KASAN: use-after-free Read in erspan_build_header
5 views
Skip to first unread message
syzbot
Apr 11, 2019, 9:23:13 AM4/11/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 1ec8f1f0 Linux 4.14.111
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17e984d3200000
kernel config: https://syzkaller.appspot.com/x/.config?x=fdadf290ea9fc6f9
dashboard link: https://syzkaller.appspot.com/bug?extid=c55520aef43a00617448
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=126d38d3200000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11e0efab200000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c55520...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: KASAN: use-after-free in erspan_build_header+0x392/0x3b0
net/ipv4/ip_gre.c:706
Read of size 2 at addr ffff8880a4fb568b by task syz-executor201/7088
CPU: 1 PID: 7088 Comm: syz-executor201 Not tainted 4.14.111 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
__asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
erspan_build_header+0x392/0x3b0 net/ipv4/ip_gre.c:706
erspan_xmit net/ipv4/ip_gre.c:748 [inline]
erspan_xmit+0x3ec/0x11c0 net/ipv4/ip_gre.c:725
__netdev_start_xmit include/linux/netdevice.h:4033 [inline]
netdev_start_xmit include/linux/netdevice.h:4042 [inline]
packet_direct_xmit+0x438/0x640 net/packet/af_packet.c:269
packet_snd net/packet/af_packet.c:2969 [inline]
packet_sendmsg+0x31e1/0x5990 net/packet/af_packet.c:2994
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xd0/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x442249
RSP: 002b:00007ffc99a67dc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442249
RDX: 000000000000000e RSI: 0000000020000180 RDI: 0000000000000003
RBP: 00000000004a9450 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403150
R13: 00000000004031e0 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea000293ed40 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a4fb5580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880a4fb5600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8880a4fb5680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880a4fb5700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880a4fb5780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 1ec8f1f0 Linux 4.14.111
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17e984d3200000
kernel config: https://syzkaller.appspot.com/x/.config?x=fdadf290ea9fc6f9
dashboard link: https://syzkaller.appspot.com/bug?extid=c55520aef43a00617448
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=126d38d3200000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11e0efab200000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c55520...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: KASAN: use-after-free in erspan_build_header+0x392/0x3b0
net/ipv4/ip_gre.c:706
Read of size 2 at addr ffff8880a4fb568b by task syz-executor201/7088
CPU: 1 PID: 7088 Comm: syz-executor201 Not tainted 4.14.111 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
__asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
erspan_build_header+0x392/0x3b0 net/ipv4/ip_gre.c:706
erspan_xmit net/ipv4/ip_gre.c:748 [inline]
erspan_xmit+0x3ec/0x11c0 net/ipv4/ip_gre.c:725
__netdev_start_xmit include/linux/netdevice.h:4033 [inline]
netdev_start_xmit include/linux/netdevice.h:4042 [inline]
packet_direct_xmit+0x438/0x640 net/packet/af_packet.c:269
packet_snd net/packet/af_packet.c:2969 [inline]
packet_sendmsg+0x31e1/0x5990 net/packet/af_packet.c:2994
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xd0/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x442249
RSP: 002b:00007ffc99a67dc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442249
RDX: 000000000000000e RSI: 0000000020000180 RDI: 0000000000000003
RBP: 00000000004a9450 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403150
R13: 00000000004031e0 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea000293ed40 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a4fb5580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880a4fb5600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8880a4fb5680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880a4fb5700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880a4fb5780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Nov 30, 2019, 2:42:01 AM11/30/19
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit 1d629bf9b5767cdbe902f32b058ae8c99df72516
Author: William Tu <u901...@gmail.com>
Date: Wed Jan 24 01:01:29 2018 +0000
net: erspan: fix use-after-free
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10603882e00000
start commit: 1ec8f1f0 Linux 4.14.111
git tree: linux-4.14.y
#syz fix: net: erspan: fix use-after-free
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 1d629bf9b5767cdbe902f32b058ae8c99df72516
Author: William Tu <u901...@gmail.com>
Date: Wed Jan 24 01:01:29 2018 +0000
net: erspan: fix use-after-free
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10603882e00000
start commit: 1ec8f1f0 Linux 4.14.111
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=fdadf290ea9fc6f9
dashboard link: https://syzkaller.appspot.com/bug?extid=c55520aef43a00617448
dashboard link: https://syzkaller.appspot.com/bug?extid=c55520aef43a00617448
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=126d38d3200000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11e0efab200000
If the result looks correct, please mark the bug fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11e0efab200000
#syz fix: net: erspan: fix use-after-free
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages