KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user
5 views
Skip to first unread message
syzbot
Mar 10, 2020, 11:06:14 PM3/10/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 7472c402 Linux 4.19.108
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1207d81de00000
kernel config: https://syzkaller.appspot.com/x/.config?x=6d889e71eea7bde
dashboard link: https://syzkaller.appspot.com/bug?extid=f17ced8a8ca56b539ca2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f17ced...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x205/0x400 security/selinux/xfrm.c:102
Read of size 768 at addr ffff8880946da174 by task syz-executor.5/29289
CPU: 0 PID: 29289 Comm: syz-executor.5 Not tainted 4.19.108-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
memcpy+0x20/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:348 [inline]
selinux_xfrm_alloc_user+0x205/0x400 security/selinux/xfrm.c:102
security_xfrm_policy_alloc+0x6c/0xb0 security/security.c:1631
copy_from_user_sec_ctx net/xfrm/xfrm_user.c:1461 [inline]
xfrm_policy_construct+0x2a8/0x660 net/xfrm/xfrm_user.c:1626
xfrm_add_acquire+0x215/0x9f0 net/xfrm/xfrm_user.c:2279
xfrm_user_rcv_msg+0x40c/0x6b0 net/xfrm/xfrm_user.c:2677
netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2685
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c4a9
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f33b9033c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f33b90346d4 RCX: 000000000045c4a9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009fb R14: 00000000004cc78e R15: 000000000076bf2c
Allocated by task 29289:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703
__kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:137
__alloc_skb+0xef/0x5b0 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:995 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1190 [inline]
netlink_sendmsg+0x8d6/0xcd0 net/netlink/af_netlink.c:1884
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8111:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/kasan.c:521
__cache_free mm/slab.c:3503 [inline]
kfree+0xce/0x220 mm/slab.c:3822
skb_free_head+0x91/0xb0 net/core/skbuff.c:554
skb_release_data+0x600/0x8c0 net/core/skbuff.c:574
skb_release_all+0x46/0x60 net/core/skbuff.c:631
__kfree_skb net/core/skbuff.c:645 [inline]
consume_skb net/core/skbuff.c:705 [inline]
consume_skb+0xda/0x380 net/core/skbuff.c:699
skb_free_datagram+0x16/0xf0 net/core/datagram.c:329
netlink_recvmsg+0x667/0xea0 net/netlink/af_netlink.c:1988
sock_recvmsg_nosec net/socket.c:795 [inline]
sock_recvmsg net/socket.c:802 [inline]
sock_recvmsg+0xca/0x110 net/socket.c:798
___sys_recvmsg+0x271/0x580 net/socket.c:2277
__sys_recvmsg+0xe9/0x1b0 net/socket.c:2326
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880946da040
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 308 bytes inside of
1024-byte region [ffff8880946da040, ffff8880946da440)
The buggy address belongs to the page:
page:ffffea000251b680 count:1 mapcount:0 mapping:ffff88812c3dcac0 index:0xffff8880946da940 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0002034308 ffffea0002a41788 ffff88812c3dcac0
raw: ffff8880946da940 ffff8880946da040 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880946da300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880946da380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880946da400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff8880946da480: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff8880946da500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 7472c402 Linux 4.19.108
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1207d81de00000
kernel config: https://syzkaller.appspot.com/x/.config?x=6d889e71eea7bde
dashboard link: https://syzkaller.appspot.com/bug?extid=f17ced8a8ca56b539ca2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f17ced...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x205/0x400 security/selinux/xfrm.c:102
Read of size 768 at addr ffff8880946da174 by task syz-executor.5/29289
CPU: 0 PID: 29289 Comm: syz-executor.5 Not tainted 4.19.108-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
memcpy+0x20/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:348 [inline]
selinux_xfrm_alloc_user+0x205/0x400 security/selinux/xfrm.c:102
security_xfrm_policy_alloc+0x6c/0xb0 security/security.c:1631
copy_from_user_sec_ctx net/xfrm/xfrm_user.c:1461 [inline]
xfrm_policy_construct+0x2a8/0x660 net/xfrm/xfrm_user.c:1626
xfrm_add_acquire+0x215/0x9f0 net/xfrm/xfrm_user.c:2279
xfrm_user_rcv_msg+0x40c/0x6b0 net/xfrm/xfrm_user.c:2677
netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2685
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c4a9
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f33b9033c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f33b90346d4 RCX: 000000000045c4a9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009fb R14: 00000000004cc78e R15: 000000000076bf2c
Allocated by task 29289:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703
__kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:137
__alloc_skb+0xef/0x5b0 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:995 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1190 [inline]
netlink_sendmsg+0x8d6/0xcd0 net/netlink/af_netlink.c:1884
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8111:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/kasan.c:521
__cache_free mm/slab.c:3503 [inline]
kfree+0xce/0x220 mm/slab.c:3822
skb_free_head+0x91/0xb0 net/core/skbuff.c:554
skb_release_data+0x600/0x8c0 net/core/skbuff.c:574
skb_release_all+0x46/0x60 net/core/skbuff.c:631
__kfree_skb net/core/skbuff.c:645 [inline]
consume_skb net/core/skbuff.c:705 [inline]
consume_skb+0xda/0x380 net/core/skbuff.c:699
skb_free_datagram+0x16/0xf0 net/core/datagram.c:329
netlink_recvmsg+0x667/0xea0 net/netlink/af_netlink.c:1988
sock_recvmsg_nosec net/socket.c:795 [inline]
sock_recvmsg net/socket.c:802 [inline]
sock_recvmsg+0xca/0x110 net/socket.c:798
___sys_recvmsg+0x271/0x580 net/socket.c:2277
__sys_recvmsg+0xe9/0x1b0 net/socket.c:2326
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880946da040
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 308 bytes inside of
1024-byte region [ffff8880946da040, ffff8880946da440)
The buggy address belongs to the page:
page:ffffea000251b680 count:1 mapcount:0 mapping:ffff88812c3dcac0 index:0xffff8880946da940 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0002034308 ffffea0002a41788 ffff88812c3dcac0
