KASAN: use-after-free Write in ipgre_header

syzbot, Aug 4, 2022, 5:58:21 PM, to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: b641242202ed Linux 4.14.290
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1717008e080000
kernel config: https://syzkaller.appspot.com/x/.config?x=d2165c966db95316
dashboard link: https://syzkaller.appspot.com/bug?extid=01568647ffd3d8a466a1
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=173274bc080000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17b8613e080000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+015686...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
syz-executor366 (8184) used greatest stack depth: 24576 bytes left
syz-executor366 (8185) used greatest stack depth: 24496 bytes left
==================================================================
BUG: KASAN: use-after-free in ipgre_header+0x32e/0x340 net/ipv4/ip_gre.c:850
Write of size 2 at addr ffff88816b700836 by task syz-executor366/8187

CPU: 1 PID: 8187 Comm: syz-executor366 Not tainted 4.14.290-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_store_n_noabort+0x6b/0x80 mm/kasan/report.c:446
ipgre_header+0x32e/0x340 net/ipv4/ip_gre.c:850
dev_hard_header include/linux/netdevice.h:2723 [inline]
neigh_connected_output+0x355/0x580 net/core/neighbour.c:1393
neigh_output include/net/neighbour.h:500 [inline]
ip_finish_output2+0xba6/0x1340 net/ipv4/ip_output.c:237
ip_finish_output+0x37c/0xc50 net/ipv4/ip_output.c:325
NF_HOOK_COND include/linux/netfilter.h:239 [inline]
ip_mc_output+0x220/0xcb0 net/ipv4/ip_output.c:398
dst_output include/net/dst.h:470 [inline]
ip_local_out+0x93/0x170 net/ipv4/ip_output.c:125
iptunnel_xmit+0x5cc/0x950 net/ipv4/ip_tunnel_core.c:91
ip_tunnel_xmit+0xedc/0x33e0 net/ipv4/ip_tunnel.c:799
ipip_tunnel_xmit+0x1ea/0x240 net/ipv4/ipip.c:308
__netdev_start_xmit include/linux/netdevice.h:4054 [inline]
netdev_start_xmit include/linux/netdevice.h:4063 [inline]
xmit_one net/core/dev.c:3005 [inline]
dev_hard_start_xmit+0x188/0x890 net/core/dev.c:3021
__dev_queue_xmit+0x1d7f/0x2480 net/core/dev.c:3521
neigh_output include/net/neighbour.h:500 [inline]
ip_finish_output2+0xba6/0x1340 net/ipv4/ip_output.c:237
ip_finish_output+0x37c/0xc50 net/ipv4/ip_output.c:325
NF_HOOK_COND include/linux/netfilter.h:239 [inline]
ip_mc_output+0x220/0xcb0 net/ipv4/ip_output.c:398
dst_output include/net/dst.h:470 [inline]
ip_local_out+0x93/0x170 net/ipv4/ip_output.c:125
iptunnel_xmit+0x5cc/0x950 net/ipv4/ip_tunnel_core.c:91
ip_tunnel_xmit+0xedc/0x33e0 net/ipv4/ip_tunnel.c:799
ipgre_xmit+0x412/0x780 net/ipv4/ip_gre.c:670
__netdev_start_xmit include/linux/netdevice.h:4054 [inline]
netdev_start_xmit include/linux/netdevice.h:4063 [inline]
xmit_one net/core/dev.c:3005 [inline]
dev_hard_start_xmit+0x188/0x890 net/core/dev.c:3021
__dev_queue_xmit+0x1d7f/0x2480 net/core/dev.c:3521
__bpf_tx_skb net/core/filter.c:1715 [inline]
__bpf_redirect_common net/core/filter.c:1754 [inline]
__bpf_redirect+0x5cf/0x9c0 net/core/filter.c:1761
____bpf_clone_redirect net/core/filter.c:1794 [inline]
bpf_clone_redirect+0x1e1/0x2c0 net/core/filter.c:1766
___bpf_prog_run+0x2459/0x5630 kernel/bpf/core.c:1133

The buggy address belongs to the page:
page:ffffea0005adc000 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x57ff00000000000()
raw: 057ff00000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0005adc020 ffffea0005adc020 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88816b700700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88816b700780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88816b700800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88816b700880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88816b700900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
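The report above carries everything a triager needs before looking at source: the access (a 2-byte write), the faulting address, the first frame outside the KASAN machinery, the shadow byte covering the address, and a call trace in which ip_tunnel_xmit appears twice (the skb was transmitted through a GRE device and then an ipip device before ipgre_header wrote into it). The helper below, an added example and not syzbot's or syzkaller's own tooling, parses those pieces out of a KASAN report and decodes the shadow byte; REPORT is the report above with most intermediate frames omitted, and the shadow-byte table is the one from mm/kasan/kasan.h in Linux 4.14 (0xff there is KASAN_FREE_PAGE, which agrees with the page dump's count:0).

```python
"""Triage helper for a KASAN report such as the one above. Added example, not
syzbot's or syzkaller's own code. REPORT is copied from the report above with
most intermediate frames omitted; SHADOW_TAGS follows mm/kasan/kasan.h (4.14)."""
import re
from dataclasses import dataclass, field

# Meaning of a KASAN shadow byte. 0x00: all 8 bytes of the granule are
# addressable; 0x01..0x07: only that many leading bytes are addressable.
SHADOW_TAGS = {
    0xFF: "freed page (KASAN_FREE_PAGE)",
    0xFE: "page redzone (KASAN_PAGE_REDZONE)",
    0xFC: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
    0xFB: "freed kmalloc object (KASAN_KMALLOC_FREE)",
    0xFA: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xF1: "stack left redzone", 0xF2: "stack mid redzone",
    0xF3: "stack right redzone", 0xF4: "stack partial redzone",
}

@dataclass
class Frame:
    func: str
    loc: str        # file:line
    inline: bool    # frame was inlined into the one printed below it

@dataclass
class Report:
    kind: str = ""
    func: str = ""
    loc: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    frames: list = field(default_factory=list)
    shadow: dict = field(default_factory=dict)  # row address -> 16 shadow bytes

HEAD_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)"
                     r"\+0x[0-9a-f]+/0x[0-9a-f]+ (?P<loc>\S+:\d+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>[^/\s]+)/(?P<pid>\d+)")
FRAME_RE = re.compile(r"^(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? "
                      r"(?P<loc>[\w/.-]+:\d+)(?P<inline> \[inline\])?$")
SHADOW_RE = re.compile(r"^>?\s*(?P<row>[0-9a-f]{16}):(?P<bytes>(?:\s+[0-9a-f]{2}){16})\s*$")

# Copied from the syzbot report above; intermediate frames omitted.
REPORT = """\
BUG: KASAN: use-after-free in ipgre_header+0x32e/0x340 net/ipv4/ip_gre.c:850
Write of size 2 at addr ffff88816b700836 by task syz-executor366/8187

Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_store_n_noabort+0x6b/0x80 mm/kasan/report.c:446
ipgre_header+0x32e/0x340 net/ipv4/ip_gre.c:850
dev_hard_header include/linux/netdevice.h:2723 [inline]
neigh_connected_output+0x355/0x580 net/core/neighbour.c:1393
ip_tunnel_xmit+0xedc/0x33e0 net/ipv4/ip_tunnel.c:799
ipip_tunnel_xmit+0x1ea/0x240 net/ipv4/ipip.c:308
ip_tunnel_xmit+0xedc/0x33e0 net/ipv4/ip_tunnel.c:799
ipgre_xmit+0x412/0x780 net/ipv4/ip_gre.c:670
bpf_clone_redirect+0x1e1/0x2c0 net/core/filter.c:1766

Memory state around the buggy address:
ffff88816b700780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88816b700800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88816b700880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

def parse_report(text: str) -> Report:
    r, in_trace = Report(), False
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEAD_RE.search(line):
            r.kind, r.func, r.loc = m["kind"], m["func"], m["loc"]
        elif m := ACCESS_RE.search(line):
            r.op, r.size, r.addr = m["op"], int(m["size"]), int(m["addr"], 16)
            r.task, r.pid = m["task"], int(m["pid"])
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and not line:
            in_trace = False            # trace ends at the first blank line
        elif in_trace and (m := FRAME_RE.match(line)):
            r.frames.append(Frame(m["func"], m["loc"], bool(m["inline"])))
        elif m := SHADOW_RE.match(line):
            r.shadow[int(m["row"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    return r

def shadow_byte(r: Report):
    """Shadow byte covering r.addr. KASAN prints rows of 16 shadow bytes,
    each covering an 8-byte granule, so a row spans 128 bytes of memory."""
    row = r.addr & ~0x7F
    idx = (r.addr - row) >> 3
    val = r.shadow[row][idx]
    if val == 0:
        meaning = "addressable"
    elif val < 8:
        meaning = f"partially addressable ({val} of 8 bytes)"
    else:
        meaning = SHADOW_TAGS.get(val, "unknown")
    return row, idx, val, meaning

def top_frame(r: Report) -> Frame:
    """First frame outside the KASAN / stack-dump machinery."""
    for f in r.frames:
        if not (f.loc.startswith("mm/kasan/") or f.loc.startswith("lib/dump_stack.c")):
            return f
    raise ValueError("no frame outside KASAN")

def count_frames(r: Report, func: str) -> int:
    """Occurrences of func in the trace; >1 for ip_tunnel_xmit means nested tunnels."""
    return sum(f.func == func for f in r.frames)

def summarize(r: Report) -> str:
    row, idx, val, meaning = shadow_byte(r)
    f = top_frame(r)
    return (f"{r.kind}: {r.op} of {r.size} bytes at {r.addr:#x} in {f.func} ({f.loc}) "
            f"by {r.task}/{r.pid}; shadow[{row:#x}][{idx}]={val:#04x} -> {meaning}; "
            f"ip_tunnel_xmit on stack {count_frames(r, 'ip_tunnel_xmit')}x")

if __name__ == "__main__":
    print(summarize(parse_report(REPORT)))
```

Feeding the full report (rather than the trimmed REPORT) works the same way, since frames are collected only between "Call Trace:" and the next blank line and shadow rows are matched by shape. The row/granule arithmetic in shadow_byte is the inverse of how KASAN lays out its "Memory state" dump, so the decoded byte is the same one the `^` marker points at.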