KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user
8 views
Skip to first unread message
syzbot
Mar 22, 2020, 4:06:13 PM3/22/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 01364dad Linux 4.14.174
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16a54719e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=664dd71881ab2b2d
dashboard link: https://syzkaller.appspot.com/bug?extid=3d7e81b960bbb3a85b54
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=143b65b1e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e4e8c5e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3d7e81...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1584907391.239:36): avc: denied { map } for pid=7333 comm="syz-executor381" path="/root/syz-executor381074400" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x1e3/0x3b0 security/selinux/xfrm.c:102
Read of size 768 at addr ffff888086059374 by task syz-executor381/7333
CPU: 0 PID: 7333 Comm: syz-executor381 Not tainted 4.14.174-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
memcpy+0x20/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
selinux_xfrm_alloc_user+0x1e3/0x3b0 security/selinux/xfrm.c:102
security_xfrm_policy_alloc+0x76/0xb0 security/security.c:1574
copy_from_user_sec_ctx net/xfrm/xfrm_user.c:1418 [inline]
xfrm_policy_construct+0x287/0x570 net/xfrm/xfrm_user.c:1583
xfrm_add_acquire+0x1f5/0x990 net/xfrm/xfrm_user.c:2218
xfrm_user_rcv_msg+0x37d/0x5f0 net/xfrm/xfrm_user.c:2613
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2621
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4405f9
RSP: 002b:00007fff85641518 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004405f9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401e80
R13: 0000000000401f10 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 7333:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3696
__kmalloc_reserve.isra.0+0x35/0xd0 net/core/skbuff.c:137
__alloc_skb+0xca/0x4c0 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:980 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1159 [inline]
netlink_sendmsg+0x7de/0xbe0 net/netlink/af_netlink.c:1853
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff888086059240
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 308 bytes inside of
1024-byte region [ffff888086059240, ffff888086059640)
The buggy address belongs to the page:
page:ffffea0002181600 count:1 mapcount:0 mapping:ffff888086058040 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff888086058040 0000000000000000 0000000100000007
raw: ffffea00029880a0 ffffea00025512a0 ffff88812fe56ac0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888086059500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888086059580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888086059600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff888086059680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff888086059700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 01364dad Linux 4.14.174
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16a54719e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=664dd71881ab2b2d
dashboard link: https://syzkaller.appspot.com/bug?extid=3d7e81b960bbb3a85b54
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=143b65b1e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e4e8c5e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3d7e81...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1584907391.239:36): avc: denied { map } for pid=7333 comm="syz-executor381" path="/root/syz-executor381074400" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x1e3/0x3b0 security/selinux/xfrm.c:102
Read of size 768 at addr ffff888086059374 by task syz-executor381/7333
CPU: 0 PID: 7333 Comm: syz-executor381 Not tainted 4.14.174-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
memcpy+0x20/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
selinux_xfrm_alloc_user+0x1e3/0x3b0 security/selinux/xfrm.c:102
security_xfrm_policy_alloc+0x76/0xb0 security/security.c:1574
copy_from_user_sec_ctx net/xfrm/xfrm_user.c:1418 [inline]
xfrm_policy_construct+0x287/0x570 net/xfrm/xfrm_user.c:1583
xfrm_add_acquire+0x1f5/0x990 net/xfrm/xfrm_user.c:2218
xfrm_user_rcv_msg+0x37d/0x5f0 net/xfrm/xfrm_user.c:2613
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2621
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4405f9
RSP: 002b:00007fff85641518 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004405f9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401e80
R13: 0000000000401f10 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 7333:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3696
__kmalloc_reserve.isra.0+0x35/0xd0 net/core/skbuff.c:137
__alloc_skb+0xca/0x4c0 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:980 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1159 [inline]
netlink_sendmsg+0x7de/0xbe0 net/netlink/af_netlink.c:1853
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff888086059240
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 308 bytes inside of
1024-byte region [ffff888086059240, ffff888086059640)
The buggy address belongs to the page:
page:ffffea0002181600 count:1 mapcount:0 mapping:ffff888086058040 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff888086058040 0000000000000000 0000000100000007
raw: ffffea00029880a0 ffffea00025512a0 ffff88812fe56ac0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888086059500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888086059580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888086059600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff888086059680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff888086059700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Apr 21, 2020, 6:56:03 PM4/21/20
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit 25106012e91a2399c487f495f81a48186f5a6a73
Author: Xin Long <lucie...@gmail.com>
Date: Sun Feb 9 13:16:38 2020 +0000
xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1286eb17e00000
start commit: 01364dad Linux 4.14.174
git tree: linux-4.14.y
#syz fix: xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 25106012e91a2399c487f495f81a48186f5a6a73
Author: Xin Long <lucie...@gmail.com>
Date: Sun Feb 9 13:16:38 2020 +0000
xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1286eb17e00000
start commit: 01364dad Linux 4.14.174
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=664dd71881ab2b2d
dashboard link: https://syzkaller.appspot.com/bug?extid=3d7e81b960bbb3a85b54
dashboard link: https://syzkaller.appspot.com/bug?extid=3d7e81b960bbb3a85b54
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=143b65b1e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e4e8c5e00000
If the result looks correct, please mark the bug fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e4e8c5e00000
#syz fix: xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages