KASAN: use-after-free Read in ccid2_hc_tx_packet_recv (2)
11 views
Skip to first unread message
syzbot
Nov 9, 2019, 4:41:12 PM11/9/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: c9fda4f2 Linux 4.14.152
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10d1e352e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8e71058946820493
dashboard link: https://syzkaller.appspot.com/bug?extid=f82d6c1bfc332d1196b2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10d54352e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1764fd3ae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f82d6c...@syzkaller.appspotmail.com
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000038
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
dccp_parse_options: DCCP(ffff8880720a0a40): Option 32 (len=7) error=9
==================================================================
BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x1cf3/0x1fa4
net/dccp/ccids/ccid2.c:599
Read of size 1 at addr ffff888080f1b69d by task syz-executor278/6987
CPU: 0 PID: 6987 Comm: syz-executor278 Not tainted 4.14.152 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
ccid2_hc_tx_packet_recv+0x1cf3/0x1fa4 net/dccp/ccids/ccid2.c:599
ccid_hc_tx_packet_recv net/dccp/ccid.h:192 [inline]
dccp_deliver_input_to_ccids+0x1d5/0x250 net/dccp/input.c:186
dccp_rcv_established net/dccp/input.c:378 [inline]
dccp_rcv_established+0x6b/0xb0 net/dccp/input.c:368
dccp_v4_do_rcv+0x122/0x170 net/dccp/ipv4.c:656
sk_backlog_rcv include/net/sock.h:912 [inline]
__release_sock+0x12d/0x350 net/core/sock.c:2264
release_sock+0x59/0x1b0 net/core/sock.c:2779
dccp_sendmsg+0x57e/0x950 net/dccp/proto.c:813
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x349/0x840 net/socket.c:2062
__sys_sendmmsg+0x152/0x3a0 net/socket.c:2152
SYSC_sendmmsg net/socket.c:2183 [inline]
SyS_sendmmsg+0x35/0x60 net/socket.c:2178
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x444279
RSP: 002b:00007ffe668258b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444279
RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000006
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000038
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 6987:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node_track_caller+0x51/0x80 mm/slab.c:3696
__kmalloc_reserve.isra.0+0x40/0xe0 net/core/skbuff.c:137
__alloc_skb+0xcf/0x500 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:980 [inline]
dccp_send_ack+0xc7/0x330 net/dccp/output.c:580
ccid2_hc_rx_packet_recv+0x10e/0x180 net/dccp/ccids/ccid2.c:778
ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
dccp_deliver_input_to_ccids+0xdd/0x250 net/dccp/input.c:180
dccp_rcv_established net/dccp/input.c:378 [inline]
dccp_rcv_established+0x6b/0xb0 net/dccp/input.c:368
dccp_v4_do_rcv+0x122/0x170 net/dccp/ipv4.c:656
sk_backlog_rcv include/net/sock.h:912 [inline]
__sk_receive_skb+0x226/0x950 net/core/sock.c:511
dccp_v4_rcv+0xd47/0x1903 net/dccp/ipv4.c:877
ip_local_deliver_finish+0x25e/0xad0 net/ipv4/ip_input.c:216
NF_HOOK include/linux/netfilter.h:250 [inline]
NF_HOOK include/linux/netfilter.h:244 [inline]
ip_local_deliver+0x1c3/0x4a0 net/ipv4/ip_input.c:257
dst_input include/net/dst.h:468 [inline]
ip_rcv_finish+0x7be/0x1a50 net/ipv4/ip_input.c:396
NF_HOOK include/linux/netfilter.h:250 [inline]
NF_HOOK include/linux/netfilter.h:244 [inline]
ip_rcv+0xaa5/0x112b net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x1eae/0x2ca0 net/core/dev.c:4477
__netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4515
process_backlog+0x21f/0x730 net/core/dev.c:5197
napi_poll net/core/dev.c:5598 [inline]
net_rx_action+0x490/0xf80 net/core/dev.c:5664
__do_softirq+0x244/0x9a0 kernel/softirq.c:288
Freed by task 6987:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
skb_free_head+0x8b/0xb0 net/core/skbuff.c:554
skb_release_data+0x4af/0x700 net/core/skbuff.c:574
skb_release_all+0x4d/0x60 net/core/skbuff.c:631
__kfree_skb net/core/skbuff.c:645 [inline]
kfree_skb+0xb5/0x340 net/core/skbuff.c:663
dccp_v4_do_rcv net/dccp/ipv4.c:691 [inline]
dccp_v4_do_rcv+0x13e/0x170 net/dccp/ipv4.c:651
sk_backlog_rcv include/net/sock.h:912 [inline]
__release_sock+0x12d/0x350 net/core/sock.c:2264
release_sock+0x59/0x1b0 net/core/sock.c:2779
dccp_sendmsg+0x57e/0x950 net/dccp/proto.c:813
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x349/0x840 net/socket.c:2062
__sys_sendmmsg+0x152/0x3a0 net/socket.c:2152
SYSC_sendmmsg net/socket.c:2183 [inline]
SyS_sendmmsg+0x35/0x60 net/socket.c:2178
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff888080f1b200
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1181 bytes inside of
2048-byte region [ffff888080f1b200, ffff888080f1ba00)
The buggy address belongs to the page:
page:ffffea000203c680 count:1 mapcount:0 mapping:ffff888080f1a100 index:0x0
compound_mapcount: 0
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffff888080f1a100 0000000000000000 0000000100000003
raw: ffffea0001c966a0 ffffea0001c969a0 ffff8880aa800c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888080f1b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888080f1b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888080f1b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888080f1b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888080f1b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: c9fda4f2 Linux 4.14.152
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10d1e352e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8e71058946820493
dashboard link: https://syzkaller.appspot.com/bug?extid=f82d6c1bfc332d1196b2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10d54352e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1764fd3ae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f82d6c...@syzkaller.appspotmail.com
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000038
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
dccp_parse_options: DCCP(ffff8880720a0a40): Option 32 (len=7) error=9
==================================================================
BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x1cf3/0x1fa4
net/dccp/ccids/ccid2.c:599
Read of size 1 at addr ffff888080f1b69d by task syz-executor278/6987
CPU: 0 PID: 6987 Comm: syz-executor278 Not tainted 4.14.152 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
ccid2_hc_tx_packet_recv+0x1cf3/0x1fa4 net/dccp/ccids/ccid2.c:599
ccid_hc_tx_packet_recv net/dccp/ccid.h:192 [inline]
dccp_deliver_input_to_ccids+0x1d5/0x250 net/dccp/input.c:186
dccp_rcv_established net/dccp/input.c:378 [inline]
dccp_rcv_established+0x6b/0xb0 net/dccp/input.c:368
dccp_v4_do_rcv+0x122/0x170 net/dccp/ipv4.c:656
sk_backlog_rcv include/net/sock.h:912 [inline]
__release_sock+0x12d/0x350 net/core/sock.c:2264
release_sock+0x59/0x1b0 net/core/sock.c:2779
dccp_sendmsg+0x57e/0x950 net/dccp/proto.c:813
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x349/0x840 net/socket.c:2062
__sys_sendmmsg+0x152/0x3a0 net/socket.c:2152
SYSC_sendmmsg net/socket.c:2183 [inline]
SyS_sendmmsg+0x35/0x60 net/socket.c:2178
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x444279
RSP: 002b:00007ffe668258b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444279
RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000006
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000038
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 6987:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node_track_caller+0x51/0x80 mm/slab.c:3696
__kmalloc_reserve.isra.0+0x40/0xe0 net/core/skbuff.c:137
__alloc_skb+0xcf/0x500 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:980 [inline]
dccp_send_ack+0xc7/0x330 net/dccp/output.c:580
ccid2_hc_rx_packet_recv+0x10e/0x180 net/dccp/ccids/ccid2.c:778
ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
dccp_deliver_input_to_ccids+0xdd/0x250 net/dccp/input.c:180
dccp_rcv_established net/dccp/input.c:378 [inline]
dccp_rcv_established+0x6b/0xb0 net/dccp/input.c:368
dccp_v4_do_rcv+0x122/0x170 net/dccp/ipv4.c:656
sk_backlog_rcv include/net/sock.h:912 [inline]
__sk_receive_skb+0x226/0x950 net/core/sock.c:511
dccp_v4_rcv+0xd47/0x1903 net/dccp/ipv4.c:877
