KASAN: slab-out-of-bounds Read in __nla_put_nohdr


syzbot

Jan 27, 2020, 5:05:11 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 9a95f252 Linux 4.14.168
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14371b76e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f10d3210fe1d3aab
dashboard link: https://syzkaller.appspot.com/bug?extid=05a54ad651bb814ba6af
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+05a54a...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: slab-out-of-bounds in __nla_put_nohdr+0x46/0x50 lib/nlattr.c:585
Read of size 8 at addr ffff88809198f880 by task syz-executor.4/7601

CPU: 1 PID: 7601 Comm: syz-executor.4 Not tainted 4.14.168-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
__nla_put_nohdr+0x46/0x50 lib/nlattr.c:585
nla_put_nohdr+0xe8/0x120 lib/nlattr.c:651
tcf_em_tree_dump+0x5d1/0x890 net/sched/ematch.c:474
basic_dump net/sched/cls_basic.c:290 [inline]
basic_dump+0x1bd/0x410 net/sched/cls_basic.c:270
tcf_fill_node+0x536/0x860 net/sched/cls_api.c:453
tfilter_notify+0x11d/0x240 net/sched/cls_api.c:476
tc_ctl_tfilter+0x1048/0x1aba net/sched/cls_api.c:743
rtnetlink_rcv_msg+0x3da/0xb70 net/core/rtnetlink.c:4306
netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4318
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x44d/0x650 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b349
RSP: 002b:00007f2734ee5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f2734ee66d4 RCX: 000000000045b349
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bf2c

Allocated by task 7601:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc_track_caller+0x159/0x790 mm/slab.c:3735
kmemdup+0x27/0x60 mm/util.c:118
kmemdup include/linux/string.h:420 [inline]
em_nbyte_change+0xb9/0x130 net/sched/em_nbyte.c:36
tcf_em_validate net/sched/ematch.c:245 [inline]
tcf_em_tree_validate net/sched/ematch.c:362 [inline]
tcf_em_tree_validate+0x922/0xe7e net/sched/ematch.c:304
basic_set_parms net/sched/cls_basic.c:158 [inline]
basic_change+0x451/0xfb0 net/sched/cls_basic.c:222
tc_ctl_tfilter+0xff1/0x1aba net/sched/cls_api.c:738
rtnetlink_rcv_msg+0x3da/0xb70 net/core/rtnetlink.c:4306
netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4318
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x44d/0x650 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 7434:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
kvfree+0x4d/0x60 mm/util.c:416
__vunmap+0x24e/0x320 mm/vmalloc.c:1547
vfree+0x50/0xe0 mm/vmalloc.c:1611
copy_entries_to_user net/ipv6/netfilter/ip6_tables.c:885 [inline]
get_entries net/ipv6/netfilter/ip6_tables.c:1044 [inline]
do_ip6t_get_ctl+0x61d/0x820 net/ipv6/netfilter/ip6_tables.c:1713
nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122
ipv6_getsockopt net/ipv6/ipv6_sockglue.c:1369 [inline]
ipv6_getsockopt+0x182/0x1f0 net/ipv6/ipv6_sockglue.c:1349
tcp_getsockopt net/ipv4/tcp.c:3249 [inline]
tcp_getsockopt+0x84/0xd0 net/ipv4/tcp.c:3243
sock_common_getsockopt+0x94/0xd0 net/core/sock.c:2927
SYSC_getsockopt net/socket.c:1896 [inline]
SyS_getsockopt+0x126/0x1e0 net/socket.c:1878
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff88809198f880
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
32-byte region [ffff88809198f880, ffff88809198f8a0)
The buggy address belongs to the page:
page:ffffea00024663c0 count:1 mapcount:0 mapping:ffff88809198f000 index:0xffff88809198ffc1
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff88809198f000 ffff88809198ffc1 000000010000003f
raw: ffffea00027f53a0 ffffea00027ffde0 ffff8880aa8001c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88809198f780: fb fb fb fb fc fc fc fc 05 fc fc fc fc fc fc fc
ffff88809198f800: 05 fc fc fc fc fc fc fc 05 fc fc fc fc fc fc fc
>ffff88809198f880: 04 fc fc fc fc fc fc fc 07 fc fc fc fc fc fc fc
                   ^
ffff88809198f900: 00 00 01 fc fc fc fc fc 00 01 fc fc fc fc fc fc
ffff88809198f980: 00 00 00 00 fc fc fc fc 05 fc fc fc fc fc fc fc
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jan 27, 2020, 5:39:09 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 9a95f252 Linux 4.14.168
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14ed324ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f10d3210fe1d3aab
dashboard link: https://syzkaller.appspot.com/bug?extid=05a54ad651bb814ba6af
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112f8b35e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12285111e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+05a54a...@syzkaller.appspotmail.com

audit: type=1400 audit(1580164526.071:36): avc: denied { map } for pid=7355 comm="syz-executor935" path="/root/syz-executor935341964" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: slab-out-of-bounds in __nla_put_nohdr+0x46/0x50 lib/nlattr.c:585
Read of size 8 at addr ffff88809fb72f80 by task syz-executor935/7356

