KASAN: use-after-free Read in __netif_receive_skb_core
10 views
Skip to first unread message
syzbot
Oct 8, 2020, 12:31:18 AM10/8/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: a1b977b4 Linux 4.19.150
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=130f5d4f900000
kernel config: https://syzkaller.appspot.com/x/.config?x=c14008c8da1ca4d4
dashboard link: https://syzkaller.appspot.com/bug?extid=9c0e01d331d59bafac92
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1413a668500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9c0e01...@syzkaller.appspotmail.com
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
bond0: caif0 ether type (0) is different from other slaves (1), can not enslave it
==================================================================
bond0: gre0 is up - this may be due to an out of date ifenslave
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:193 [inline]
BUG: KASAN: use-after-free in __netif_receive_skb_core+0x2ce9/0x33c0 net/core/dev.c:4831
Read of size 8 at addr ffff88808bfb6ab0 by task syz-executor.0/8043
CPU: 0 PID: 8043 Comm: syz-executor.0 Not tainted 4.19.150-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x22c/0x33e lib/dump_stack.c:118
print_address_description.cold+0x56/0x25c mm/kasan/report.c:256
kasan_report_error.cold+0x66/0xb9 mm/kasan/report.c:354
bond0: gre0 is up - this may be due to an out of date ifenslave
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__read_once_size include/linux/compiler.h:193 [inline]
__netif_receive_skb_core+0x2ce9/0x33c0 net/core/dev.c:4831
__netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:4952
__netif_receive_skb+0x27/0x1c0 net/core/dev.c:5066
process_backlog+0x261/0x760 net/core/dev.c:5848
napi_poll net/core/dev.c:6272 [inline]
net_rx_action+0x4e5/0x10d0 net/core/dev.c:6338
__do_softirq+0x27d/0xad2 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x22d/0x270 kernel/softirq.c:412
exiting_irq arch/x86/include/asm/apic.h:544 [inline]
smp_apic_timer_interrupt+0x15f/0x5d0 arch/x86/kernel/apic/apic.c:1094
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:789 [inline]
RIP: 0010:rcu_read_unlock_special+0x4a0/0x10b0 kernel/rcu/tree_plugin.h:601
Code: 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 5e 0b 00 00 48 83 3d f4 74 04 08 00 0f 84 67 06 00 00 48 8b 3c 24 57 9d <0f> 1f 44 00 00 48 83 c4 40 5b 5d 41 5c 41 5d 41 5e 41 5f c3 c3 48
RSP: 0018:ffff888097056f98 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff12c713d RBX: 0000000000000000 RCX: 1ffff110118ee5e7
RDX: dffffc0000000000 RSI: ffff88808c772f40 RDI: 0000000000000286
RBP: ffff88808c7729b4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808c772640
R13: ffff88808c7729b6 R14: ffff88808c7729b5 R15: ffffffff89741080
__rcu_read_unlock+0x158/0x160 kernel/rcu/tree_plugin.h:428
rcu_read_unlock include/linux/rcupdate.h:680 [inline]
is_bpf_text_address+0x119/0x1f0 kernel/bpf/core.c:547
kernel_text_address kernel/extable.c:152 [inline]
kernel_text_address+0xbd/0xf0 kernel/extable.c:122
__kernel_text_address+0x9/0x30 kernel/extable.c:107
unwind_get_return_address+0x51/0x90 arch/x86/kernel/unwind_orc.c:297
__save_stack_trace+0x99/0x100 arch/x86/kernel/stacktrace.c:45
save_stack mm/kasan/kasan.c:448 [inline]
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:553
__do_kmalloc mm/slab.c:3727 [inline]
__kmalloc+0x15a/0x4f0 mm/slab.c:3736
kmalloc include/linux/slab.h:520 [inline]
context_struct_to_string+0x3dc/0x7a0 security/selinux/ss/services.c:1253
security_sid_to_context_core+0x2ea/0x440 security/selinux/ss/services.c:1329
selinux_inode_init_security+0x453/0x7e0 security/selinux/hooks.c:3091
security_inode_init_security+0x14b/0x370 security/security.c:487
__ext4_new_inode+0x42e5/0x5e40 fs/ext4/ialloc.c:1165
ext4_create+0x29e/0x5f0 fs/ext4/namei.c:2487
lookup_open+0x86c/0x19c0 fs/namei.c:3235
do_last fs/namei.c:3327 [inline]
path_openat+0x10d6/0x2e90 fs/namei.c:3537
do_filp_open+0x18c/0x3f0 fs/namei.c:3567
do_sys_open+0x3b3/0x520 fs/open.c:1085
do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45de29
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f63043fac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0000000000022140 RCX: 000000000045de29
RDX: 0000000000000000 RSI: 00000000001013c1 RDI: 00000000200000c0
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffc3fcc965f R14: 00007f63043fb9c0 R15: 000000000118bf2c
Allocated by task 8046:
__do_kmalloc mm/slab.c:3727 [inline]
__kmalloc+0x15a/0x4f0 mm/slab.c:3736
kmalloc include/linux/slab.h:520 [inline]
sk_prot_alloc+0x1e2/0x2d0 net/core/sock.c:1466
sk_alloc+0x36/0x1100 net/core/sock.c:1520
packet_create+0x117/0x800 net/packet/af_packet.c:3259
__sock_create+0x495/0x820 net/socket.c:1276
sock_create net/socket.c:1316 [inline]
__sys_socket+0xef/0x200 net/socket.c:1346
__do_sys_socket net/socket.c:1355 [inline]
__se_sys_socket net/socket.c:1353 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1353
do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8044:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x250 mm/slab.c:3822
sk_prot_free net/core/sock.c:1503 [inline]
__sk_destruct+0x61d/0x830 net/core/sock.c:1584
sk_destruct net/core/sock.c:1599 [inline]
__sk_free+0x165/0x3b0 net/core/sock.c:1610
sk_free+0x3b/0x50 net/core/sock.c:1621
sock_put include/net/sock.h:1711 [inline]
packet_release+0x890/0xb70 net/packet/af_packet.c:3088
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x8a0 fs/file_table.c:278
task_work_run+0x141/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x269/0x2c0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x57c/0x670 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88808bfb62c0
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 2032 bytes inside of
2048-byte region [ffff88808bfb62c0, ffff88808bfb6ac0)
The buggy address belongs to the page:
page:ffffea00022fed80 count:1 mapcount:0 mapping:ffff88812c3f6c40 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea00022fba08 ffffea000245c608 ffff88812c3f6c40
raw: 0000000000000000 ffff88808bfb62c0 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808bfb6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88808bfb6a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88808bfb6a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff88808bfb6b00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff88808bfb6b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: a1b977b4 Linux 4.19.150
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=130f5d4f900000
kernel config: https://syzkaller.appspot.com/x/.config?x=c14008c8da1ca4d4
dashboard link: https://syzkaller.appspot.com/bug?extid=9c0e01d331d59bafac92
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1413a668500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9c0e01...@syzkaller.appspotmail.com
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
bond0: caif0 ether type (0) is different from other slaves (1), can not enslave it
==================================================================
bond0: gre0 is up - this may be due to an out of date ifenslave
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:193 [inline]
BUG: KASAN: use-after-free in __netif_receive_skb_core+0x2ce9/0x33c0 net/core/dev.c:4831
Read of size 8 at addr ffff88808bfb6ab0 by task syz-executor.0/8043
CPU: 0 PID: 8043 Comm: syz-executor.0 Not tainted 4.19.150-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x22c/0x33e lib/dump_stack.c:118
print_address_description.cold+0x56/0x25c mm/kasan/report.c:256
kasan_report_error.cold+0x66/0xb9 mm/kasan/report.c:354
bond0: gre0 is up - this may be due to an out of date ifenslave
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__read_once_size include/linux/compiler.h:193 [inline]
__netif_receive_skb_core+0x2ce9/0x33c0 net/core/dev.c:4831
__netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:4952
__netif_receive_skb+0x27/0x1c0 net/core/dev.c:5066
process_backlog+0x261/0x760 net/core/dev.c:5848
napi_poll net/core/dev.c:6272 [inline]
net_rx_action+0x4e5/0x10d0 net/core/dev.c:6338
__do_softirq+0x27d/0xad2 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x22d/0x270 kernel/softirq.c:412
exiting_irq arch/x86/include/asm/apic.h:544 [inline]
smp_apic_timer_interrupt+0x15f/0x5d0 arch/x86/kernel/apic/apic.c:1094
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:789 [inline]
RIP: 0010:rcu_read_unlock_special+0x4a0/0x10b0 kernel/rcu/tree_plugin.h:601
Code: 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 5e 0b 00 00 48 83 3d f4 74 04 08 00 0f 84 67 06 00 00 48 8b 3c 24 57 9d <0f> 1f 44 00 00 48 83 c4 40 5b 5d 41 5c 41 5d 41 5e 41 5f c3 c3 48
RSP: 0018:ffff888097056f98 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff12c713d RBX: 0000000000000000 RCX: 1ffff110118ee5e7
RDX: dffffc0000000000 RSI: ffff88808c772f40 RDI: 0000000000000286
RBP: ffff88808c7729b4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808c772640
R13: ffff88808c7729b6 R14: ffff88808c7729b5 R15: ffffffff89741080
__rcu_read_unlock+0x158/0x160 kernel/rcu/tree_plugin.h:428
rcu_read_unlock include/linux/rcupdate.h:680 [inline]
is_bpf_text_address+0x119/0x1f0 kernel/bpf/core.c:547
kernel_text_address kernel/extable.c:152 [inline]
kernel_text_address+0xbd/0xf0 kernel/extable.c:122
__kernel_text_address+0x9/0x30 kernel/extable.c:107
unwind_get_return_address+0x51/0x90 arch/x86/kernel/unwind_orc.c:297
__save_stack_trace+0x99/0x100 arch/x86/kernel/stacktrace.c:45
save_stack mm/kasan/kasan.c:448 [inline]
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:553
__do_kmalloc mm/slab.c:3727 [inline]
__kmalloc+0x15a/0x4f0 mm/slab.c:3736
kmalloc include/linux/slab.h:520 [inline]
context_struct_to_string+0x3dc/0x7a0 security/selinux/ss/services.c:1253
security_sid_to_context_core+0x2ea/0x440 security/selinux/ss/services.c:1329
selinux_inode_init_security+0x453/0x7e0 security/selinux/hooks.c:3091
security_inode_init_security+0x14b/0x370 security/security.c:487
__ext4_new_inode+0x42e5/0x5e40 fs/ext4/ialloc.c:1165
ext4_create+0x29e/0x5f0 fs/ext4/namei.c:2487
lookup_open+0x86c/0x19c0 fs/namei.c:3235
do_last fs/namei.c:3327 [inline]
path_openat+0x10d6/0x2e90 fs/namei.c:3537
do_filp_open+0x18c/0x3f0 fs/namei.c:3567
do_sys_open+0x3b3/0x520 fs/open.c:1085
do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45de29
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f63043fac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0000000000022140 RCX: 000000000045de29
RDX: 0000000000000000 RSI: 00000000001013c1 RDI: 00000000200000c0
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffc3fcc965f R14: 00007f63043fb9c0 R15: 000000000118bf2c
Allocated by task 8046:
__do_kmalloc mm/slab.c:3727 [inline]
__kmalloc+0x15a/0x4f0 mm/slab.c:3736
kmalloc include/linux/slab.h:520 [inline]
sk_prot_alloc+0x1e2/0x2d0 net/core/sock.c:1466
sk_alloc+0x36/0x1100 net/core/sock.c:1520
packet_create+0x117/0x800 net/packet/af_packet.c:3259
__sock_create+0x495/0x820 net/socket.c:1276
sock_create net/socket.c:1316 [inline]
__sys_socket+0xef/0x200 net/socket.c:1346
__do_sys_socket net/socket.c:1355 [inline]
__se_sys_socket net/socket.c:1353 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1353
do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8044:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x250 mm/slab.c:3822
sk_prot_free net/core/sock.c:1503 [inline]
__sk_destruct+0x61d/0x830 net/core/sock.c:1584
sk_destruct net/core/sock.c:1599 [inline]
__sk_free+0x165/0x3b0 net/core/sock.c:1610
sk_free+0x3b/0x50 net/core/sock.c:1621
sock_put include/net/sock.h:1711 [inline]
packet_release+0x890/0xb70 net/packet/af_packet.c:3088
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x8a0 fs/file_table.c:278
task_work_run+0x141/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x269/0x2c0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x57c/0x670 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88808bfb62c0
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 2032 bytes inside of
2048-byte region [ffff88808bfb62c0, ffff88808bfb6ac0)
The buggy address belongs to the page:
page:ffffea00022fed80 count:1 mapcount:0 mapping:ffff88812c3f6c40 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea00022fba08 ffffea000245c608 ffff88812c3f6c40
raw: 0000000000000000 ffff88808bfb62c0 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808bfb6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88808bfb6a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88808bfb6a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff88808bfb6b00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff88808bfb6b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages