KASAN: use-after-free Read in tls_write_space
9 views
Skip to first unread message
syzbot
Apr 26, 2019, 2:51:06 PM4/26/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10230c14a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=3bf555e71f18e95ca90e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3bf555...@syzkaller.appspotmail.com
audit: type=1800 audit(2000000189.340:275): pid=29823 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op="collect_data" cause="failed(directio)" comm="syz-executor.1"
name="file0" dev="sda1" ino=18002 res=0
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
==================================================================
BUG: KASAN: use-after-free in tls_write_space+0x249/0x2a0
net/tls/tls_main.c:222
Read of size 1 at addr ffff8880a0159e70 by task syz-executor.3/29799
CPU: 0 PID: 29799 Comm: syz-executor.3 Not tainted 4.14.113 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
tls_write_space+0x249/0x2a0 net/tls/tls_main.c:222
tcp_new_space net/ipv4/tcp_input.c:5083 [inline]
tcp_check_space+0x3c0/0x670 net/ipv4/tcp_input.c:5094
tcp_data_snd_check net/ipv4/tcp_input.c:5104 [inline]
tcp_rcv_established+0x635/0x1650 net/ipv4/tcp_input.c:5550
tcp_v6_do_rcv+0x41a/0x1190 net/ipv6/tcp_ipv6.c:1301
sk_backlog_rcv include/net/sock.h:912 [inline]
__release_sock+0x132/0x350 net/core/sock.c:2262
release_sock+0x59/0x1c0 net/core/sock.c:2777
tls_sk_proto_close+0x14a/0x760 net/tls/tls_main.c:294
inet_release+0xf2/0x1c0 net/ipv4/af_inet.c:425
inet6_release+0x53/0x80 net/ipv6/af_inet6.c:450
__sock_release+0xd3/0x2c0 net/socket.c:602
sock_close+0x1b/0x30 net/socket.c:1139
__fput+0x277/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x119/0x190 kernel/task_work.c:113
get_signal+0x1689/0x1a80 kernel/signal.c:2220
do_signal+0x86/0x1980 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x15c/0x220 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x4a9/0x630 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458da9
RSP: 002b:00007f350767cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: 00000000002d48ad RBX: 0000000000000006 RCX: 0000000000458da9
RDX: fffffffffffffe75 RSI: 0000000020000000 RDI: 0000000000000004
RBP: 000000000073bfa0 R08: 0000000000000000 R09: fffffffffffffef1
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f350767d6d4
R13: 00000000004c6732 R14: 00000000004db0f0 R15: 00000000ffffffff
Allocated by task 29799:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
tls_init+0xb9/0x530 net/tls/tls_main.c:518
tcp_set_ulp+0x19c/0x4a7 net/ipv4/tcp_ulp.c:127
do_tcp_setsockopt.isra.0+0x235/0x1db0 net/ipv4/tcp.c:2521
tcp_setsockopt+0xb9/0xe0 net/ipv4/tcp.c:2807
sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2966
SYSC_setsockopt net/socket.c:1865 [inline]
SyS_setsockopt+0x141/0x210 net/socket.c:1844
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 29799:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
tls_ctx_free net/tls/tls_main.c:252 [inline]
tls_ctx_free net/tls/tls_main.c:246 [inline]
tls_sk_proto_close+0x13d/0x760 net/tls/tls_main.c:290
inet_release+0xf2/0x1c0 net/ipv4/af_inet.c:425
inet6_release+0x53/0x80 net/ipv6/af_inet6.c:450
__sock_release+0xd3/0x2c0 net/socket.c:602
sock_close+0x1b/0x30 net/socket.c:1139
__fput+0x277/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x119/0x190 kernel/task_work.c:113
get_signal+0x1689/0x1a80 kernel/signal.c:2220
do_signal+0x86/0x1980 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x15c/0x220 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x4a9/0x630 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880a0159e00
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 112 bytes inside of
192-byte region [ffff8880a0159e00, ffff8880a0159ec0)
The buggy address belongs to the page:
page:ffffea0002805640 count:1 mapcount:0 mapping:ffff8880a0159000 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff8880a0159000 0000000000000000 0000000100000010
