KASAN: global-out-of-bounds Read in nfnetlink_parse_nat_setup
12 views
Skip to first unread message
syzbot
Jan 27, 2020, 10:04:12 PM1/27/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 9a95f252 Linux 4.14.168
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11ac83c9e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f10d3210fe1d3aab
dashboard link: https://syzkaller.appspot.com/bug?extid=c488fe3c6974b334dc96
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c488fe...@syzkaller.appspotmail.com
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.3'.
==================================================================
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat net/netfilter/nf_nat_core.c:747 [inline]
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x3a2/0x3b0 net/netfilter/nf_nat_core.c:784
Read of size 8 at addr ffffffff875d0478 by task syz-executor.3/18854
CPU: 1 PID: 18854 Comm: syz-executor.3 Not tainted 4.14.168-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
nfnetlink_parse_nat net/netfilter/nf_nat_core.c:747 [inline]
nfnetlink_parse_nat_setup+0x3a2/0x3b0 net/netfilter/nf_nat_core.c:784
ctnetlink_parse_nat_setup+0x76/0x4a0 net/netfilter/nf_conntrack_netlink.c:1421
ctnetlink_setup_nat net/netfilter/nf_conntrack_netlink.c:1491 [inline]
ctnetlink_create_conntrack+0x468/0x10c0 net/netfilter/nf_conntrack_netlink.c:1840
ctnetlink_new_conntrack+0x4af/0xcc0 net/netfilter/nf_conntrack_netlink.c:1964
nfnetlink_rcv_msg+0xa08/0xc00 net/netfilter/nfnetlink.c:214
netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
nfnetlink_rcv+0x1ab/0x1650 net/netfilter/nfnetlink.c:515
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x44d/0x650 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b349
RSP: 002b:00007f68f2a2cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f68f2a2d6d4 RCX: 000000000045b349
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008f6 R14: 00000000004ca45f R15: 000000000075bf2c
The buggy address belongs to the variable:
nft_table_policy+0xd8/0xe0
Memory state around the buggy address:
ffffffff875d0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff875d0380: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
>ffffffff875d0400: 00 00 00 00 fa fa fa fa 00 02 fa fa fa fa fa fa
^
ffffffff875d0480: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
ffffffff875d0500: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 9a95f252 Linux 4.14.168
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11ac83c9e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f10d3210fe1d3aab
dashboard link: https://syzkaller.appspot.com/bug?extid=c488fe3c6974b334dc96
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c488fe...@syzkaller.appspotmail.com
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.3'.
==================================================================
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat net/netfilter/nf_nat_core.c:747 [inline]
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x3a2/0x3b0 net/netfilter/nf_nat_core.c:784
Read of size 8 at addr ffffffff875d0478 by task syz-executor.3/18854
CPU: 1 PID: 18854 Comm: syz-executor.3 Not tainted 4.14.168-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
nfnetlink_parse_nat net/netfilter/nf_nat_core.c:747 [inline]
nfnetlink_parse_nat_setup+0x3a2/0x3b0 net/netfilter/nf_nat_core.c:784
ctnetlink_parse_nat_setup+0x76/0x4a0 net/netfilter/nf_conntrack_netlink.c:1421
ctnetlink_setup_nat net/netfilter/nf_conntrack_netlink.c:1491 [inline]
ctnetlink_create_conntrack+0x468/0x10c0 net/netfilter/nf_conntrack_netlink.c:1840
ctnetlink_new_conntrack+0x4af/0xcc0 net/netfilter/nf_conntrack_netlink.c:1964
nfnetlink_rcv_msg+0xa08/0xc00 net/netfilter/nfnetlink.c:214
netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
nfnetlink_rcv+0x1ab/0x1650 net/netfilter/nfnetlink.c:515
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x44d/0x650 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b349
RSP: 002b:00007f68f2a2cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f68f2a2d6d4 RCX: 000000000045b349
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008f6 R14: 00000000004ca45f R15: 000000000075bf2c
The buggy address belongs to the variable:
nft_table_policy+0xd8/0xe0
Memory state around the buggy address:
ffffffff875d0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff875d0380: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
>ffffffff875d0400: 00 00 00 00 fa fa fa fa 00 02 fa fa fa fa fa fa
^
ffffffff875d0480: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
ffffffff875d0500: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Jan 27, 2020, 10:20:10 PM1/27/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 9a95f252 Linux 4.14.168
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1103324ee00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=140731a5e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c488fe...@syzkaller.appspotmail.com
audit: type=1400 audit(1580181393.134:38): avc: denied { write } for pid=7323 comm="syz-executor073" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
CPU: 0 PID: 7323 Comm: syz-executor073 Not tainted 4.14.168-syzkaller #0
RIP: 0033:0x4401b9
RSP: 002b:00007ffdb5982c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401b9
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
HEAD commit: 9a95f252 Linux 4.14.168
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=f10d3210fe1d3aab
dashboard link: https://syzkaller.appspot.com/bug?extid=c488fe3c6974b334dc96
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16eca1f1e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=c488fe3c6974b334dc96
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=140731a5e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c488fe...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat net/netfilter/nf_nat_core.c:747 [inline]
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x3a2/0x3b0 net/netfilter/nf_nat_core.c:784
Read of size 8 at addr ffffffff875d0478 by task syz-executor073/7323
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat net/netfilter/nf_nat_core.c:747 [inline]
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x3a2/0x3b0 net/netfilter/nf_nat_core.c:784
CPU: 0 PID: 7323 Comm: syz-executor073 Not tainted 4.14.168-syzkaller #0
RSP: 002b:00007ffdb5982c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401b9
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a40
R13: 0000000000401ad0 R14: 0000000000000000 R15: 0000000000000000
syzbot
Feb 3, 2020, 5:42:13 PM2/3/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 32ee7492 Linux 4.19.101
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1354ae6ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=928a6b2d3f9b21f8
dashboard link: https://syzkaller.appspot.com/bug?extid=a51591fd9e2ace6423f0
==================================================================
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat net/netfilter/nf_nat_core.c:847 [inline]
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x436/0x450 net/netfilter/nf_nat_core.c:884
Read of size 8 at addr ffffffff884faaf8 by task syz-executor.5/13646
CPU: 0 PID: 13646 Comm: syz-executor.5 Not tainted 4.19.101-syzkaller #0
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x5/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
nfnetlink_parse_nat net/netfilter/nf_nat_core.c:847 [inline]
nfnetlink_parse_nat_setup+0x436/0x450 net/netfilter/nf_nat_core.c:884
ctnetlink_parse_nat_setup+0xc5/0x660 net/netfilter/nf_conntrack_netlink.c:1521
ctnetlink_setup_nat net/netfilter/nf_conntrack_netlink.c:1591 [inline]
ctnetlink_create_conntrack+0x4ea/0x1300 net/netfilter/nf_conntrack_netlink.c:1984
ctnetlink_new_conntrack+0x527/0xe50 net/netfilter/nf_conntrack_netlink.c:2114
nfnetlink_rcv_msg+0xd0d/0xfcf net/netfilter/nfnetlink.c:228
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
nfnetlink_rcv+0x1c0/0x460 net/netfilter/nfnetlink.c:560
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45b399
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8c13d3fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f8c13d406d4 RCX: 000000000045b399
R13: 00000000000008fd R14: 00000000004ca4bf R15: 000000000075bf2c
The buggy address belongs to the variable:
nft_immediate_policy+0x138/0x140
Memory state around the buggy address:
ffffffff884fa980: 00 fa fa fa fa fa fa fa 00 00 00 00 00 00 fa fa
ffffffff884faa00: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff884faa80: 00 00 00 00 fa fa fa fa 04 fa fa fa fa fa fa fa
^
ffffffff884fab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
ffffffff884fab80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
bridge_slave_0: FDB only supports static addresses
bridge_slave_0: FDB only supports static addresses
syzbot found the following crash on:
HEAD commit: 32ee7492 Linux 4.19.101
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1354ae6ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=928a6b2d3f9b21f8
dashboard link: https://syzkaller.appspot.com/bug?extid=a51591fd9e2ace6423f0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a51591...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat net/netfilter/nf_nat_core.c:847 [inline]
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x436/0x450 net/netfilter/nf_nat_core.c:884
Read of size 8 at addr ffffffff884faaf8 by task syz-executor.5/13646
CPU: 0 PID: 13646 Comm: syz-executor.5 Not tainted 4.19.101-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
Call Trace:
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x5/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
nfnetlink_parse_nat net/netfilter/nf_nat_core.c:847 [inline]
nfnetlink_parse_nat_setup+0x436/0x450 net/netfilter/nf_nat_core.c:884
ctnetlink_parse_nat_setup+0xc5/0x660 net/netfilter/nf_conntrack_netlink.c:1521
ctnetlink_setup_nat net/netfilter/nf_conntrack_netlink.c:1591 [inline]
ctnetlink_create_conntrack+0x4ea/0x1300 net/netfilter/nf_conntrack_netlink.c:1984
ctnetlink_new_conntrack+0x527/0xe50 net/netfilter/nf_conntrack_netlink.c:2114
nfnetlink_rcv_msg+0xd0d/0xfcf net/netfilter/nfnetlink.c:228
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
nfnetlink_rcv+0x1c0/0x460 net/netfilter/nfnetlink.c:560
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45b399
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8c13d3fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f8c13d406d4 RCX: 000000000045b399
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008fd R14: 00000000004ca4bf R15: 000000000075bf2c
The buggy address belongs to the variable:
Memory state around the buggy address:
ffffffff884faa00: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff884faa80: 00 00 00 00 fa fa fa fa 04 fa fa fa fa fa fa fa
^
ffffffff884fab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
ffffffff884fab80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
bridge_slave_0: FDB only supports static addresses
bridge_slave_0: FDB only supports static addresses
syzbot
Feb 3, 2020, 5:58:12 PM2/3/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 32ee7492 Linux 4.19.101
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1455bda5e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c52dbee00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a51591...@syzkaller.appspotmail.com
audit: type=1400 audit(1580770493.776:38): avc: denied { write } for pid=8312 comm="syz-executor464" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
CPU: 0 PID: 8312 Comm: syz-executor464 Not tainted 4.19.101-syzkaller #0
RIP: 0033:0x4401a9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd12dfb4f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401a9
R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
HEAD commit: 32ee7492 Linux 4.19.101
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=928a6b2d3f9b21f8
dashboard link: https://syzkaller.appspot.com/bug?extid=a51591fd9e2ace6423f0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12bccd01e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=a51591fd9e2ace6423f0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c52dbee00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a51591...@syzkaller.appspotmail.com
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat net/netfilter/nf_nat_core.c:847 [inline]
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x436/0x450 net/netfilter/nf_nat_core.c:884
Read of size 8 at addr ffffffff884faaf8 by task syz-executor464/8312
BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x436/0x450 net/netfilter/nf_nat_core.c:884
CPU: 0 PID: 8312 Comm: syz-executor464 Not tainted 4.19.101-syzkaller #0
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd12dfb4f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401a9
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a30
R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
Reply all
Reply to author
Forward
0 new messages