KASAN: slab-out-of-bounds Read in __dev_queue_xmit


syzbot

Jan 18, 2018, 6:58:02 PM1/18/18
to andre...@google.com, anoob...@citrix.com, da...@davemloft.net, edum...@google.com, elena.r...@intel.com, kees...@chromium.org, linux-...@vger.kernel.org, mal...@google.com, net...@vger.kernel.org, rami....@intel.com, sowmini....@oracle.com, syzkall...@googlegroups.com, wil...@google.com
Hello,

syzbot hit the following crash on linux-next commit
0e08c463db387a2adcb0243b15ab868a73f87807

So far this crash happened 6 times on linux-next, mmots, upstream.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9da69e...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

device syz0 entered promiscuous mode
audit: type=1400 audit(1514752309.665:10): avc: denied { net_raw } for
pid=3143 comm="syzkaller343753" capability=13
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns
permissive=1
audit: type=1400 audit(1514752309.668:11): avc: denied { net_admin } for
pid=3143 comm="syzkaller343753" capability=12
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns
permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in __tcp_hdrlen include/linux/tcp.h:35 [inline]
BUG: KASAN: slab-out-of-bounds in tcp_hdrlen include/linux/tcp.h:40 [inline]
BUG: KASAN: slab-out-of-bounds in qdisc_pkt_len_init net/core/dev.c:3160 [inline]
BUG: KASAN: slab-out-of-bounds in __dev_queue_xmit+0x20d3/0x2200 net/core/dev.c:3465
Read of size 2 at addr ffff8801c85791e0 by task syzkaller343753/3143

CPU: 0 PID: 3143 Comm: syzkaller343753 Not tainted 4.15.0-rc4-next-20171221+ #78
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
__tcp_hdrlen include/linux/tcp.h:35 [inline]
tcp_hdrlen include/linux/tcp.h:40 [inline]
qdisc_pkt_len_init net/core/dev.c:3160 [inline]
__dev_queue_xmit+0x20d3/0x2200 net/core/dev.c:3465
dev_queue_xmit+0x17/0x20 net/core/dev.c:3554
packet_snd net/packet/af_packet.c:2943 [inline]
packet_sendmsg+0x3ad5/0x60a0 net/packet/af_packet.c:2968
sock_sendmsg_nosec net/socket.c:628 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:638
sock_write_iter+0x31a/0x5d0 net/socket.c:907
call_write_iter include/linux/fs.h:1776 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x684/0x970 fs/read_write.c:482
vfs_write+0x189/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x444df9
RSP: 002b:00000000007eff78 EFLAGS: 00000297 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007ffc3d2180f0 RCX: 0000000000444df9
RDX: 00000000000000ce RSI: 0000000020fecf2b RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000120080522 R11: 0000000000000297 R12: 00000000004029f0
R13: 0000000000402a80 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 3143:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
__do_kmalloc_node mm/slab.c:3673 [inline]
__kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3687
__kmalloc_reserve.isra.41+0x41/0xd0 net/core/skbuff.c:137
__alloc_skb+0x13b/0x780 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:983 [inline]
alloc_skb_with_frags+0x10d/0x750 net/core/skbuff.c:5146
sock_alloc_send_pskb+0x787/0x9b0 net/core/sock.c:2088
packet_alloc_skb net/packet/af_packet.c:2802 [inline]
packet_snd net/packet/af_packet.c:2893 [inline]
packet_sendmsg+0x1ec2/0x60a0 net/packet/af_packet.c:2968
sock_sendmsg_nosec net/socket.c:628 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:638
sock_write_iter+0x31a/0x5d0 net/socket.c:907
call_write_iter include/linux/fs.h:1776 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x684/0x970 fs/read_write.c:482
vfs_write+0x189/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
entry_SYSCALL_64_fastpath+0x1f/0x96

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801c8578d80
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 96 bytes to the right of 1024-byte region [ffff8801c8578d80, ffff8801c8579180)
The buggy address belongs to the page:
page:00000000c294763f count:1 mapcount:0 mapping:0000000098a38184 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801c8578000 0000000000000000 0000000100000007
raw: ffffea0007252920 ffff8801dac01848 ffff8801dac00ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801c8579080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801c8579100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8801c8579180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8801c8579200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801c8579280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
raw.log.txt
repro.syz.txt
repro.c.txt
config.txt

Eric Dumazet

Jan 18, 2018, 7:59:19 PM1/18/18
to syzbot, andre...@google.com, anoob...@citrix.com, da...@davemloft.net, edum...@google.com, elena.r...@intel.com, kees...@chromium.org, linux-...@vger.kernel.org, mal...@google.com, net...@vger.kernel.org, rami....@intel.com, sowmini....@oracle.com, syzkall...@googlegroups.com, wil...@google.com
Sigh...

That has been discussed on netdev@ last days.

Fixes are in progress, first one being :

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=d0c081b49137cd3200f2023c0875723be66e7ce5

Second one is not urgent, but will follow.

