KASAN: stack-out-of-bounds Write in ax25_getname
20 views
Skip to first unread message
syzbot
Apr 25, 2019, 8:27:06 PM4/25/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14d68c62a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=9217858d06d8c49f6936
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=133abc60a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+921785...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
==================================================================
BUG: KASAN: stack-out-of-bounds in memset include/linux/string.h:332
[inline]
BUG: KASAN: stack-out-of-bounds in ax25_getname+0x55/0x7a0
net/ax25/af_ax25.c:1407
Write of size 72 at addr ffff8880870e7cf8 by task syz-executor.0/7195
CPU: 0 PID: 7195 Comm: syz-executor.0 Not tainted 4.14.113 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memset+0x24/0x40 mm/kasan/kasan.c:285
memset include/linux/string.h:332 [inline]
ax25_getname+0x55/0x7a0 net/ax25/af_ax25.c:1407
get_raw_socket drivers/vhost/net.c:1039 [inline]
get_socket drivers/vhost/net.c:1096 [inline]
vhost_net_set_backend drivers/vhost/net.c:1131 [inline]
vhost_net_ioctl+0xe96/0x14c0 drivers/vhost/net.c:1307
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7b9/0x1070 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458da9
RSP: 002b:00007ff6ac67ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458da9
RDX: 0000000020d7c000 RSI: 000000004008af30 RDI: 0000000000000003
RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff6ac67b6d4
R13: 00000000004c37d7 R14: 00000000004d6cb0 R15: 00000000ffffffff
The buggy address belongs to the page:
page:ffffea00021c39c0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880870e7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
ffff8880870e7c80: f1 f1 f1 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2 00
> ffff8880870e7d00: 00 00 00 00 00 04 f3 f3 f3 f3 f3 00 00 00 00 00
^
ffff8880870e7d80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
ffff8880870e7e00: 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 f3 f3 f3 f3
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14d68c62a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=9217858d06d8c49f6936
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=133abc60a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+921785...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
==================================================================
BUG: KASAN: stack-out-of-bounds in memset include/linux/string.h:332
[inline]
BUG: KASAN: stack-out-of-bounds in ax25_getname+0x55/0x7a0
net/ax25/af_ax25.c:1407
Write of size 72 at addr ffff8880870e7cf8 by task syz-executor.0/7195
CPU: 0 PID: 7195 Comm: syz-executor.0 Not tainted 4.14.113 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memset+0x24/0x40 mm/kasan/kasan.c:285
memset include/linux/string.h:332 [inline]
ax25_getname+0x55/0x7a0 net/ax25/af_ax25.c:1407
get_raw_socket drivers/vhost/net.c:1039 [inline]
get_socket drivers/vhost/net.c:1096 [inline]
vhost_net_set_backend drivers/vhost/net.c:1131 [inline]
vhost_net_ioctl+0xe96/0x14c0 drivers/vhost/net.c:1307
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7b9/0x1070 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458da9
RSP: 002b:00007ff6ac67ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458da9
RDX: 0000000020d7c000 RSI: 000000004008af30 RDI: 0000000000000003
RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff6ac67b6d4
R13: 00000000004c37d7 R14: 00000000004d6cb0 R15: 00000000ffffffff
The buggy address belongs to the page:
page:ffffea00021c39c0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880870e7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
ffff8880870e7c80: f1 f1 f1 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2 00
> ffff8880870e7d00: 00 00 00 00 00 04 f3 f3 f3 f3 f3 00 00 00 00 00
^
ffff8880870e7d80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
ffff8880870e7e00: 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 f3 f3 f3 f3
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Apr 26, 2019, 5:49:06 AM4/26/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: c98875d9 Linux 4.19.36
syzbot found the following crash on:
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=145f0ea8a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=5e40ac5fbcc6366d
dashboard link: https://syzkaller.appspot.com/bug?extid=9c7eba5cb11cdd213b8d
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13910bd4a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
pid=7978 comm="syz-executor.0" name="syz0"
scontext=unconfined_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
==================================================================
BUG: KASAN: stack-out-of-bounds in memset include/linux/string.h:333
[inline]
BUG: KASAN: stack-out-of-bounds in ax25_getname+0x58/0x7a0
net/ax25/af_ax25.c:1406
Write of size 72 at addr ffff8880920f7c78 by task syz-executor.0/8074
CPU: 1 PID: 8074 Comm: syz-executor.0 Not tainted 4.19.36 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
Google 01/01/2011
Call Trace:
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memset+0x24/0x40 mm/kasan/kasan.c:285
memset include/linux/string.h:333 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memset+0x24/0x40 mm/kasan/kasan.c:285
ax25_getname+0x58/0x7a0 net/ax25/af_ax25.c:1406
get_raw_socket drivers/vhost/net.c:1219 [inline]
get_socket drivers/vhost/net.c:1275 [inline]
vhost_net_set_backend drivers/vhost/net.c:1310 [inline]
vhost_net_ioctl+0x120f/0x1900 drivers/vhost/net.c:1501
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd6e/0x1390 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458da9
