_network_may_pull(skb, sizeof(struct iphdr)))
+ iph = (void *) skb_network_header(skb);
+ else
+ iph = NULL;
if (!iph)
return -1;

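Review bot: ipv4_get_l4proto takes a const sk_buff (the hunk header shows `(const struct`), and pskb_network_may_pull() may write to it and reallocate skb->head, so this discards the const qualifier and can invalidate pointers that nf_conntrack_in's callers already hold into the old head; the nhoff argument the caller passes in is also ignored by skb_network_header(skb). skb_header_pointer() into the local _iph is the right tool for a const skb. The test result below shows the report moving on to nf_ct_get_tuple, consistent with the header bytes being on a freed page rather than merely non-linear.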
--

syzbot

Jan 17, 2024, 7:18:05 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in nf_ct_get_tuple

==================================================================
BUG: KASAN: use-after-free in nf_ct_get_tuple+0x773/0x790 net/netfilter/nf_conntrack_core.c:301
Read of size 4 at addr ffff88813de50006 by task syz-executor.0/5493

CPU: 1 PID: 5493 Comm: syz-executor.0 Not tainted 6.7.0-syzkaller-gd8e6ba025f5e-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:488
kasan_report+0xda/0x110 mm/kasan/report.c:601
nf_ct_get_tuple+0x773/0x790 net/netfilter/nf_conntrack_core.c:301
resolve_normal_ct net/netfilter/nf_conntrack_core.c:1824 [inline]
nf_conntrack_in+0x48f/0x1850 net/netfilter/nf_conntrack_core.c:1998
RIP: 0033:0x7f178307cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1783e5b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f178319bf80 RCX: 00007f178307cce9
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007f17830c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f178319bf80 R15: 00007ffc443b33a8
</TASK>

The buggy address belongs to the physical page:
page:ffffea0004f79400 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13de50
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0004f79408 ffffea0004f79408 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff88813de4ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813de4ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88813de50000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88813de50080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813de50100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit: d8e6ba02 Merge tag 'thermal-6.8-rc1-2' of git://git.ke..
console output: https://syzkaller.appspot.com/x/log.txt?x=12911a0be80000
kernel config: https://syzkaller.appspot.com/x/.config?x=58b05ac7ce94e73a
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=101a3dcde80000

Hillf Danton

Jan 17, 2024, 9:34:06 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
--- x/net/core/filter.c
+++ y/net/core/filter.c
@@ -2147,6 +2147,10 @@ static int __bpf_redirect_no_mac(struct
kfree_skb(skb);
return -ERANGE;
}
+ if (skb_headlen(skb) <= mlen + sizeof(struct iphdr)) {
+ kfree_skb(skb);
+ return -ERANGE;
+ }

if (mlen) {
__skb_pull(skb, mlen);
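Review bot: the bound uses <= where < is the natural test, so a linear area of exactly mlen + sizeof(struct iphdr) bytes, which holds a complete IPv4 header, is rejected with -ERANGE; the check also hardwires IPv4 in a redirect path that carries any skb->protocol, and it drops the packet where pskb_may_pull() could linearise it instead. More to the point, the test result below still reports the one-byte read in __skb_flow_dissect: skb_headlen() is not what is wrong with this skb, the page its linear area points into is (refcount:0 in the report), and no length comparison can detect that.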
--

syzbot

Jan 17, 2024, 9:55:05 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in __skb_flow_dissect

==================================================================
BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
Read of size 1 at addr ffff88813da6000e by task syz-executor.0/5482

CPU: 0 PID: 5482 Comm: syz-executor.0 Not tainted 6.7.0-syzkaller-g296455ade1fd-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:488
kasan_report+0xda/0x110 mm/kasan/report.c:601
__skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
skb_flow_dissect_flow_keys include/linux/skbuff.h:1524 [inline]
___skb_get_hash net/core/flow_dissector.c:1791 [inline]
__skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856
skb_get_hash include/linux/skbuff.h:1566 [inline]
ip_tunnel_xmit+0x1843/0x33b0 net/ipv4/ip_tunnel.c:748
__bpf_redirect_no_mac net/core/filter.c:2169 [inline]
__bpf_redirect+0x764/0xf40 net/core/filter.c:2192
____bpf_clone_redirect net/core/filter.c:2463 [inline]
bpf_clone_redirect+0x2b2/0x420 net/core/filter.c:2435
___bpf_prog_run+0x3e44/0xabc0 kernel/bpf/core.c:1986
__bpf_prog_run512+0xb7/0xf0 kernel/bpf/core.c:2227
bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
__bpf_prog_run include/linux/filter.h:651 [inline]
bpf_prog_run include/linux/filter.h:658 [inline]
bpf_test_run+0x3d3/0x9c0 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0xb75/0x1dd0 net/bpf/test_run.c:1056
bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
__sys_bpf+0x11bf/0x4a00 kernel/bpf/syscall.c:5475
__do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5559
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f02f287cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f02f35200c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f02f299bf80 RCX: 00007f02f287cce9
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007f02f28c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f02f299bf80 R15: 00007ffdf31f6258
</TASK>

The buggy address belongs to the physical page:
page:ffffea0004f69800 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13da60
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0004f69808 ffffea0004f69808 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff88813da5ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813da5ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88813da60000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88813da60080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813da60100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit: 296455ad Merge tag 'char-misc-6.8-rc1' of git://git.ke..
console output: https://syzkaller.appspot.com/x/log.txt?x=13727293e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e5a3077efcfd8745
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11829877e80000

Hillf Danton

Jan 17, 2024, 11:34:23 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=122dfc65e80000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/net/core/filter.c
+++ y/net/core/filter.c
@@ -2159,6 +2159,10 @@ static int __bpf_redirect_no_mac(struct
if (!skb_at_tc_ingress(skb))
skb_postpull_rcsum(skb, skb_mac_header(skb), mlen);
}
+ if (skb->tail - skb->data <= sizeof(struct iphdr)) {
+ kfree_skb(skb);
+ return -ERANGE;
+ }
skb_pop_mac_header(skb);
skb_reset_mac_len(skb);
return flags & BPF_F_INGRESS ?
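Review bot: skb->tail is sk_buff_data_t, an offset from skb->head on 64-bit builds, so skb->tail - skb->data does not compile (syzbot reports this at filter.c:2162 below); skb_headlen(skb) is the helper for the linear length, or skb_tail_pointer(skb) - skb->data if the pointer arithmetic is wanted. The check otherwise has the same shape as the previous attempt, <= instead of < and IPv4 only, and sits between the mlen pull and skb_pop_mac_header(), so it still measures a length when the report points at the linear area's backing page being freed.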
--

syzbot

Jan 17, 2024, 11:47:06 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

net/core/filter.c:2162:23: error: invalid operands to binary - (have 'sk_buff_data_t' {aka 'unsigned int'} and 'unsigned char *')


Tested on:

commit: 296455ad Merge tag 'char-misc-6.8-rc1' of git://git.ke..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=da1c95d4e55dda83
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1049e9dde80000

Hillf Danton

Jan 18, 2024, 6:18:10 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=122dfc65e80000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/net/core/filter.c
+++ y/net/core/filter.c
@@ -2431,7 +2431,7 @@ enum {
BPF_CALL_3(bpf_clone_redirect, struct sk_buff *, skb, u32, ifindex, u64, flags)
{
struct net_device *dev;
- struct sk_buff *clone;
+ struct sk_buff *buf;
int ret;

if (unlikely(flags & (~(BPF_F_INGRESS) | BPF_F_REDIRECT_INTERNAL)))
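Review bot: renaming clone to buf is churn unrelated to the problem being tested and makes the diff harder to read; keep the variable name and change only the allocation call if skb_copy() is what is under test.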
@@ -2441,22 +2441,11 @@ BPF_CALL_3(bpf_clone_redirect, struct sk
if (unlikely(!dev))
return -EINVAL;

- clone = skb_clone(skb, GFP_ATOMIC);
- if (unlikely(!clone))
+ buf = skb_copy(skb, GFP_ATOMIC);
+ if (unlikely(!buf))
return -ENOMEM;

- /* For direct write, we need to keep the invariant that the skbs
- * we're dealing with need to be uncloned. Should uncloning fail
- * here, we need to free the just generated clone to unclone once
- * again.
- */
- ret = bpf_try_make_head_writable(skb);
- if (unlikely(ret)) {
- kfree_skb(clone);
- return -ENOMEM;
- }
-
- return __bpf_redirect(clone, dev, flags);
+ return __bpf_redirect(buf, dev, flags);
}

static const struct bpf_func_proto bpf_clone_redirect_proto = {
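Review bot: dropping `bpf_try_make_head_writable(skb)` removes the invariant the deleted comment documents: the original `skb` may already be shared with an earlier clone on entry, and that helper is what guarantees a private head before the program's direct writes, independent of how the redirected copy is built. `skb_copy()` only changes how the copy is made (a full data copy instead of a shared-data clone) and is considerably more expensive on this path. With the assignment gone, `int ret;` from the previous hunk is declared but never used and will warn. If the question is whether shared data is the trigger, keep the make-writable call and swap only `skb_clone()` for `skb_copy()`.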
--

syzbot

Jan 18, 2024, 6:47:06 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in __skb_flow_dissect

==================================================================
BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
Read of size 1 at addr ffff88813c20000e by task syz-executor.0/5497

CPU: 2 PID: 5497 Comm: syz-executor.0 Not tainted 6.7.0-syzkaller-g296455ade1fd-dirty #0
__bpf_redirect_no_mac net/core/filter.c:2165 [inline]
__bpf_redirect+0x6f1/0xf10 net/core/filter.c:2188
____bpf_clone_redirect net/core/filter.c:2448 [inline]
bpf_clone_redirect+0xbe/0x110 net/core/filter.c:2431
___bpf_prog_run+0x3e44/0xabc0 kernel/bpf/core.c:1986
__bpf_prog_run512+0xb7/0xf0 kernel/bpf/core.c:2227
bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
__bpf_prog_run include/linux/filter.h:651 [inline]
bpf_prog_run include/linux/filter.h:658 [inline]
bpf_test_run+0x3d3/0x9c0 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0xb75/0x1dd0 net/bpf/test_run.c:1056
bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
__sys_bpf+0x11bf/0x4a00 kernel/bpf/syscall.c:5475
__do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5559
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7faa48c7cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faa487ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007faa48d9bf80 RCX: 00007faa48c7cce9
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007faa48cc947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007faa48d9bf80 R15: 00007ffe833226f8
</TASK>

The buggy address belongs to the physical page:
page:ffffea0004f08000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13c200
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0004f08008 ffffea0004f08008 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff88813c1fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813c1fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88813c200000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88813c200080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813c200100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit: 296455ad Merge tag 'char-misc-6.8-rc1' of git://git.ke..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=165683fbe80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e5a3077efcfd8745
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14178e63e80000

Hillf Danton

Jan 18, 2024, 7:08:30 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=122dfc65e80000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/net/core/filter.c
+++ y/net/core/filter.c
@@ -2144,6 +2144,7 @@ static int __bpf_redirect_no_mac(struct
unsigned int mlen = skb_network_offset(skb);

if (unlikely(skb->len <= mlen)) {
+out:
kfree_skb(skb);
return -ERANGE;
}
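Review bot: the new `out:` label is placed inside the body of the `if (unlikely(skb->len <= mlen))` block, so the later `goto out` jumps into a conditional's body. That is legal C but it hides the early-exit path; either put `kfree_skb(skb); return -ERANGE;` at the new check site directly, or move the pair to a label after the function's final return so both error exits read the same way.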
@@ -2159,6 +2160,8 @@ static int __bpf_redirect_no_mac(struct
if (!skb_at_tc_ingress(skb))
skb_postpull_rcsum(skb, skb_mac_header(skb), mlen);
}
+ if (skb->len <= sizeof(struct iphdr))
+ goto out;
skb_pop_mac_header(skb);
skb_reset_mac_len(skb);
return flags & BPF_F_INGRESS ?
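Review bot: `skb->len <= sizeof(struct iphdr)` assumes an IPv4 payload; `__bpf_redirect_no_mac` also carries ETH_P_IPV6 traffic, where a 20-byte bound says nothing about header validity. The check also runs after `__skb_pull()` and `skb_postpull_rcsum()` have already adjusted the buffer. More to the point, the report this targets is a 1-byte read at offset 0xe of a page dumped with `refcount:0`, i.e. the page backing `skb->data` has already been freed, which no length check on `skb->len` can detect; the follow-up syzbot run confirms the same read still triggers.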
@@ -2431,7 +2434,7 @@ enum {
BPF_CALL_3(bpf_clone_redirect, struct sk_buff *, skb, u32, ifindex, u64, flags)
{
struct net_device *dev;
- struct sk_buff *clone;
+ struct sk_buff *buf;
int ret;

if (unlikely(flags & (~(BPF_F_INGRESS) | BPF_F_REDIRECT_INTERNAL)))
@@ -2441,22 +2444,11 @@ BPF_CALL_3(bpf_clone_redirect, struct sk

syzbot

Jan 18, 2024, 7:31:03 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in __skb_flow_dissect

==================================================================
BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
Read of size 1 at addr ffff88813dcc000e by task syz-executor.0/5486

CPU: 2 PID: 5486 Comm: syz-executor.0 Not tainted 6.7.0-syzkaller-g296455ade1fd-dirty #0
__bpf_redirect_no_mac net/core/filter.c:2168 [inline]
__bpf_redirect+0x71b/0xf10 net/core/filter.c:2191
____bpf_clone_redirect net/core/filter.c:2451 [inline]
bpf_clone_redirect+0xbe/0x110 net/core/filter.c:2434
___bpf_prog_run+0x3e44/0xabc0 kernel/bpf/core.c:1986
__bpf_prog_run512+0xb7/0xf0 kernel/bpf/core.c:2227
bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
__bpf_prog_run include/linux/filter.h:651 [inline]
bpf_prog_run include/linux/filter.h:658 [inline]
bpf_test_run+0x3d3/0x9c0 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0xb75/0x1dd0 net/bpf/test_run.c:1056
bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
__sys_bpf+0x11bf/0x4a00 kernel/bpf/syscall.c:5475
__do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5559
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f839287cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f83935280c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f839299bf80 RCX: 00007f839287cce9
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007f83928c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f839299bf80 R15: 00007fffb21981d8
</TASK>

The buggy address belongs to the physical page:
page:ffffea0004f73000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13dcc0
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0004f73008 ffffea0004f73008 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff88813dcbff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813dcbff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88813dcc0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88813dcc0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813dcc0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit: 296455ad Merge tag 'char-misc-6.8-rc1' of git://git.ke..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=12325163e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e5a3077efcfd8745
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16d07b83e80000

Hillf Danton

Jan 18, 2024, 8:18:10 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
--- x/net/core/flow_dissector.c
+++ y/net/core/flow_dissector.c
@@ -1163,10 +1163,8 @@ proto_again:

switch (proto) {
case htons(ETH_P_IP): {
- const struct iphdr *iph;
- struct iphdr _iph;
+ const struct iphdr *iph = (struct iphdr *) skb_network_header(skb);

- iph = __skb_header_pointer(skb, nhoff, sizeof(_iph), data, hlen, &_iph);
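Review bot: this swaps a bounds-checked fetch for an unchecked cast and drops three of its inputs. `__skb_header_pointer(skb, nhoff, sizeof(_iph), data, hlen, &_iph)` verifies that `nhoff + sizeof(_iph)` fits within `hlen` and reads from `data`, the buffer the dissector was asked to parse; `skb_network_header(skb)` ignores `nhoff` (which advances as the dissector walks encapsulations), ignores `hlen`, and dereferences `skb`, which callers such as `skb_flow_dissect_flow_keys_basic()` may pass as NULL when they dissect a raw buffer (`__skb_header_pointer()` has an explicit `!skb` check for that case). As a diagnostic it only moves the access to the next consumer, as the follow-up report (fault now in `get_l4proto`) shows; it should not be carried forward.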

syzbot

Jan 18, 2024, 8:40:08 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in get_l4proto

==================================================================
BUG: KASAN: use-after-free in ipv4_get_l4proto net/netfilter/nf_conntrack_core.c:358 [inline]
BUG: KASAN: use-after-free in get_l4proto+0x3f6/0x520 net/netfilter/nf_conntrack_core.c:407
Read of size 2 at addr ffff88813d810000 by task syz-executor.0/5510

CPU: 2 PID: 5510 Comm: syz-executor.0 Not tainted 6.7.0-syzkaller-g296455ade1fd-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:488
kasan_report+0xda/0x110 mm/kasan/report.c:601
ipv4_get_l4proto net/netfilter/nf_conntrack_core.c:358 [inline]
get_l4proto+0x3f6/0x520 net/netfilter/nf_conntrack_core.c:407
nf_conntrack_in+0x1e3/0x1850 net/netfilter/nf_conntrack_core.c:1977
ipv4_conntrack_local+0x160/0x260 net/netfilter/nf_conntrack_proto.c:229
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xbb/0x1f0 net/netfilter/core.c:626
nf_hook+0x386/0x6c0 include/linux/netfilter.h:269
__ip_local_out+0x33b/0x640 net/ipv4/ip_output.c:118
ip_local_out+0x2a/0x1a0 net/ipv4/ip_output.c:127
__bpf_redirect_no_mac net/core/filter.c:2165 [inline]
__bpf_redirect+0x6f1/0xf10 net/core/filter.c:2188
____bpf_clone_redirect net/core/filter.c:2459 [inline]
bpf_clone_redirect+0x2b2/0x420 net/core/filter.c:2431
___bpf_prog_run+0x3e44/0xabc0 kernel/bpf/core.c:1986
__bpf_prog_run512+0xb7/0xf0 kernel/bpf/core.c:2227
bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
__bpf_prog_run include/linux/filter.h:651 [inline]
bpf_prog_run include/linux/filter.h:658 [inline]
bpf_test_run+0x3d3/0x9c0 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0xb75/0x1dd0 net/bpf/test_run.c:1056
bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
__sys_bpf+0x11bf/0x4a00 kernel/bpf/syscall.c:5475
__do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5559
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f69b887cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f69b958b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f69b899bf80 RCX: 00007f69b887cce9
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007f69b88c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f69b899bf80 R15: 00007fffebba7a48
</TASK>

The buggy address belongs to the physical page:
page:ffffea0004f60400 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13d810
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0004f60408 ffffea0004f60408 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff88813d80ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813d80ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88813d810000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88813d810080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813d810100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit: 296455ad Merge tag 'char-misc-6.8-rc1' of git://git.ke..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=156f278fe80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e5a3077efcfd8745
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17d251b3e80000

Hillf Danton

Jan 18, 2024, 5:16:11 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
--- x/net/core/filter.c
+++ y/net/core/filter.c
@@ -2148,17 +2148,6 @@ static int __bpf_redirect_no_mac(struct
return -ERANGE;
}

- if (mlen) {
- __skb_pull(skb, mlen);
-
- /* At ingress, the mac header has already been pulled once.
- * At egress, skb_pospull_rcsum has to be done in case that
- * the skb is originated from ingress (i.e. a forwarded skb)
- * to ensure that rcsum starts at net header.
- */
- if (!skb_at_tc_ingress(skb))
- skb_postpull_rcsum(skb, skb_mac_header(skb), mlen);
- }
skb_pop_mac_header(skb);
skb_reset_mac_len(skb);
return flags & BPF_F_INGRESS ?
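Review bot: removing the `if (mlen)` block leaves `skb->data` at the link-layer header while `skb_pop_mac_header()` / `skb_reset_mac_len()` and the target L3 device then treat that position as the network header, and it also drops the `skb_postpull_rcsum()` that keeps `csum_start` correct for forwarded skbs (the deleted comment explains both). The follow-up report hits the same dissector read, now via `ip_tunnel_xmit()` and `skb_get_hash()`, so the pull is not what frees the page; this removal should be reverted.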
--

syzbot

Jan 18, 2024, 5:34:07 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in __skb_flow_dissect

==================================================================
BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
Read of size 1 at addr ffff88813c90000e by task syz-executor.0/5479

CPU: 0 PID: 5479 Comm: syz-executor.0 Not tainted 6.7.0-syzkaller-gb0d326da462e-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:488
kasan_report+0xda/0x110 mm/kasan/report.c:601
__skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
skb_flow_dissect_flow_keys include/linux/skbuff.h:1524 [inline]
___skb_get_hash net/core/flow_dissector.c:1791 [inline]
__skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856
skb_get_hash include/linux/skbuff.h:1566 [inline]
ip_tunnel_xmit+0x1843/0x33b0 net/ipv4/ip_tunnel.c:748
__bpf_redirect_no_mac net/core/filter.c:2154 [inline]
__bpf_redirect+0x797/0xad0 net/core/filter.c:2177
____bpf_clone_redirect net/core/filter.c:2448 [inline]
bpf_clone_redirect+0x2b2/0x420 net/core/filter.c:2420
___bpf_prog_run+0x3e44/0xabc0 kernel/bpf/core.c:1986
__bpf_prog_run512+0xb7/0xf0 kernel/bpf/core.c:2227
bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
__bpf_prog_run include/linux/filter.h:651 [inline]
bpf_prog_run include/linux/filter.h:658 [inline]
bpf_test_run+0x3d3/0x9c0 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0xb75/0x1dd0 net/bpf/test_run.c:1056
bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
__sys_bpf+0x11bf/0x4a00 kernel/bpf/syscall.c:5475
__do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5559
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f1f1107cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1f11d050c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f1f1119bf80 RCX: 00007f1f1107cce9
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007f1f110c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f1f1119bf80 R15: 00007ffc4749ef18
</TASK>

The buggy address belongs to the physical page:
page:ffffea0004f24000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13c900
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0004f24008 ffffea0004f24008 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff88813c8fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813c8fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88813c900000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88813c900080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813c900100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit: b0d326da Merge tag 'sched-urgent-2024-01-18' of git://..
console output: https://syzkaller.appspot.com/x/log.txt?x=1031cb63e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=9a5b728734a30ba3
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13167e57e80000

Hillf Danton

Jan 18, 2024, 11:50:14 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
--- x/net/core/flow_dissector.c
+++ y/net/core/flow_dissector.c
@@ -1165,9 +1165,13 @@ proto_again:
case htons(ETH_P_IP): {
const struct iphdr *iph;
struct iphdr _iph;
+ const unsigned char *buf = data;
+
+ if (2 != buf[0])
+ _iph.ihl = 1;

iph = __skb_header_pointer(skb, nhoff, sizeof(_iph), data, hlen, &_iph);
- if (!iph || iph->ihl < 5) {
+ if (nhoff < 0 || !iph || iph->ihl < 5) {
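Review bot: the `_iph.ihl = 1` pre-set is dead code: `__skb_header_pointer()` either returns a pointer into `data` (so `_iph` is never read) or copies the whole header into `_iph`, overwriting `ihl`. `buf[0]` is also read before any check against `hlen`, and `data[0]` is simply the first byte of whatever buffer the caller supplied (for a frame that starts at the Ethernet header, a MAC address byte), so comparing it with 2 has no protocol meaning. The `nhoff < 0` guard is the one part with merit: `__skb_header_pointer()` takes `int offset`, and a negative value would pass its `hlen - offset >= len` test and index before `data`.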

syzbot

Jan 19, 2024, 12:22:05 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in __skb_flow_dissect

==================================================================
BUG: KASAN: use-after-free in __skb_flow_dissect+0x1992/0x7b60 net/core/flow_dissector.c:1170
Read of size 1 at addr ffff888124e0000e by task syz-executor.0/5476

CPU: 1 PID: 5476 Comm: syz-executor.0 Not tainted 6.7.0-syzkaller-g9d1694dc91ce-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:488
kasan_report+0xda/0x110 mm/kasan/report.c:601
__skb_flow_dissect+0x1992/0x7b60 net/core/flow_dissector.c:1170
skb_flow_dissect_flow_keys include/linux/skbuff.h:1524 [inline]
___skb_get_hash net/core/flow_dissector.c:1795 [inline]
__skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1860
__bpf_redirect_no_mac net/core/filter.c:2165 [inline]
__bpf_redirect+0x6f1/0xf10 net/core/filter.c:2188
____bpf_clone_redirect net/core/filter.c:2459 [inline]
bpf_clone_redirect+0x2b2/0x420 net/core/filter.c:2431
___bpf_prog_run+0x3e44/0xabc0 kernel/bpf/core.c:1986
__bpf_prog_run512+0xb7/0xf0 kernel/bpf/core.c:2227
bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
__bpf_prog_run include/linux/filter.h:651 [inline]
bpf_prog_run include/linux/filter.h:658 [inline]
bpf_test_run+0x3d3/0x9c0 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0xb75/0x1dd0 net/bpf/test_run.c:1056
bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
__sys_bpf+0x11bf/0x4a00 kernel/bpf/syscall.c:5475
__do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5559
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f36b107cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f36b1e270c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f36b119bf80 RCX: 00007f36b107cce9
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007f36b10c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f36b119bf80 R15: 00007ffcb895ffc8
</TASK>

The buggy address belongs to the physical page:
page:ffffea0004938000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x124e00
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0004938008 ffffea0004938008 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff888124dfff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888124dfff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888124e00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888124e00080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888124e00100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit: 9d1694dc Merge tag 'for-6.8/block-2024-01-18' of git:/..
console output: https://syzkaller.appspot.com/x/log.txt?x=11c3d5afe80000
kernel config: https://syzkaller.appspot.com/x/.config?x=70f4213b9a7b4f3a
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13c7c2abe80000

Hillf Danton

Jan 19, 2024, 2:39:11 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
--- x/net/core/filter.c
+++ y/net/core/filter.c
@@ -2161,6 +2161,10 @@ static int __bpf_redirect_no_mac(struct
}
skb_pop_mac_header(skb);
skb_reset_mac_len(skb);
+
+ if (skb->data[0] < 2)
+ flags = 0;
+
return flags & BPF_F_INGRESS ?
__bpf_rx_skb_no_mac(dev, skb) : __bpf_tx_skb(dev, skb);
}
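Review bot: after `skb_pop_mac_header()` the byte at `skb->data[0]` is the start of the network header (for IPv4 the version/IHL byte, 0x45), so `< 2` is not a meaningful protocol test, and clearing `flags` silently turns the ingress redirect the BPF program requested into a transmit on `dev`. Both branches consume the same buffer, and the follow-up report shows the identical read reached from `__bpf_redirect_no_mac` again, so the branch taken is not the variable that matters here.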
--

syzbot

Jan 19, 2024, 3:01:05 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in __skb_flow_dissect

==================================================================
BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
Read of size 1 at addr ffff88813adc000e by task syz-executor.0/5473

CPU: 1 PID: 5473 Comm: syz-executor.0 Not tainted 6.7.0-syzkaller-g9d1694dc91ce-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:488
kasan_report+0xda/0x110 mm/kasan/report.c:601
__skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
skb_flow_dissect_flow_keys include/linux/skbuff.h:1524 [inline]
___skb_get_hash net/core/flow_dissector.c:1791 [inline]
__skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856
__bpf_redirect_no_mac net/core/filter.c:2169 [inline]
__bpf_redirect+0x745/0xf90 net/core/filter.c:2192
____bpf_clone_redirect net/core/filter.c:2463 [inline]
bpf_clone_redirect+0x2b2/0x420 net/core/filter.c:2435
___bpf_prog_run+0x3e44/0xabc0 kernel/bpf/core.c:1986
__bpf_prog_run512+0xb7/0xf0 kernel/bpf/core.c:2227
bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
__bpf_prog_run include/linux/filter.h:651 [inline]
bpf_prog_run include/linux/filter.h:658 [inline]
bpf_test_run+0x3d3/0x9c0 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0xb75/0x1dd0 net/bpf/test_run.c:1056
bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
__sys_bpf+0x11bf/0x4a00 kernel/bpf/syscall.c:5475
__do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5559
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f7be367cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7be42ef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f7be379bf80 RCX: 00007f7be367cce9
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007f7be36c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f7be379bf80 R15: 00007ffc63da1898
</TASK>

The buggy address belongs to the physical page:
page:ffffea0004eb7000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13adc0
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0004eb7008 ffffea0004eb7008 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff88813adbff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813adbff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88813adc0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88813adc0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88813adc0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit: 9d1694dc Merge tag 'for-6.8/block-2024-01-18' of git:/..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=14e7c2abe80000
kernel config: https://syzkaller.appspot.com/x/.config?x=70f4213b9a7b4f3a
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1351cbdbe80000

Hillf Danton

Jan 19, 2024, 5:31:21 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=122dfc65e80000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/net/core/filter.c
+++ y/net/core/filter.c
@@ -2161,6 +2161,10 @@ static int __bpf_redirect_no_mac(struct
}
skb_pop_mac_header(skb);
skb_reset_mac_len(skb);
+
+ if (skb->data[0] < 2)
+ flags = 0;
+
return flags & BPF_F_INGRESS ?
__bpf_rx_skb_no_mac(dev, skb) : __bpf_tx_skb(dev, skb);
}
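Review bot: this is the same `skb->data[0] < 2` / `flags = 0` hunk as the previous test patch, carried forward unchanged although that run already reproduced the read. Dropping it would keep this round down to the tunnel-side probes, so a hit or a miss there is not confounded by the changed redirect direction.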
--- x/net/ipv4/ipip.c
+++ y/net/ipv4/ipip.c
@@ -281,6 +281,9 @@ static netdev_tx_t ipip_tunnel_xmit(stru
if (!pskb_inet_may_pull(skb))
goto tx_error;

+ if (skb->data[0] < 2)
+ DEV_STATS_INC(dev, tx_errors);
+
switch (skb->protocol) {
case htons(ETH_P_IP):
ipproto = IPPROTO_IPIP;
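Review bot: `if (skb->data[0] < 2) DEV_STATS_INC(dev, tx_errors);` is a KASAN probe: its only purpose is to touch the first byte of `skb->data` so the sanitizer reports this location if the backing page has already been freed, with the conditional side effect there to stop the compiler from eliding the load. For an ipip packet the byte is the inner IP version/IHL byte and is never below 2, so the counter never moves, but that is not obvious to a reader. `kasan_check_read(skb->data, 1)` (or a `READ_ONCE(skb->data[0])` with a comment) states the diagnostic intent directly and keeps device statistics out of it; the same applies to the three identical probes in the other hunks.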
@@ -302,6 +305,9 @@ static netdev_tx_t ipip_tunnel_xmit(stru

skb_set_inner_ipproto(skb, ipproto);

+ if (skb->data[0] < 2)
+ DEV_STATS_INC(dev, tx_errors);
+
if (tunnel->collect_md)
ip_md_tunnel_xmit(skb, dev, ipproto, 0);
else
--- x/net/ipv4/ip_tunnel.c
+++ y/net/ipv4/ip_tunnel.c
@@ -745,6 +745,9 @@ void ip_tunnel_xmit(struct sk_buff *skb,
}
}

+ if (skb->data[0] < 2)
+ DEV_STATS_INC(dev, tx_errors);
+
ip_tunnel_init_flow(&fl4, protocol, dst, tnl_params->saddr,
tunnel->parms.o_key, RT_TOS(tos),
dev_net(dev), tunnel->parms.link,
@@ -828,6 +831,9 @@ void ip_tunnel_xmit(struct sk_buff *skb,
return;
}

+ if (skb->data[0] < 2)
+ DEV_STATS_INC(dev, tx_errors);
+
iptunnel_xmit(NULL, rt, skb, fl4.saddr, fl4.daddr, protocol, tos, ttl,
df, !net_eq(tunnel->net, dev_net(dev)));
return;
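Review bot: this probe sits immediately before the `iptunnel_xmit()` call, and the follow-up syzbot report is informative precisely because it did not trip here. The fault is reported in a nested `ipip_tunnel_xmit()` at `net/ipv4/ipip.c:284`, which in the patched file is the first probe, reached from `net/ipv4/ip_tunnel.c:837`, which in the patched file is this `iptunnel_xmit()` call, via `ip_local_out` / `ip_mc_output` / `dev_queue_xmit`. So `skb->data` was still valid at this point and is freed between the encapsulation push and the inner tunnel device's `ndo_start_xmit`; the next probe belongs on that output path rather than in `ip_tunnel_xmit()` itself.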
--

syzbot

Jan 19, 2024, 5:47:05 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ipip_tunnel_xmit

==================================================================
BUG: KASAN: use-after-free in ipip_tunnel_xmit+0x580/0x610 net/ipv4/ipip.c:284
Read of size 1 at addr ffff888122e2000e by task syz-executor.0/5483

CPU: 3 PID: 5483 Comm: syz-executor.0 Not tainted 6.7.0-syzkaller-g9d1694dc91ce-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:488
kasan_report+0xda/0x110 mm/kasan/report.c:601
ipip_tunnel_xmit+0x580/0x610 net/ipv4/ipip.c:284
__netdev_start_xmit include/linux/netdevice.h:4989 [inline]
netdev_start_xmit include/linux/netdevice.h:5003 [inline]
xmit_one net/core/dev.c:3547 [inline]
dev_hard_start_xmit+0x137/0x6d0 net/core/dev.c:3563
__dev_queue_xmit+0x7b6/0x3ed0 net/core/dev.c:4351
dev_queue_xmit include/linux/netdevice.h:3171 [inline]
neigh_connected_output+0x426/0x5d0 net/core/neighbour.c:1592
neigh_output include/net/neighbour.h:542 [inline]
ip_finish_output2+0x82d/0x2540 net/ipv4/ip_output.c:235
__ip_finish_output net/ipv4/ip_output.c:313 [inline]
__ip_finish_output+0x38b/0x650 net/ipv4/ip_output.c:295
ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip_mc_output+0x1dd/0x6a0 net/ipv4/ip_output.c:420
dst_output include/net/dst.h:451 [inline]
ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129
iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
ip_tunnel_xmit+0x1e2d/0x34c0 net/ipv4/ip_tunnel.c:837
RIP: 0033:0x7fdcb227cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdcb30990c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fdcb239bf80 RCX: 00007fdcb227cce9
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007fdcb22c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fdcb239bf80 R15: 00007ffca7f31938
</TASK>

The buggy address belongs to the physical page:
page:ffffea00048b8800 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x122e20
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea00048b8808 ffffea00048b8808 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff888122e1ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888122e1ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888122e20000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888122e20080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888122e20100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit: 9d1694dc Merge tag 'for-6.8/block-2024-01-18' of git:/..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=12390e2de80000
kernel config: https://syzkaller.appspot.com/x/.config?x=70f4213b9a7b4f3a
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1647beede80000

Hillf Danton

Jan 19, 2024, 6:48:00 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
--- x/net/ipv4/ip_tunnel_core.c
+++ y/net/ipv4/ip_tunnel_core.c
@@ -57,6 +57,8 @@ void iptunnel_xmit(struct sock *sk, stru
struct iphdr *iph;
int err;

+ if (skb->data[0] < 2)
+ err = 0;
skb_scrub_packet(skb, xnet);

skb_clear_hash_if_not_l4(skb);
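Review bot: `err = 0;` in the probe body is a dead store: `err` is unconditionally overwritten by `err = ip_local_out(net, sk, skb);` later in the function and is not read in between, so nothing consumes the result of the comparison and the compiler is free to drop both the compare and the load of `skb->data[0]`. If that happens KASAN never sees the access and the probe is silent for the wrong reason. Consume the byte in a form that survives optimisation, e.g. `WARN_ON_ONCE(READ_ONCE(skb->data[0]) < 2);`.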
@@ -67,6 +69,8 @@ void iptunnel_xmit(struct sock *sk, stru
skb_push(skb, sizeof(struct iphdr));
skb_reset_network_header(skb);

+ if (skb->data[0] < 2)
+ err = 0;
iph = ip_hdr(skb);

iph->version = 4;
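Review bot: this probe runs right after `skb_push(skb, sizeof(struct iphdr));` and `skb_reset_network_header(skb);`, so `skb->data[0]` is now the first byte of the outer IPv4 header, which is not written until `iph->version = 4;` just below; the comparison therefore reads an uninitialised byte. That is harmless for a KASAN location probe but would trip KMSAN, and the result is meaningless either way. Probing a byte that is already initialised at this point, such as the inner header at `skb->data[sizeof(struct iphdr)]`, keeps the check meaningful, and the same dead-store caveat as the first probe applies to `err = 0;` here.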
@@ -79,6 +83,8 @@ void iptunnel_xmit(struct sock *sk, stru
iph->ttl = ttl;
__ip_select_ident(net, iph, skb_shinfo(skb)->gso_segs ?: 1);

+ if (skb->data[0] < 2)
+ err = 0;
err = ip_local_out(net, sk, skb);

if (dev) {
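Review bot: this probe sits immediately before `err = ip_local_out(net, sk, skb);`, and its `err = 0;` is overwritten on the very next line. The retest against this patch places the iptunnel_xmit frame at net/ipv4/ip_tunnel_core.c:88, which after the six lines these three hunks add is exactly that `ip_local_out()` call, with the faulting read again in the nested ipip_tunnel_xmit() below it. None of the three probes fired, so the skb is intact at every point in `iptunnel_xmit()` up to the hand-off to `ip_local_out()`; the use-after-free occurs in the re-entered tunnel xmit path, and further probes in this function will not localise it.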
--

syzbot

Jan 19, 2024, 7:07:05 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ipip_tunnel_xmit

==================================================================
BUG: KASAN: use-after-free in ipip_tunnel_xmit+0x580/0x610 net/ipv4/ipip.c:284
Read of size 1 at addr ffff88812130000e by task syz-executor.0/5530

CPU: 2 PID: 5530 Comm: syz-executor.0 Not tainted 6.7.0-syzkaller-g9d1694dc91ce-dirty #0
iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:88
RIP: 0033:0x7f886727cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8867f380c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f886739bf80 RCX: 00007f886727cce9
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007f88672c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f886739bf80 R15: 00007fff1deea708
</TASK>

The buggy address belongs to the physical page:
page:ffffea000484c000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121300
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea000484c008 ffffea000484c008 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff8881212fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881212fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888121300000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888121300080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888121300100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit: 9d1694dc Merge tag 'for-6.8/block-2024-01-18' of git:/..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=126c4f1be80000
kernel config: https://syzkaller.appspot.com/x/.config?x=70f4213b9a7b4f3a
dashboard link: https://syzkaller.appspot.com/bug?extid=bfde3bef047a81b8fde6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=148fbdc7e80000

syzbot

Feb 20, 2024, 8:05:14 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: KASAN: use-after-free Read in __skb_flow_dissect
Author: f...@strlen.de

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/fwestphal/nf.git gre_cap_headroom