KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
10 views
Skip to first unread message
syzbot
Jun 10, 2018, 11:27:02 AM6/10/18
to a...@kernel.org, dan...@iogearbox.net, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: a16afaf7928b Merge tag 'for-v4.18' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1338f6bf800000
kernel config: https://syzkaller.appspot.com/x/.config?x=314f2150f36c16ca
dashboard link: https://syzkaller.appspot.com/bug?extid=d2d729bdde65dee3eae6
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1173381f800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171f90cf800000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d2d729...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==================================================================
BUG: KASAN: slab-out-of-bounds in bpf_skb_proto_xlat net/core/filter.c:2637
[inline]
BUG: KASAN: slab-out-of-bounds in ____bpf_skb_change_proto
net/core/filter.c:2675 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xe37/0x1300
net/core/filter.c:2650
Read of size 2 at addr ffff8801b04646c0 by task syz-executor241/4519
CPU: 0 PID: 4519 Comm: syz-executor241 Not tainted 4.17.0+ #93
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
bpf_skb_proto_xlat net/core/filter.c:2637 [inline]
____bpf_skb_change_proto net/core/filter.c:2675 [inline]
bpf_skb_change_proto+0xe37/0x1300 net/core/filter.c:2650
Allocated by task 0:
(stack is not available)
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff8801b04646c0
which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 0 bytes inside of
232-byte region [ffff8801b04646c0, ffff8801b04647a8)
The buggy address belongs to the page:
page:ffffea0006c11900 count:1 mapcount:0 mapping:ffff8801d9a0d080 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0006c49388 ffffea0006ae5c48 ffff8801d9a0d080
raw: 0000000000000000 ffff8801b0464080 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801b0464580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801b0464600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801b0464680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8801b0464700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801b0464780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: a16afaf7928b Merge tag 'for-v4.18' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1338f6bf800000
kernel config: https://syzkaller.appspot.com/x/.config?x=314f2150f36c16ca
dashboard link: https://syzkaller.appspot.com/bug?extid=d2d729bdde65dee3eae6
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1173381f800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171f90cf800000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d2d729...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==================================================================
BUG: KASAN: slab-out-of-bounds in bpf_skb_proto_xlat net/core/filter.c:2637
[inline]
BUG: KASAN: slab-out-of-bounds in ____bpf_skb_change_proto
net/core/filter.c:2675 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xe37/0x1300
net/core/filter.c:2650
Read of size 2 at addr ffff8801b04646c0 by task syz-executor241/4519
CPU: 0 PID: 4519 Comm: syz-executor241 Not tainted 4.17.0+ #93
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
bpf_skb_proto_xlat net/core/filter.c:2637 [inline]
____bpf_skb_change_proto net/core/filter.c:2675 [inline]
bpf_skb_change_proto+0xe37/0x1300 net/core/filter.c:2650
Allocated by task 0:
(stack is not available)
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff8801b04646c0
which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 0 bytes inside of
232-byte region [ffff8801b04646c0, ffff8801b04647a8)
The buggy address belongs to the page:
page:ffffea0006c11900 count:1 mapcount:0 mapping:ffff8801d9a0d080 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0006c49388 ffffea0006ae5c48 ffff8801d9a0d080
raw: 0000000000000000 ffff8801b0464080 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801b0464580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801b0464600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801b0464680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8801b0464700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801b0464780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Daniel Borkmann
Jun 11, 2018, 5:43:03 AM6/11/18
to syzbot, a...@kernel.org, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
On 06/10/2018 05:27 PM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: a16afaf7928b Merge tag 'for-v4.18' of git://git.kernel.org..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1338f6bf800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=314f2150f36c16ca
> dashboard link: https://syzkaller.appspot.com/bug?extid=d2d729bdde65dee3eae6
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1173381f800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171f90cf800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+d2d729...@syzkaller.appspotmail.com
#syz fix: bpf: reject passing modified ctx to helper functions
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: a16afaf7928b Merge tag 'for-v4.18' of git://git.kernel.org..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1338f6bf800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=314f2150f36c16ca
> dashboard link: https://syzkaller.appspot.com/bug?extid=d2d729bdde65dee3eae6
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1173381f800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171f90cf800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+d2d729...@syzkaller.appspotmail.com
Dmitry Vyukov
Jun 11, 2018, 5:52:22 AM6/11/18
to Daniel Borkmann, syzbot, Alexei Starovoitov, David Miller, LKML, netdev, syzkaller-bugs
bpf_skb_change_proto. I think the "net.core.bpf_jit_kallsyms = 1"
sysctl should have been reached syzbot by the time of crash. Are you
sure that's the only thing requires? We are using frame pointer
unwinder just in case.
Daniel Borkmann
Jun 11, 2018, 6:31:40 AM6/11/18
to Dmitry Vyukov, syzbot, Alexei Starovoitov, David Miller, LKML, netdev, syzkaller-bugs
Thanks,
Daniel
Reply all
Reply to author
Forward
0 new messages