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fb972151c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458da9
RDX: 0000000020d7c000 RSI: 000000004008af30 RDI: 0000000000000003
RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb9721526d4
RDX: 0000000020d7c000 RSI: 000000004008af30 RDI: 0000000000000003
RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
R13: 00000000004c37d7 R14: 00000000004d6cb0 R15: 00000000ffffffff
The buggy address belongs to the page:
page:ffffea0002483dc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
The buggy address belongs to the page:
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 ffffffff02480101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880920f7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
Memory state around the buggy address:
ffff8880920f7c00: f1 f1 f1 f1 f1 04 f2 00 f2 f2 f2 00 f2 f2 f2 00
> ffff8880920f7c80: 00 00 00 00 00 04 f3 f3 f3 f3 f3 00 00 00 00 00
^
ffff8880920f7d00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
ffff8880920f7d80: 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
syzbot
Feb 15, 2020, 9:51:13 AM2/15/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 98db2bf2 Linux 4.14.171
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14b019d9e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9dc3f6f9d0ff3b98
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=138a4a09e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+921785...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1581778085.897:36): avc: denied { map } for pid=7381 comm="syz-executor393" path="/root/syz-executor393150704" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Write of size 72 at addr ffff88808e087cf8 by task syz-executor393/7381
CPU: 0 PID: 7381 Comm: syz-executor393 Not tainted 4.14.171-syzkaller #0
get_raw_socket drivers/vhost/net.c:1044 [inline]
get_socket drivers/vhost/net.c:1101 [inline]
vhost_net_set_backend drivers/vhost/net.c:1136 [inline]
vhost_net_ioctl+0xe91/0x14c0 drivers/vhost/net.c:1312
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440259
RSP: 002b:00007fffb18f7ad8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
RDX: 0000000020f1dff8 RSI: 000000004008af30 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401ae0
R13: 0000000000401b70 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea00023821c0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 0000000000000000 00000000ffffffff
ffff88808e087c80: f1 f1 f1 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2 00
>ffff88808e087d00: 00 00 00 00 00 04 f3 f3 f3 f3 f3 00 00 00 00 00
^
ffff88808e087d80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
ffff88808e087e00: 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 f3 f3 f3 f3
==================================================================
HEAD commit: 98db2bf2 Linux 4.14.171
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14b019d9e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9dc3f6f9d0ff3b98
dashboard link: https://syzkaller.appspot.com/bug?extid=9217858d06d8c49f6936
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14605ae6e00000
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=138a4a09e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+921785...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1581778085.897:36): avc: denied { map } for pid=7381 comm="syz-executor393" path="/root/syz-executor393150704" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: stack-out-of-bounds in memset include/linux/string.h:332 [inline]
BUG: KASAN: stack-out-of-bounds in ax25_getname+0x55/0x7a0 net/ax25/af_ax25.c:1409
BUG: KASAN: stack-out-of-bounds in memset include/linux/string.h:332 [inline]
Write of size 72 at addr ffff88808e087cf8 by task syz-executor393/7381
CPU: 0 PID: 7381 Comm: syz-executor393 Not tainted 4.14.171-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memset+0x24/0x40 mm/kasan/kasan.c:285
memset include/linux/string.h:332 [inline]
ax25_getname+0x55/0x7a0 net/ax25/af_ax25.c:1409
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memset+0x24/0x40 mm/kasan/kasan.c:285
memset include/linux/string.h:332 [inline]
get_raw_socket drivers/vhost/net.c:1044 [inline]
get_socket drivers/vhost/net.c:1101 [inline]
vhost_net_set_backend drivers/vhost/net.c:1136 [inline]
vhost_net_ioctl+0xe91/0x14c0 drivers/vhost/net.c:1312
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
file_ioctl fs/ioctl.c:500 [inline]
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440259
RSP: 002b:00007fffb18f7ad8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
RDX: 0000000020f1dff8 RSI: 000000004008af30 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401ae0
R13: 0000000000401b70 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808e087c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808e087c80: f1 f1 f1 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2 00
>ffff88808e087d00: 00 00 00 00 00 04 f3 f3 f3 f3 f3 00 00 00 00 00
^
ffff88808e087d80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
ffff88808e087e00: 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 f3 f3 f3 f3
==================================================================
syzbot
Feb 15, 2020, 6:31:11 PM2/15/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 9b15f7fa Linux 4.19.104
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=155e2631e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a97eb020c5d0af85
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17bb365ee00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9c7eba...@syzkaller.appspotmail.com
kauditd_printk_skb: 5 callbacks suppressed
audit: type=1400 audit(1581809293.273:36): avc: denied { map } for pid=8186 comm="syz-executor852" path="/root/syz-executor852068025" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Write of size 72 at addr ffff88808f2e7c78 by task syz-executor852/8186
CPU: 0 PID: 8186 Comm: syz-executor852 Not tainted 4.19.104-syzkaller #0
get_raw_socket drivers/vhost/net.c:1206 [inline]
get_socket drivers/vhost/net.c:1262 [inline]
vhost_net_set_backend drivers/vhost/net.c:1297 [inline]
vhost_net_ioctl+0x120a/0x1900 drivers/vhost/net.c:1488
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440259
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff83b7c0a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 ffffffff023c0101 0000000000000000
ffff88808f2e7c00: f1 f1 f1 f1 f1 04 f2 00 f2 f2 f2 00 f2 f2 f2 00
>ffff88808f2e7c80: 00 00 00 00 00 04 f3 f3 f3 f3 f3 00 00 00 00 00
^
ffff88808f2e7d00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
ffff88808f2e7d80: 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
==================================================================
HEAD commit: 9b15f7fa Linux 4.19.104
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=155e2631e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a97eb020c5d0af85
dashboard link: https://syzkaller.appspot.com/bug?extid=9c7eba5cb11cdd213b8d
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11e21b11e00000
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17bb365ee00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9c7eba...@syzkaller.appspotmail.com
audit: type=1400 audit(1581809293.273:36): avc: denied { map } for pid=8186 comm="syz-executor852" path="/root/syz-executor852068025" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: stack-out-of-bounds in memset include/linux/string.h:333 [inline]
BUG: KASAN: stack-out-of-bounds in ax25_getname+0x58/0x7a0 net/ax25/af_ax25.c:1408
BUG: KASAN: stack-out-of-bounds in memset include/linux/string.h:333 [inline]
Write of size 72 at addr ffff88808f2e7c78 by task syz-executor852/8186
CPU: 0 PID: 8186 Comm: syz-executor852 Not tainted 4.19.104-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memset+0x24/0x40 mm/kasan/kasan.c:285
memset include/linux/string.h:333 [inline]
ax25_getname+0x58/0x7a0 net/ax25/af_ax25.c:1408
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memset+0x24/0x40 mm/kasan/kasan.c:285
memset include/linux/string.h:333 [inline]
get_raw_socket drivers/vhost/net.c:1206 [inline]
get_socket drivers/vhost/net.c:1262 [inline]
vhost_net_set_backend drivers/vhost/net.c:1297 [inline]
vhost_net_ioctl+0x120a/0x1900 drivers/vhost/net.c:1488
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
file_ioctl fs/ioctl.c:501 [inline]
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440259
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff83b7c0a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
RDX: 0000000020f1dff8 RSI: 000000004008af30 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401ae0
R13: 0000000000401b70 R14: 0000000000000000 R15: 0000000000000000
RDX: 0000000020f1dff8 RSI: 000000004008af30 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401ae0
R13: 0000000000401b70 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea00023cb9c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 ffffffff023c0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808f2e7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808f2e7c00: f1 f1 f1 f1 f1 04 f2 00 f2 f2 f2 00 f2 f2 f2 00
>ffff88808f2e7c80: 00 00 00 00 00 04 f3 f3 f3 f3 f3 00 00 00 00 00
^
ffff88808f2e7d00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
ffff88808f2e7d80: 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
==================================================================
syzbot
Mar 16, 2020, 1:40:03 PM3/16/20
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit ff8e12b0cfe277a54edbab525f068b39c7ed0de3
Author: Eugenio Pérez <eper...@redhat.com>
Date: Thu Mar 5 16:30:05 2020 +0000
vhost: Check docket sk_family instead of call getname
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16e923e3e00000
start commit: 98db2bf2 Linux 4.14.171
git tree: linux-4.14.y
#syz fix: vhost: Check docket sk_family instead of call getname
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit ff8e12b0cfe277a54edbab525f068b39c7ed0de3
Author: Eugenio Pérez <eper...@redhat.com>
Date: Thu Mar 5 16:30:05 2020 +0000
vhost: Check docket sk_family instead of call getname
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16e923e3e00000
start commit: 98db2bf2 Linux 4.14.171
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=9dc3f6f9d0ff3b98
dashboard link: https://syzkaller.appspot.com/bug?extid=9217858d06d8c49f6936
dashboard link: https://syzkaller.appspot.com/bug?extid=9217858d06d8c49f6936
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14605ae6e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=138a4a09e00000
If the result looks correct, please mark the bug fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=138a4a09e00000
#syz fix: vhost: Check docket sk_family instead of call getname
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Mar 16, 2020, 10:35:04 PM3/16/20
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit ad598a48fe61c6c2407f08a807cb7a2ea83386b3
Author: Eugenio Pérez <eper...@redhat.com>
Date: Fri Feb 21 11:06:56 2020 +0000
vhost: Check docket sk_family instead of call getname
start commit: 9b15f7fa Linux 4.19.104
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=a97eb020c5d0af85
dashboard link: https://syzkaller.appspot.com/bug?extid=9c7eba5cb11cdd213b8d
dashboard link: https://syzkaller.appspot.com/bug?extid=9c7eba5cb11cdd213b8d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11e21b11e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17bb365ee00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17bb365ee00000
Reply all
Reply to author
Forward
0 new messages