raw: ffff8880946da940 ffff8880946da040 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880946da300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880946da380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880946da400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff8880946da480: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff8880946da500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Mar 10, 2020, 11:21:16 PM3/10/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 7472c402 Linux 4.19.108
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13fb00b1e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118f0439e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f17ced...@syzkaller.appspotmail.com
kauditd_printk_skb: 3 callbacks suppressed
audit: type=1400 audit(1583896668.577:36): avc: denied { map } for pid=8070 comm="syz-executor877" path="/root/syz-executor877659611" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
CPU: 0 PID: 8070 Comm: syz-executor877 Not tainted 4.19.108-syzkaller #0
RIP: 0033:0x4405f9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd06fd0338 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004405f9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401e80
R13: 0000000000401f10 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 8070:
put_pipe_info+0xc2/0xe0 fs/pipe.c:570
pipe_release+0x1d6/0x270 fs/pipe.c:591
__fput+0x2cd/0x890 fs/file_table.c:278
task_work_run+0x13f/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x25a/0x2b0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a9534900
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0002451b88 ffffea0002a13008 ffff88812c3dcac0
raw: 0000000000000000 ffff8880a9534000 0000000100000007 0000000000000000
ffff8880a9534c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a9534d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880a9534d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a9534e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
HEAD commit: 7472c402 Linux 4.19.108
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=6d889e71eea7bde
dashboard link: https://syzkaller.appspot.com/bug?extid=f17ced8a8ca56b539ca2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1473b981e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=f17ced8a8ca56b539ca2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118f0439e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f17ced...@syzkaller.appspotmail.com
audit: type=1400 audit(1583896668.577:36): avc: denied { map } for pid=8070 comm="syz-executor877" path="/root/syz-executor877659611" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x205/0x400 security/selinux/xfrm.c:102
Read of size 768 at addr ffff8880a9534a34 by task syz-executor877/8070
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x205/0x400 security/selinux/xfrm.c:102
CPU: 0 PID: 8070 Comm: syz-executor877 Not tainted 4.19.108-syzkaller #0
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd06fd0338 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004405f9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401e80
R13: 0000000000401f10 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 8070:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703
__kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:137
__alloc_skb+0xef/0x5b0 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:995 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1190 [inline]
netlink_sendmsg+0x8d6/0xcd0 net/netlink/af_netlink.c:1884
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 4450:
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703
__kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:137
__alloc_skb+0xef/0x5b0 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:995 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1190 [inline]
netlink_sendmsg+0x8d6/0xcd0 net/netlink/af_netlink.c:1884
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/kasan.c:521
__cache_free mm/slab.c:3503 [inline]
kfree+0xce/0x220 mm/slab.c:3822
free_pipe_info+0x232/0x2f0 fs/pipe.c:697
__kasan_slab_free+0xf7/0x140 mm/kasan/kasan.c:521
__cache_free mm/slab.c:3503 [inline]
kfree+0xce/0x220 mm/slab.c:3822
put_pipe_info+0xc2/0xe0 fs/pipe.c:570
pipe_release+0x1d6/0x270 fs/pipe.c:591
__fput+0x2cd/0x890 fs/file_table.c:278
task_work_run+0x13f/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x25a/0x2b0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a9534900
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 308 bytes inside of
1024-byte region [ffff8880a9534900, ffff8880a9534d00)
The buggy address is located 308 bytes inside of
The buggy address belongs to the page:
page:ffffea0002a54d00 count:1 mapcount:0 mapping:ffff88812c3dcac0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0002451b88 ffffea0002a13008 ffff88812c3dcac0
raw: 0000000000000000 ffff8880a9534000 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a9534c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff8880a9534c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a9534d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880a9534d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a9534e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
syzbot
Apr 14, 2020, 6:00:03 PM4/14/20
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit 0a7b397c013322fec975f30012302f694efba2da
Author: Xin Long <lucie...@gmail.com>
Date: Sun Feb 9 13:16:38 2020 +0000
xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16dc4a00100000
start commit: 56920971 Linux 4.19.109
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=c73648903e665531
dashboard link: https://syzkaller.appspot.com/bug?extid=f17ced8a8ca56b539ca2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=125061f9e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=164ac52de00000
If the result looks correct, please mark the bug fixed by replying with:
#syz fix: xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 0a7b397c013322fec975f30012302f694efba2da
Author: Xin Long <lucie...@gmail.com>
Date: Sun Feb 9 13:16:38 2020 +0000
xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16dc4a00100000
start commit: 56920971 Linux 4.19.109
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=c73648903e665531
dashboard link: https://syzkaller.appspot.com/bug?extid=f17ced8a8ca56b539ca2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=125061f9e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=164ac52de00000
If the result looks correct, please mark the bug fixed by replying with:
#syz fix: xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages