KASAN: slab-out-of-bounds Write in skcipher_null_crypt
9 views
Skip to first unread message
syzbot
Aug 13, 2021, 11:48:21 AM8/13/21
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: addba38e7c3b Linux 4.19.203
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11a0936e300000
kernel config: https://syzkaller.appspot.com/x/.config?x=386a9e0a36f171d8
dashboard link: https://syzkaller.appspot.com/bug?extid=4c5c39dc88f23814d63d
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4c5c39...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
BUG: KASAN: slab-out-of-bounds in skcipher_null_crypt+0xb0/0x130 crypto/crypto_null.c:89
Write of size 4096 at addr ffff888093da0000 by task syz-executor.2/31061
CPU: 0 PID: 31061 Comm: syz-executor.2 Not tainted 4.19.203-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report+0x8f/0xa0 mm/kasan/report.c:412
memcpy+0x35/0x50 mm/kasan/kasan.c:303
memcpy include/linux/string.h:377 [inline]
skcipher_null_crypt+0xb0/0x130 crypto/crypto_null.c:89
skcipher_crypt_blkcipher crypto/skcipher.c:639 [inline]
skcipher_encrypt_blkcipher+0x1c6/0x290 crypto/skcipher.c:648
crypto_skcipher_encrypt include/crypto/skcipher.h:445 [inline]
crypto_authenc_encrypt+0x723/0xad0 crypto/authenc.c:237
crypto_aead_encrypt include/crypto/aead.h:337 [inline]
esp6_output_tail+0x87a/0x1920 net/ipv6/esp6.c:406
esp6_output+0x48d/0xa60 net/ipv6/esp6.c:476
xfrm_output_one net/xfrm/xfrm_output.c:115 [inline]
xfrm_output_resume+0x81d/0x22b0 net/xfrm/xfrm_output.c:150
xfrm_output2 net/xfrm/xfrm_output.c:177 [inline]
xfrm_output+0x266/0x980 net/xfrm/xfrm_output.c:262
__xfrm6_output+0x1c6/0x11e0 net/ipv6/xfrm6_output.c:184
NF_HOOK_COND include/linux/netfilter.h:278 [inline]
xfrm6_output+0x127/0x510 net/ipv6/xfrm6_output.c:189
dst_output include/net/dst.h:455 [inline]
ip6_local_out+0xaf/0x170 net/ipv6/output_core.c:160
ip6_send_skb+0xb3/0x300 net/ipv6/ip6_output.c:1741
ip6_push_pending_frames+0xbd/0xe0 net/ipv6/ip6_output.c:1761
rawv6_push_pending_frames net/ipv6/raw.c:618 [inline]
rawv6_sendmsg+0x2a81/0x36a0 net/ipv6/raw.c:959
inet_sendmsg+0x132/0x5a0 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:661
___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2225
__sys_sendmsg net/socket.c:2263 [inline]
__do_sys_sendmsg net/socket.c:2272 [inline]
__se_sys_sendmsg net/socket.c:2270 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2270
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7c1c3db188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665e9
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003
RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffc2c04437f R14: 00007f7c1c3db300 R15: 0000000000022000
Allocated by task 2413:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
ima_add_digest_entry+0x4e/0x490 security/integrity/ima/ima_queue.c:102
ima_add_template_entry+0x2d2/0x5a0 security/integrity/ima/ima_queue.c:182
ima_store_template+0x1b0/0x270 security/integrity/ima/ima_api.c:119
ima_store_measurement+0x1da/0x4c0 security/integrity/ima/ima_api.c:301
process_measurement+0x109f/0x1440 security/integrity/ima/ima_main.c:292
ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:391
do_last fs/namei.c:3425 [inline]
path_openat+0x7e4/0x2df0 fs/namei.c:3537
do_filp_open+0x18c/0x3f0 fs/namei.c:3567
do_sys_open+0x3b3/0x520 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 23093:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
__vunmap+0x2b2/0x3f0 mm/vmalloc.c:1537
vfree+0x65/0x100 mm/vmalloc.c:1598
__do_replace+0x16b/0x870 net/ipv6/netfilter/ip6_tables.c:1120
do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline]
do_ip6t_set_ctl+0x2d2/0x430 net/ipv6/netfilter/ip6_tables.c:1686
nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
nf_setsockopt+0x6f/0xc0 net/netfilter/nf_sockopt.c:115
ipv6_setsockopt+0x103/0x160 net/ipv6/ipv6_sockglue.c:945
tcp_setsockopt+0x86/0xd0 net/ipv4/tcp.c:3108
__sys_setsockopt+0x14d/0x240 net/socket.c:2011
__do_sys_setsockopt net/socket.c:2022 [inline]
__se_sys_setsockopt net/socket.c:2019 [inline]
__x64_sys_setsockopt+0xba/0x150 net/socket.c:2019
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888093da0000
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
64-byte region [ffff888093da0000, ffff888093da0040)
The buggy address belongs to the page:
page:ffffea00024f6800 count:1 mapcount:0 mapping:ffff88813bff0340 index:0xffff888093da0b80
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002ae4788 ffffea0002a33248 ffff88813bff0340
raw: ffff888093da0b80 ffff888093da0000 000000010000001f 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888093d9ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888093d9ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888093da0000: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
^
ffff888093da0080: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
ffff888093da0100: 00 00 00 00 00 00 00 02 fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
0: ff c3 inc %ebx
2: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 40 00 nopl 0x0(%rax)
10: 48 89 f8 mov %rdi,%rax
13: 48 89 f7 mov %rsi,%rdi
16: 48 89 d6 mov %rdx,%rsi
19: 48 89 ca mov %rcx,%rdx
1c: 4d 89 c2 mov %r8,%r10
1f: 4d 89 c8 mov %r9,%r8
22: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
27: 0f 05 syscall
29: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
2f: 73 01 jae 0x32
31: c3 retq
32: 48 c7 c1 bc ff ff ff mov $0xffffffffffffffbc,%rcx
39: f7 d8 neg %eax
3b: 64 89 01 mov %eax,%fs:(%rcx)
3e: 48 rex.W
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: addba38e7c3b Linux 4.19.203
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11a0936e300000
kernel config: https://syzkaller.appspot.com/x/.config?x=386a9e0a36f171d8
dashboard link: https://syzkaller.appspot.com/bug?extid=4c5c39dc88f23814d63d
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4c5c39...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
BUG: KASAN: slab-out-of-bounds in skcipher_null_crypt+0xb0/0x130 crypto/crypto_null.c:89
Write of size 4096 at addr ffff888093da0000 by task syz-executor.2/31061
CPU: 0 PID: 31061 Comm: syz-executor.2 Not tainted 4.19.203-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report+0x8f/0xa0 mm/kasan/report.c:412
memcpy+0x35/0x50 mm/kasan/kasan.c:303
memcpy include/linux/string.h:377 [inline]
skcipher_null_crypt+0xb0/0x130 crypto/crypto_null.c:89
skcipher_crypt_blkcipher crypto/skcipher.c:639 [inline]
skcipher_encrypt_blkcipher+0x1c6/0x290 crypto/skcipher.c:648
crypto_skcipher_encrypt include/crypto/skcipher.h:445 [inline]
crypto_authenc_encrypt+0x723/0xad0 crypto/authenc.c:237
crypto_aead_encrypt include/crypto/aead.h:337 [inline]
esp6_output_tail+0x87a/0x1920 net/ipv6/esp6.c:406
esp6_output+0x48d/0xa60 net/ipv6/esp6.c:476
xfrm_output_one net/xfrm/xfrm_output.c:115 [inline]
xfrm_output_resume+0x81d/0x22b0 net/xfrm/xfrm_output.c:150
xfrm_output2 net/xfrm/xfrm_output.c:177 [inline]
xfrm_output+0x266/0x980 net/xfrm/xfrm_output.c:262
__xfrm6_output+0x1c6/0x11e0 net/ipv6/xfrm6_output.c:184
NF_HOOK_COND include/linux/netfilter.h:278 [inline]
xfrm6_output+0x127/0x510 net/ipv6/xfrm6_output.c:189
dst_output include/net/dst.h:455 [inline]
ip6_local_out+0xaf/0x170 net/ipv6/output_core.c:160
ip6_send_skb+0xb3/0x300 net/ipv6/ip6_output.c:1741
ip6_push_pending_frames+0xbd/0xe0 net/ipv6/ip6_output.c:1761
rawv6_push_pending_frames net/ipv6/raw.c:618 [inline]
rawv6_sendmsg+0x2a81/0x36a0 net/ipv6/raw.c:959
inet_sendmsg+0x132/0x5a0 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:661
___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2225
__sys_sendmsg net/socket.c:2263 [inline]
__do_sys_sendmsg net/socket.c:2272 [inline]
__se_sys_sendmsg net/socket.c:2270 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2270
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7c1c3db188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665e9
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003
RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffc2c04437f R14: 00007f7c1c3db300 R15: 0000000000022000
Allocated by task 2413:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
ima_add_digest_entry+0x4e/0x490 security/integrity/ima/ima_queue.c:102
ima_add_template_entry+0x2d2/0x5a0 security/integrity/ima/ima_queue.c:182
ima_store_template+0x1b0/0x270 security/integrity/ima/ima_api.c:119
ima_store_measurement+0x1da/0x4c0 security/integrity/ima/ima_api.c:301
process_measurement+0x109f/0x1440 security/integrity/ima/ima_main.c:292
ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:391
do_last fs/namei.c:3425 [inline]
path_openat+0x7e4/0x2df0 fs/namei.c:3537
do_filp_open+0x18c/0x3f0 fs/namei.c:3567
do_sys_open+0x3b3/0x520 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 23093:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
__vunmap+0x2b2/0x3f0 mm/vmalloc.c:1537
vfree+0x65/0x100 mm/vmalloc.c:1598
__do_replace+0x16b/0x870 net/ipv6/netfilter/ip6_tables.c:1120
do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline]
do_ip6t_set_ctl+0x2d2/0x430 net/ipv6/netfilter/ip6_tables.c:1686
nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
nf_setsockopt+0x6f/0xc0 net/netfilter/nf_sockopt.c:115
ipv6_setsockopt+0x103/0x160 net/ipv6/ipv6_sockglue.c:945
tcp_setsockopt+0x86/0xd0 net/ipv4/tcp.c:3108
__sys_setsockopt+0x14d/0x240 net/socket.c:2011
__do_sys_setsockopt net/socket.c:2022 [inline]
__se_sys_setsockopt net/socket.c:2019 [inline]
__x64_sys_setsockopt+0xba/0x150 net/socket.c:2019
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888093da0000
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
64-byte region [ffff888093da0000, ffff888093da0040)
The buggy address belongs to the page:
page:ffffea00024f6800 count:1 mapcount:0 mapping:ffff88813bff0340 index:0xffff888093da0b80
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002ae4788 ffffea0002a33248 ffff88813bff0340
raw: ffff888093da0b80 ffff888093da0000 000000010000001f 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888093d9ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888093d9ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888093da0000: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
^
ffff888093da0080: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
ffff888093da0100: 00 00 00 00 00 00 00 02 fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
0: ff c3 inc %ebx
2: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 40 00 nopl 0x0(%rax)
10: 48 89 f8 mov %rdi,%rax
13: 48 89 f7 mov %rsi,%rdi
16: 48 89 d6 mov %rdx,%rsi
19: 48 89 ca mov %rcx,%rdx
1c: 4d 89 c2 mov %r8,%r10
1f: 4d 89 c8 mov %r9,%r8
22: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
27: 0f 05 syscall
29: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
2f: 73 01 jae 0x32
31: c3 retq
32: 48 c7 c1 bc ff ff ff mov $0xffffffffffffffbc,%rcx
39: f7 d8 neg %eax
3b: 64 89 01 mov %eax,%fs:(%rcx)
3e: 48 rex.W
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Aug 13, 2021, 12:43:18 PM8/13/21
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: addba38e7c3b Linux 4.19.203
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14f65779300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16621581300000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4c5c39...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
BUG: KASAN: slab-out-of-bounds in skcipher_null_crypt+0xb0/0x130 crypto/crypto_null.c:89
Write of size 4096 at addr ffff88809bfd0000 by task syz-executor348/8107
CPU: 1 PID: 8107 Comm: syz-executor348 Not tainted 4.19.203-syzkaller #0
RIP: 0033:0x43f4b9
Code: 1d 01 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffffc29d778 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f4b9
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
RBP: 0000000000000005 R08: 6c616b7a79732f2e R09: 6c616b7a79732f2e
R10: 00000000000000e8 R11: 0000000000000246 R12: 00000000004034b0
R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488
Allocated by task 6253:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
getname_flags+0xce/0x590 fs/namei.c:140
do_sys_open+0x26c/0x520 fs/open.c:1079
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 6253:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
putname+0xe1/0x120 fs/namei.c:261
do_sys_open+0x2ba/0x520 fs/open.c:1094
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88809bfd0940
which belongs to the cache names_cache of size 4096
The buggy address is located 2368 bytes to the left of
4096-byte region [ffff88809bfd0940, ffff88809bfd1940)
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea00026d1b88 ffffea00026ff488 ffff88823b843380
raw: 0000000000000000 ffff88809bfd0940 0000000100000001 0000000000000000
ffff88809bfcff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88809bfd0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88809bfd0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88809bfd0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 1d 01 00 85 c0 sbb $0xc0850001,%eax
5: b8 00 00 00 00 mov $0x0,%eax
a: 48 0f 44 c3 cmove %rbx,%rax
e: 5b pop %rbx
f: c3 retq
10: 90 nop
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 retq
33: 48 c7 c1 c0 ff ff ff mov $0xffffffffffffffc0,%rcx
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
HEAD commit: addba38e7c3b Linux 4.19.203
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=386a9e0a36f171d8
dashboard link: https://syzkaller.appspot.com/bug?extid=4c5c39dc88f23814d63d
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11ee5dbe300000
dashboard link: https://syzkaller.appspot.com/bug?extid=4c5c39dc88f23814d63d
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16621581300000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4c5c39...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
BUG: KASAN: slab-out-of-bounds in skcipher_null_crypt+0xb0/0x130 crypto/crypto_null.c:89
CPU: 1 PID: 8107 Comm: syz-executor348 Not tainted 4.19.203-syzkaller #0
Code: 1d 01 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffffc29d778 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f4b9
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
RBP: 0000000000000005 R08: 6c616b7a79732f2e R09: 6c616b7a79732f2e
R10: 00000000000000e8 R11: 0000000000000246 R12: 00000000004034b0
R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488
Allocated by task 6253:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
getname_flags+0xce/0x590 fs/namei.c:140
do_sys_open+0x26c/0x520 fs/open.c:1079
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 6253:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
putname+0xe1/0x120 fs/namei.c:261
do_sys_open+0x2ba/0x520 fs/open.c:1094
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88809bfd0940
which belongs to the cache names_cache of size 4096
The buggy address is located 2368 bytes to the left of
4096-byte region [ffff88809bfd0940, ffff88809bfd1940)
The buggy address belongs to the page:
page:ffffea00026ff400 count:1 mapcount:0 mapping:ffff88823b843380 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea00026d1b88 ffffea00026ff488 ffff88823b843380
raw: 0000000000000000 ffff88809bfd0940 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809bfcff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff88809bfcff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88809bfd0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88809bfd0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88809bfd0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 1d 01 00 85 c0 sbb $0xc0850001,%eax
5: b8 00 00 00 00 mov $0x0,%eax
a: 48 0f 44 c3 cmove %rbx,%rax
e: 5b pop %rbx
f: c3 retq
10: 90 nop
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 retq
33: 48 c7 c1 c0 ff ff ff mov $0xffffffffffffffc0,%rcx
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Reply all
Reply to author
Forward
0 new messages