KASAN: slab-out-of-bounds Write in tcindex_set_parms
18 views
Skip to first unread message
syzbot
Mar 11, 2020, 4:08:15 AM3/11/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 7472c402 Linux 4.19.108
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1568aaf9e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=6d889e71eea7bde
dashboard link: https://syzkaller.appspot.com/bug?extid=07793f753385ffac9073
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13cef439e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15cb8991e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+07793f...@syzkaller.appspotmail.com
audit: type=1400 audit(1583913938.595:36): avc: denied { map } for pid=7966 comm="syz-executor066" path="/root/syz-executor066597159" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: slab-out-of-bounds in tcindex_set_parms+0x17d0/0x19d0 net/sched/cls_tcindex.c:455
Write of size 16 at addr ffff8880a54778b8 by task syz-executor066/7967
CPU: 0 PID: 7967 Comm: syz-executor066 Not tainted 4.19.108-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
tcindex_set_parms+0x17d0/0x19d0 net/sched/cls_tcindex.c:455
tcindex_change+0x200/0x2d3 net/sched/cls_tcindex.c:517
tc_new_tfilter+0xa6b/0x1450 net/sched/cls_api.c:1320
rtnetlink_rcv_msg+0x453/0xaf0 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440eb9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe0f5cf728 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004a2690 RCX: 0000000000440eb9
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 00000000004a2690 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004023c0
R13: 0000000000402450 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 1524:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x14d/0x7a0 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
kthread+0x96/0x420 kernel/kthread.c:215
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff8880a5477800
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 184 bytes inside of
192-byte region [ffff8880a5477800, ffff8880a54778c0)
The buggy address belongs to the page:
page:ffffea0002951dc0 count:1 mapcount:0 mapping:ffff88812c3dc040 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea000296f948 ffffea00029a9008 ffff88812c3dc040
raw: 0000000000000000 ffff8880a5477000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a5477780: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a5477800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a5477880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff8880a5477900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a5477980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 7472c402 Linux 4.19.108
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1568aaf9e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=6d889e71eea7bde
dashboard link: https://syzkaller.appspot.com/bug?extid=07793f753385ffac9073
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13cef439e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15cb8991e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+07793f...@syzkaller.appspotmail.com
audit: type=1400 audit(1583913938.595:36): avc: denied { map } for pid=7966 comm="syz-executor066" path="/root/syz-executor066597159" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: slab-out-of-bounds in tcindex_set_parms+0x17d0/0x19d0 net/sched/cls_tcindex.c:455
Write of size 16 at addr ffff8880a54778b8 by task syz-executor066/7967
CPU: 0 PID: 7967 Comm: syz-executor066 Not tainted 4.19.108-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
tcindex_set_parms+0x17d0/0x19d0 net/sched/cls_tcindex.c:455
tcindex_change+0x200/0x2d3 net/sched/cls_tcindex.c:517
tc_new_tfilter+0xa6b/0x1450 net/sched/cls_api.c:1320
rtnetlink_rcv_msg+0x453/0xaf0 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440eb9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe0f5cf728 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004a2690 RCX: 0000000000440eb9
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 00000000004a2690 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004023c0
R13: 0000000000402450 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 1524:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x14d/0x7a0 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
kthread+0x96/0x420 kernel/kthread.c:215
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff8880a5477800
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 184 bytes inside of
192-byte region [ffff8880a5477800, ffff8880a54778c0)
The buggy address belongs to the page:
page:ffffea0002951dc0 count:1 mapcount:0 mapping:ffff88812c3dc040 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea000296f948 ffffea00029a9008 ffff88812c3dc040
raw: 0000000000000000 ffff8880a5477000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a5477780: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a5477800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a5477880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff8880a5477900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a5477980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Mar 18, 2020, 12:05:16 PM3/18/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 12cd844a Linux 4.14.173
syzbot found the following crash on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14141be3e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8a9d0602a0f7791e
dashboard link: https://syzkaller.appspot.com/bug?extid=a5203d2fc3d2d926b2e1
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1638f32de00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11a2cbe3e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
audit: type=1400 audit(1584547305.820:36): avc: denied { map } for pid=7472 comm="syz-executor195" path="/root/syz-executor195313127" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: slab-out-of-bounds in tcindex_set_parms+0x1521/0x16a0 net/sched/cls_tcindex.c:473
==================================================================
Write of size 16 at addr ffff8880a935d470 by task syz-executor195/7473
CPU: 0 PID: 7473 Comm: syz-executor195 Not tainted 4.14.173-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
Call Trace:
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
tcindex_set_parms+0x1521/0x16a0 net/sched/cls_tcindex.c:473
tcindex_change+0x1b5/0x270 net/sched/cls_tcindex.c:534
tc_ctl_tfilter+0xf13/0x18e6 net/sched/cls_api.c:738
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4315
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440e79
RSP: 002b:00007fff1171bcb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 00007fff1171bcc0 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 7473:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x14d/0x7b0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
sock_alloc_inode+0x5f/0x250 net/socket.c:254
alloc_inode+0x5d/0x170 fs/inode.c:209
new_inode_pseudo+0x14/0xe0 fs/inode.c:898
sock_alloc+0x3c/0x270 net/socket.c:569
__sock_create+0x89/0x620 net/socket.c:1239
sock_create net/socket.c:1315 [inline]
SYSC_socket net/socket.c:1345 [inline]
SyS_socket+0xd2/0x170 net/socket.c:1325
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 400:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcb/0x260 mm/slab.c:3815
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
umh_complete+0x6d/0x80 kernel/umh.c:46
call_usermodehelper_exec_async+0x413/0x4c0 kernel/umh.c:110
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
The buggy address belongs to the object at ffff8880a935d3c0
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 48 bytes to the right of
128-byte region [ffff8880a935d3c0, ffff8880a935d440)
The buggy address belongs to the page:
page:ffffea0002a4d740 count:1 mapcount:0 mapping:ffff8880a935d000 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880a935d000 0000000000000000 0000000100000015
raw: ffffea0002a4d360 ffffea0002a4daa0 ffff88812fe56640 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a935d300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
Memory state around the buggy address:
ffff8880a935d380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
>ffff8880a935d400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff8880a935d480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a935d500: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
syzbot
Apr 10, 2020, 8:21:05 AM4/10/20
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit 557d015ffb27b672e24e6ad141fd887783871dc2
Author: Cong Wang <xiyou.w...@gmail.com>
Date: Thu Mar 12 05:42:28 2020 +0000
net_sched: keep alloc_hash updated after hash allocation
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=153f79e7e00000
start commit: 7472c402 Linux 4.19.108
git tree: linux-4.19.y
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17121dfde00000
If the result looks correct, please mark the bug fixed by replying with:
#syz fix: net_sched: keep alloc_hash updated after hash allocation
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 557d015ffb27b672e24e6ad141fd887783871dc2
Author: Cong Wang <xiyou.w...@gmail.com>
Date: Thu Mar 12 05:42:28 2020 +0000
net_sched: keep alloc_hash updated after hash allocation
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=153f79e7e00000
start commit: 7472c402 Linux 4.19.108
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=6d889e71eea7bde
dashboard link: https://syzkaller.appspot.com/bug?extid=07793f753385ffac9073
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12160af9e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=07793f753385ffac9073
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17121dfde00000
If the result looks correct, please mark the bug fixed by replying with:
#syz fix: net_sched: keep alloc_hash updated after hash allocation
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Apr 17, 2020, 3:49:04 PM4/17/20
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit 9f8b6c44be178c2498a00b270872a6e30e7c8266
Author: Cong Wang <xiyou.w...@gmail.com>
Date: Thu Mar 12 05:42:28 2020 +0000
net_sched: keep alloc_hash updated after hash allocation
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=105664d7e00000
Date: Thu Mar 12 05:42:28 2020 +0000
net_sched: keep alloc_hash updated after hash allocation
start commit: 12cd844a Linux 4.14.173
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=8a9d0602a0f7791e
dashboard link: https://syzkaller.appspot.com/bug?extid=a5203d2fc3d2d926b2e1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13ef961de00000
dashboard link: https://syzkaller.appspot.com/bug?extid=a5203d2fc3d2d926b2e1
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1456ab55e00000
Reply all
Reply to author
Forward
0 new messages