CPU: 0 PID: 7356 Comm: syz-executor935 Not tainted 4.14.168-syzkaller #0
RIP: 0033:0x4410b9
RSP: 002b:00007ffff343aaf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004a28b0 RCX: 00000000004410b9
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004025c0
R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 7356:
Freed by task 5619:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
xattr_getsecurity+0x104/0x110 fs/xattr.c:253
vfs_getxattr+0xc6/0x110 fs/xattr.c:333
getxattr+0xef/0x2a0 fs/xattr.c:540
path_getxattr+0xa3/0x100 fs/xattr.c:568
SYSC_lgetxattr fs/xattr.c:586 [inline]
SyS_lgetxattr+0x31/0x40 fs/xattr.c:583
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff88809fb72f80
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
32-byte region [ffff88809fb72f80, ffff88809fb72fa0)
The buggy address belongs to the page:
page:ffffea00027edc80 count:1 mapcount:0 mapping:ffff88809fb72000 index:0xffff88809fb72fc1
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff88809fb72000 ffff88809fb72fc1 000000010000003b
raw: ffffea00027e1aa0 ffffea00027d7120 ffff8880aa8001c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88809fb72e80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
ffff88809fb72f00: 06 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
>ffff88809fb72f80: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
ffff88809fb73000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809fb73080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
==================================================================

syzbot

Jan 28, 2020, 7:02:12 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 88d6de67 Linux 4.19.99
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10cf7111e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=bbdca1178922fa69
dashboard link: https://syzkaller.appspot.com/bug?extid=c47bbdd0fc4eea31a787
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14499bc9e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=175cff69e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c47bbd...@syzkaller.appspotmail.com

audit: type=1400 audit(1580255901.197:36): avc: denied { map } for pid=8161 comm="syz-executor916" path="/root/syz-executor916294225" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: slab-out-of-bounds in __nla_put_nohdr+0x46/0x50 lib/nlattr.c:608
Read of size 8 at addr ffff88809664f480 by task syz-executor916/8162

CPU: 0 PID: 8162 Comm: syz-executor916 Not tainted 4.19.99-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:348 [inline]
__nla_put_nohdr+0x46/0x50 lib/nlattr.c:608
nla_put_nohdr+0xff/0x140 lib/nlattr.c:674
tcf_em_tree_dump+0x67e/0x960 net/sched/ematch.c:474
basic_dump net/sched/cls_basic.c:285 [inline]
basic_dump+0x21e/0x4c0 net/sched/cls_basic.c:265
tcf_fill_node+0x574/0x950 net/sched/cls_api.c:1101
tfilter_notify+0x129/0x270 net/sched/cls_api.c:1125
tc_new_tfilter+0xcc8/0x1790 net/sched/cls_api.c:1326
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4768
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4786
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4410b9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd1d397b08 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004a28b0 RCX: 00000000004410b9
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004025c0
R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 8162:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
__do_kmalloc mm/slab.c:3727 [inline]
__kmalloc_track_caller+0x159/0x750 mm/slab.c:3742
kmemdup+0x27/0x60 mm/util.c:118
kmemdup include/linux/string.h:421 [inline]
em_nbyte_change+0xd6/0x150 net/sched/em_nbyte.c:36
tcf_em_validate net/sched/ematch.c:245 [inline]
tcf_em_tree_validate net/sched/ematch.c:362 [inline]
tcf_em_tree_validate+0x9a9/0xf30 net/sched/ematch.c:304
basic_set_parms net/sched/cls_basic.c:155 [inline]
basic_change+0x126e/0x1370 net/sched/cls_basic.c:212
tc_new_tfilter+0xc54/0x1790 net/sched/cls_api.c:1320
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4768
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4786
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 5714:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
xattr_getsecurity fs/xattr.c:252 [inline]
vfs_getxattr+0x1fa/0x2a0 fs/xattr.c:331
getxattr+0x110/0x2d0 fs/xattr.c:537
path_getxattr+0xd1/0x170 fs/xattr.c:565
__do_sys_lgetxattr fs/xattr.c:583 [inline]
__se_sys_lgetxattr fs/xattr.c:580 [inline]
__x64_sys_lgetxattr+0x9a/0xf0 fs/xattr.c:580
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809664f480
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
32-byte region [ffff88809664f480, ffff88809664f4a0)
The buggy address belongs to the page:
page:ffffea00025993c0 count:1 mapcount:0 mapping:ffff88812c31c1c0 index:0xffff88809664ffc1
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea00029852c8 ffff88812c314248 ffff88812c31c1c0
raw: ffff88809664ffc1 ffff88809664f000 000000010000003f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88809664f380: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc
ffff88809664f400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>ffff88809664f480: 04 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
                   ^
ffff88809664f500: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
ffff88809664f580: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Feb 26, 2020, 9:21:03 PM
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:

commit c5fd8a37e97100254a2178e470e9641c51e91dbb
Author: Jouni Hogander <jouni.h...@unikie.com>
Date: Mon Jan 20 07:51:03 2020 +0000

net-sysfs: Fix reference count leak

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=110158f9e00000
start commit: 9a95f252 Linux 4.14.168
git tree: linux-4.14.y
If the result looks correct, please mark the bug fixed by replying with:

#syz fix: net-sysfs: Fix reference count leak

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

syzbot

Feb 27, 2020, 10:50:03 PM
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:

commit 66ac8ee96faa582a252ae19510f35529c9143670
Author: Cong Wang <xiyou.w...@gmail.com>
Date: Wed Jan 22 23:42:02 2020 +0000

net_sched: fix datalen for ematch

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1049f8f9e00000
start commit: 88d6de67 Linux 4.19.99
git tree: linux-4.19.y
If the result looks correct, please mark the bug fixed by replying with:

#syz fix: net_sched: fix datalen for ematch