Hello,
syzbot found the following crash on:
HEAD commit: 7472c402 Linux 4.19.108
git tree: linux-4.19.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=1207d81de00000
kernel config:
https://syzkaller.appspot.com/x/.config?x=6d889e71eea7bde
dashboard link:
https://syzkaller.appspot.com/bug?extid=f17ced8a8ca56b539ca2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+f17ced...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x205/0x400 security/selinux/xfrm.c:102
Read of size 768 at addr ffff8880946da174 by task syz-executor.5/29289
CPU: 0 PID: 29289 Comm: syz-executor.5 Not tainted 4.19.108-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
memcpy+0x20/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:348 [inline]
selinux_xfrm_alloc_user+0x205/0x400 security/selinux/xfrm.c:102
security_xfrm_policy_alloc+0x6c/0xb0 security/security.c:1631
copy_from_user_sec_ctx net/xfrm/xfrm_user.c:1461 [inline]
xfrm_policy_construct+0x2a8/0x660 net/xfrm/xfrm_user.c:1626
xfrm_add_acquire+0x215/0x9f0 net/xfrm/xfrm_user.c:2279
xfrm_user_rcv_msg+0x40c/0x6b0 net/xfrm/xfrm_user.c:2677
netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2685
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c4a9
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f33b9033c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f33b90346d4 RCX: 000000000045c4a9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009fb R14: 00000000004cc78e R15: 000000000076bf2c
Allocated by task 29289:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703
__kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:137
__alloc_skb+0xef/0x5b0 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:995 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1190 [inline]
netlink_sendmsg+0x8d6/0xcd0 net/netlink/af_netlink.c:1884
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8111:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/kasan.c:521
__cache_free mm/slab.c:3503 [inline]
kfree+0xce/0x220 mm/slab.c:3822
skb_free_head+0x91/0xb0 net/core/skbuff.c:554
skb_release_data+0x600/0x8c0 net/core/skbuff.c:574
skb_release_all+0x46/0x60 net/core/skbuff.c:631
__kfree_skb net/core/skbuff.c:645 [inline]
consume_skb net/core/skbuff.c:705 [inline]
consume_skb+0xda/0x380 net/core/skbuff.c:699
skb_free_datagram+0x16/0xf0 net/core/datagram.c:329
netlink_recvmsg+0x667/0xea0 net/netlink/af_netlink.c:1988
sock_recvmsg_nosec net/socket.c:795 [inline]
sock_recvmsg net/socket.c:802 [inline]
sock_recvmsg+0xca/0x110 net/socket.c:798
___sys_recvmsg+0x271/0x580 net/socket.c:2277
__sys_recvmsg+0xe9/0x1b0 net/socket.c:2326
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880946da040
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 308 bytes inside of
1024-byte region [ffff8880946da040, ffff8880946da440)
The buggy address belongs to the page:
page:ffffea000251b680 count:1 mapcount:0 mapping:ffff88812c3dcac0 index:0xffff8880946da940 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0002034308 ffffea0002a41788 ffff88812c3dcac0
raw: ffff8880946da940 ffff8880946da040 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880946da300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880946da380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880946da400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff8880946da480: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff8880946da500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.