raw: ffffea00018b1e20 ffffea00028072e0 ffff8880aa800040 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a0159d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a0159d80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8880a0159e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a0159e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880a0159f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10230c14a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=3bf555e71f18e95ca90e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3bf555...@syzkaller.appspotmail.com
audit: type=1800 audit(2000000189.340:275): pid=29823 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op="collect_data" cause="failed(directio)" comm="syz-executor.1"
name="file0" dev="sda1" ino=18002 res=0
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
==================================================================
BUG: KASAN: use-after-free in tls_write_space+0x249/0x2a0
net/tls/tls_main.c:222
Read of size 1 at addr ffff8880a0159e70 by task syz-executor.3/29799
CPU: 0 PID: 29799 Comm: syz-executor.3 Not tainted 4.14.113 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
tls_write_space+0x249/0x2a0 net/tls/tls_main.c:222
tcp_new_space net/ipv4/tcp_input.c:5083 [inline]
tcp_check_space+0x3c0/0x670 net/ipv4/tcp_input.c:5094
tcp_data_snd_check net/ipv4/tcp_input.c:5104 [inline]
tcp_rcv_established+0x635/0x1650 net/ipv4/tcp_input.c:5550
tcp_v6_do_rcv+0x41a/0x1190 net/ipv6/tcp_ipv6.c:1301
sk_backlog_rcv include/net/sock.h:912 [inline]
__release_sock+0x132/0x350 net/core/sock.c:2262
release_sock+0x59/0x1c0 net/core/sock.c:2777
tls_sk_proto_close+0x14a/0x760 net/tls/tls_main.c:294
inet_release+0xf2/0x1c0 net/ipv4/af_inet.c:425
inet6_release+0x53/0x80 net/ipv6/af_inet6.c:450
__sock_release+0xd3/0x2c0 net/socket.c:602
sock_close+0x1b/0x30 net/socket.c:1139
__fput+0x277/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x119/0x190 kernel/task_work.c:113
get_signal+0x1689/0x1a80 kernel/signal.c:2220
do_signal+0x86/0x1980 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x15c/0x220 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x4a9/0x630 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458da9
RSP: 002b:00007f350767cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: 00000000002d48ad RBX: 0000000000000006 RCX: 0000000000458da9
RDX: fffffffffffffe75 RSI: 0000000020000000 RDI: 0000000000000004
RBP: 000000000073bfa0 R08: 0000000000000000 R09: fffffffffffffef1
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f350767d6d4
R13: 00000000004c6732 R14: 00000000004db0f0 R15: 00000000ffffffff
Allocated by task 29799:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
tls_init+0xb9/0x530 net/tls/tls_main.c:518
tcp_set_ulp+0x19c/0x4a7 net/ipv4/tcp_ulp.c:127
do_tcp_setsockopt.isra.0+0x235/0x1db0 net/ipv4/tcp.c:2521
tcp_setsockopt+0xb9/0xe0 net/ipv4/tcp.c:2807
sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2966
SYSC_setsockopt net/socket.c:1865 [inline]
SyS_setsockopt+0x141/0x210 net/socket.c:1844
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 29799:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
tls_ctx_free net/tls/tls_main.c:252 [inline]
tls_ctx_free net/tls/tls_main.c:246 [inline]
tls_sk_proto_close+0x13d/0x760 net/tls/tls_main.c:290
inet_release+0xf2/0x1c0 net/ipv4/af_inet.c:425
inet6_release+0x53/0x80 net/ipv6/af_inet6.c:450
__sock_release+0xd3/0x2c0 net/socket.c:602
sock_close+0x1b/0x30 net/socket.c:1139
__fput+0x277/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x119/0x190 kernel/task_work.c:113
get_signal+0x1689/0x1a80 kernel/signal.c:2220
do_signal+0x86/0x1980 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x15c/0x220 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x4a9/0x630 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880a0159e00
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 112 bytes inside of
192-byte region [ffff8880a0159e00, ffff8880a0159ec0)
The buggy address belongs to the page:
page:ffffea0002805640 count:1 mapcount:0 mapping:ffff8880a0159000 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff8880a0159000 0000000000000000 0000000100000010
raw: ffffea00018b1e20 ffffea00028072e0 ffff8880aa800040 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a0159d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a0159d80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8880a0159e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a0159e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880a0159f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Oct 10, 2019, 1:22:07 PM10/10/19
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 42327896 Linux 4.14.148
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17b80f93600000
kernel config: https://syzkaller.appspot.com/x/.config?x=5238c31ab7201b12
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12467110e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3bf555...@syzkaller.appspotmail.com
net/tls/tls_main.c:222
Read of size 1 at addr ffff8880a1a61d70 by task syz-executor032/22283
CPU: 1 PID: 22283 Comm: syz-executor032 Not tainted 4.14.148 #0
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
tls_write_space+0x243/0x2a0 net/tls/tls_main.c:222
tcp_new_space net/ipv4/tcp_input.c:5099 [inline]
tcp_check_space+0x3bb/0x670 net/ipv4/tcp_input.c:5110
tcp_data_snd_check net/ipv4/tcp_input.c:5120 [inline]
tcp_rcv_established+0x635/0x1650 net/ipv4/tcp_input.c:5566
sk_backlog_rcv include/net/sock.h:912 [inline]
__release_sock+0x12d/0x350 net/core/sock.c:2264
release_sock+0x59/0x1b0 net/core/sock.c:2779
tls_sk_proto_close+0x14a/0x750 net/tls/tls_main.c:294
inet6_release+0x53/0x80 net/ipv6/af_inet6.c:450
__sock_release+0xce/0x2b0 net/socket.c:602
__fput+0x275/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x114/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1da/0x220 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297
RIP: 0033:0x407121
RSP: 002b:00007ffd32da7ce0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003
RBP: 000000000012fa39 R08: 00000001bb1414ac R09: 00000001bb1414ac
R10: 00007ffd32da7d00 R11: 0000000000000293 R12: 00000000006ddc40
R13: 0000000000000064 R14: 0000000000000008 R15: 00000000006ddc4c
Allocated by task 22286:
do_tcp_setsockopt.isra.0+0x22f/0x1e10 net/ipv4/tcp.c:2536
sock_common_setsockopt+0x94/0xd0 net/core/sock.c:2968
SYSC_setsockopt net/socket.c:1865 [inline]
SyS_setsockopt+0x13c/0x210 net/socket.c:1844
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 22283:
inet6_release+0x53/0x80 net/ipv6/af_inet6.c:450
__sock_release+0xce/0x2b0 net/socket.c:602
sock_close+0x1b/0x30 net/socket.c:1139
__fput+0x275/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x114/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1da/0x220 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x42/0xb7
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
The buggy address belongs to the object at ffff8880a1a61d00
raw: 01fffc0000000100 ffff8880a1a61000 0000000000000000 0000000100000010
raw: ffffea000200b660 ffffea000206a860 ffff8880aa800040 0000000000000000
ffff8880a1a61c80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8880a1a61d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a1a61d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880a1a61e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HEAD commit: 42327896 Linux 4.14.148
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17b80f93600000
kernel config: https://syzkaller.appspot.com/x/.config?x=5238c31ab7201b12
dashboard link: https://syzkaller.appspot.com/bug?extid=3bf555e71f18e95ca90e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12189bb3600000
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12467110e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3bf555...@syzkaller.appspotmail.com
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
==================================================================
BUG: KASAN: use-after-free in tls_write_space+0x243/0x2a0
cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
==================================================================
net/tls/tls_main.c:222
Read of size 1 at addr ffff8880a1a61d70 by task syz-executor032/22283
CPU: 1 PID: 22283 Comm: syz-executor032 Not tainted 4.14.148 #0
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
cookies. Check SNMP counters.
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
cookies. Check SNMP counters.
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
tls_write_space+0x243/0x2a0 net/tls/tls_main.c:222
tcp_new_space net/ipv4/tcp_input.c:5099 [inline]
tcp_check_space+0x3bb/0x670 net/ipv4/tcp_input.c:5110
tcp_data_snd_check net/ipv4/tcp_input.c:5120 [inline]
tcp_rcv_established+0x635/0x1650 net/ipv4/tcp_input.c:5566
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
tcp_v6_do_rcv+0x417/0x1190 net/ipv6/tcp_ipv6.c:1301
cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
sk_backlog_rcv include/net/sock.h:912 [inline]
__release_sock+0x12d/0x350 net/core/sock.c:2264
release_sock+0x59/0x1b0 net/core/sock.c:2779
tls_sk_proto_close+0x14a/0x750 net/tls/tls_main.c:294
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
inet_release+0xec/0x1c0 net/ipv4/af_inet.c:425
cookies. Check SNMP counters.
inet6_release+0x53/0x80 net/ipv6/af_inet6.c:450
__sock_release+0xce/0x2b0 net/socket.c:602
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
sock_close+0x1b/0x30 net/socket.c:1139
cookies. Check SNMP counters.
__fput+0x275/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x114/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1da/0x220 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
entry_SYSCALL_64_after_hwframe+0x42/0xb7
cookies. Check SNMP counters.
RIP: 0033:0x407121
RSP: 002b:00007ffd32da7ce0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000407121
cookies. Check SNMP counters.
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000003
RBP: 000000000012fa39 R08: 00000001bb1414ac R09: 00000001bb1414ac
R10: 00007ffd32da7d00 R11: 0000000000000293 R12: 00000000006ddc40
R13: 0000000000000064 R14: 0000000000000008 R15: 00000000006ddc4c
Allocated by task 22286:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
cookies. Check SNMP counters.
kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
tls_init+0xb9/0x530 net/tls/tls_main.c:518
tcp_set_ulp+0x196/0x4a1 net/ipv4/tcp_ulp.c:127
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
tls_init+0xb9/0x530 net/tls/tls_main.c:518
do_tcp_setsockopt.isra.0+0x22f/0x1e10 net/ipv4/tcp.c:2536
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
tcp_setsockopt+0xb3/0xd0 net/ipv4/tcp.c:2822
cookies. Check SNMP counters.
sock_common_setsockopt+0x94/0xd0 net/core/sock.c:2968
SYSC_setsockopt net/socket.c:1865 [inline]
SyS_setsockopt+0x13c/0x210 net/socket.c:1844
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 22283:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
tls_ctx_free net/tls/tls_main.c:252 [inline]
tls_ctx_free net/tls/tls_main.c:246 [inline]
tls_sk_proto_close+0x13d/0x750 net/tls/tls_main.c:290
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
tls_ctx_free net/tls/tls_main.c:252 [inline]
tls_ctx_free net/tls/tls_main.c:246 [inline]
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
inet_release+0xec/0x1c0 net/ipv4/af_inet.c:425
cookies. Check SNMP counters.
inet6_release+0x53/0x80 net/ipv6/af_inet6.c:450
__sock_release+0xce/0x2b0 net/socket.c:602
sock_close+0x1b/0x30 net/socket.c:1139
__fput+0x275/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x114/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1da/0x220 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x42/0xb7
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 112 bytes inside of
192-byte region [ffff8880a1a61d00, ffff8880a1a61dc0)
The buggy address is located 112 bytes inside of
The buggy address belongs to the page:
page:ffffea0002869840 count:1 mapcount:0 mapping:ffff8880a1a61000 index:0x0
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
flags: 0x1fffc0000000100(slab)
cookies. Check SNMP counters.
raw: 01fffc0000000100 ffff8880a1a61000 0000000000000000 0000000100000010
raw: ffffea000200b660 ffffea000206a860 ffff8880aa800040 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a1a61c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff8880a1a61c80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8880a1a61d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a1a61d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880a1a61e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reply all
Reply to author
Forward
0 new messages