ip_local_deliver_finish+0x25e/0xad0 net/ipv4/ip_input.c:216
NF_HOOK include/linux/netfilter.h:250 [inline]
NF_HOOK include/linux/netfilter.h:244 [inline]
ip_local_deliver+0x1c3/0x4a0 net/ipv4/ip_input.c:257
dst_input include/net/dst.h:468 [inline]
ip_rcv_finish+0x7be/0x1a50 net/ipv4/ip_input.c:396
NF_HOOK include/linux/netfilter.h:250 [inline]
NF_HOOK include/linux/netfilter.h:244 [inline]
ip_rcv+0xaa5/0x112b net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x1eae/0x2ca0 net/core/dev.c:4477
__netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4515
process_backlog+0x21f/0x730 net/core/dev.c:5197
napi_poll net/core/dev.c:5598 [inline]
net_rx_action+0x490/0xf80 net/core/dev.c:5664
__do_softirq+0x244/0x9a0 kernel/softirq.c:288
Freed by task 6987:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
skb_free_head+0x8b/0xb0 net/core/skbuff.c:554
skb_release_data+0x4af/0x700 net/core/skbuff.c:574
skb_release_all+0x4d/0x60 net/core/skbuff.c:631
__kfree_skb net/core/skbuff.c:645 [inline]
kfree_skb+0xb5/0x340 net/core/skbuff.c:663
dccp_v4_do_rcv net/dccp/ipv4.c:691 [inline]
dccp_v4_do_rcv+0x13e/0x170 net/dccp/ipv4.c:651
sk_backlog_rcv include/net/sock.h:912 [inline]
__release_sock+0x12d/0x350 net/core/sock.c:2264
release_sock+0x59/0x1b0 net/core/sock.c:2779
dccp_sendmsg+0x57e/0x950 net/dccp/proto.c:813
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x349/0x840 net/socket.c:2062
__sys_sendmmsg+0x152/0x3a0 net/socket.c:2152
SYSC_sendmmsg net/socket.c:2183 [inline]
SyS_sendmmsg+0x35/0x60 net/socket.c:2178
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff888080f1b200
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1181 bytes inside of
2048-byte region [ffff888080f1b200, ffff888080f1ba00)
The buggy address belongs to the page:
page:ffffea000203c680 count:1 mapcount:0 mapping:ffff888080f1a100 index:0x0
compound_mapcount: 0
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffff888080f1a100 0000000000000000 0000000100000003
raw: ffffea0001c966a0 ffffea0001c969a0 ffff8880aa800c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888080f1b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888080f1b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888080f1b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888080f1b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888080f1b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Nov 11, 2019, 9:14:02 AM11/11/19
to syzkaller...@googlegroups.com
syzbot has bisected this bug to:
commit 3fa6f616a7a4d0bdf4d877d530456d8a5c3b109b
Author: David Ahern <dsa...@gmail.com>
Date: Mon Aug 7 15:44:17 2017 +0000
net: ipv4: add second dif to inet socket lookups
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1443f1e6e00000
start commit: c9fda4f2 Linux 4.14.152
git tree: linux-4.14.y
final crash: https://syzkaller.appspot.com/x/report.txt?x=1643f1e6e00000
console output: https://syzkaller.appspot.com/x/log.txt?x=1243f1e6e00000
Fixes: 3fa6f616a7a4 ("net: ipv4: add second dif to inet socket lookups")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 3fa6f616a7a4d0bdf4d877d530456d8a5c3b109b
Author: David Ahern <dsa...@gmail.com>
Date: Mon Aug 7 15:44:17 2017 +0000
net: ipv4: add second dif to inet socket lookups
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1443f1e6e00000
start commit: c9fda4f2 Linux 4.14.152
git tree: linux-4.14.y
final crash: https://syzkaller.appspot.com/x/report.txt?x=1643f1e6e00000
console output: https://syzkaller.appspot.com/x/log.txt?x=1243f1e6e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8e71058946820493
dashboard link: https://syzkaller.appspot.com/bug?extid=f82d6c1bfc332d1196b2
dashboard link: https://syzkaller.appspot.com/bug?extid=f82d6c1bfc332d1196b2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10d54352e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1764fd3ae00000
Reported-by: syzbot+f82d6c...@syzkaller.appspotmail.com
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1764fd3ae00000
Fixes: 3fa6f616a7a4 ("net: ipv4: add second dif to inet socket lookups")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages