KASAN: null-ptr-deref in llcp_sock_getname
6 views
Skip to first unread message
syzbot
Oct 30, 2019, 1:08:09 AM10/30/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: ddef1e8e Linux 4.14.151
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=119c6be4e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a2b317f0c5f02ed3
dashboard link: https://syzkaller.appspot.com/bug?extid=63fbbf96a292870dd86b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17192e48e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13eb470f600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+63fbbf...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1572408311.438:36): avc: denied { map } for
pid=6826 comm="syz-executor496" path="/root/syz-executor496605180"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: null-ptr-deref in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: null-ptr-deref in llcp_sock_getname+0x38f/0x4a0
net/nfc/llcp_sock.c:532
BUG: unable to handle kernel
Read of size 43 at addr (null) by task syz-executor496/6833
NULL pointer dereference
CPU: 1 PID: 6833 Comm: syz-executor496 Not tainted 4.14.151 #0
at (null)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
IP: memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54
Call Trace:
PGD 93d0f067
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
P4D 93d0f067
PUD 9293b067
kasan_report_error mm/kasan/report.c:349 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0x127/0x2af mm/kasan/report.c:393
PMD 0
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
Oops: 0000 [#1] PREEMPT SMP KASAN
memcpy include/linux/string.h:347 [inline]
llcp_sock_getname+0x38f/0x4a0 net/nfc/llcp_sock.c:532
Modules linked in:
SYSC_getpeername+0x120/0x270 net/socket.c:1715
CPU: 0 PID: 6837 Comm: syz-executor496 Not tainted 4.14.151 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8880a9a900c0 task.stack: ffff8880a8728000
RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54
RSP: 0018:ffff8880a872fd20 EFLAGS: 00010246
SyS_getpeername+0x24/0x30 net/socket.c:1699
RAX: ffff8880a872fe0a RBX: ffff8880a872fdf8 RCX: 000000000000002b
RDX: 000000000000002b RSI: 0000000000000000 RDI: ffff8880a872fe0a
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
RBP: ffff8880a872fd40 R08: 1ffff110150e5fc1 R09: ffffed10150e5fc7
R10: ffffed10150e5fc6 R11: ffff8880a872fe34 R12: 000000000000002b
entry_SYSCALL_64_after_hwframe+0x42/0xb7
R13: ffff8880a872fe0a R14: 0000000000000000 R15: ffffffff87069cc0
RIP: 0033:0x4412b9
FS: 0000000001ca0880(0000) GS:ffff8880aee00000(0000) knlGS:0000000000000000
RSP: 002b:00007fffabcaa758 EFLAGS: 00000246
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
ORIG_RAX: 0000000000000034
CR2: 0000000000000000 CR3: 00000000916b4000 CR4: 00000000001406f0
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
Call Trace:
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402030
R13: 00000000004020c0 R14: 0000000000000000 R15: 0000000000000000
memcpy include/linux/string.h:347 [inline]
llcp_sock_getname+0x38f/0x4a0 net/nfc/llcp_sock.c:532
==================================================================
SYSC_getpeername+0x120/0x270 net/socket.c:1715
SyS_getpeername+0x24/0x30 net/socket.c:1699
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4412b9
RSP: 002b:00007fffabcaa758 EFLAGS: 00000246 ORIG_RAX: 0000000000000034
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402030
R13: 00000000004020c0 R14: 0000000000000000 R15: 0000000000000000
Code: 90 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07
f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f
1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38
RIP: memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54 RSP: ffff8880a872fd20
CR2: 0000000000000000
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54
PGD 99447067 P4D 99447067 PUD 967c6067 PMD 0
Oops: 0000 [#2] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 6835 Comm: syz-executor496 Tainted: G B D 4.14.151 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff888091fac380 task.stack: ffff8880a7fb8000
RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54
RSP: 0018:ffff8880a7fbfd20 EFLAGS: 00010246
RAX: ffff8880a7fbfe0a RBX: ffff8880a7fbfdf8 RCX: 000000000000002b
RDX: 000000000000002b RSI: 0000000000000000 RDI: ffff8880a7fbfe0a
RBP: ffff8880a7fbfd40 R08: 1ffff11014ff7fc1 R09: ffffed1014ff7fc7
R10: ffffed1014ff7fc6 R11: ffff8880a7fbfe34 R12: 000000000000002b
R13: ffff8880a7fbfe0a R14: 0000000000000000 R15: ffffffff87069cc0
FS: 0000000001ca0880(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000093326000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
memcpy include/linux/string.h:347 [inline]
llcp_sock_getname+0x38f/0x4a0 net/nfc/llcp_sock.c:532
SYSC_getpeername+0x120/0x270 net/socket.c:1715
SyS_getpeername+0x24/0x30 net/socket.c:1699
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4412b9
RSP: 002b:00007fffabcaa758 EFLAGS: 00000246 ORIG_RAX: 0000000000000034
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402030
R13: 00000000004020c0 R14: 0000000000000000 R15: 0000000000000000
Code: 90 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07
f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f
1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38
RIP: memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54 RSP: ffff8880a7fbfd20
CR2: 0000000000000000
BUG: unable to handle kernel NULL pointer dereference at (null)
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: ddef1e8e Linux 4.14.151
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=119c6be4e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a2b317f0c5f02ed3
dashboard link: https://syzkaller.appspot.com/bug?extid=63fbbf96a292870dd86b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17192e48e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13eb470f600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+63fbbf...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1572408311.438:36): avc: denied { map } for
pid=6826 comm="syz-executor496" path="/root/syz-executor496605180"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: null-ptr-deref in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: null-ptr-deref in llcp_sock_getname+0x38f/0x4a0
net/nfc/llcp_sock.c:532
BUG: unable to handle kernel
Read of size 43 at addr (null) by task syz-executor496/6833
NULL pointer dereference
CPU: 1 PID: 6833 Comm: syz-executor496 Not tainted 4.14.151 #0
at (null)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
IP: memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54
Call Trace:
PGD 93d0f067
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
P4D 93d0f067
PUD 9293b067
kasan_report_error mm/kasan/report.c:349 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0x127/0x2af mm/kasan/report.c:393
PMD 0
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
Oops: 0000 [#1] PREEMPT SMP KASAN
memcpy include/linux/string.h:347 [inline]
llcp_sock_getname+0x38f/0x4a0 net/nfc/llcp_sock.c:532
Modules linked in:
SYSC_getpeername+0x120/0x270 net/socket.c:1715
CPU: 0 PID: 6837 Comm: syz-executor496 Not tainted 4.14.151 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8880a9a900c0 task.stack: ffff8880a8728000
RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54
RSP: 0018:ffff8880a872fd20 EFLAGS: 00010246
SyS_getpeername+0x24/0x30 net/socket.c:1699
RAX: ffff8880a872fe0a RBX: ffff8880a872fdf8 RCX: 000000000000002b
RDX: 000000000000002b RSI: 0000000000000000 RDI: ffff8880a872fe0a
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
RBP: ffff8880a872fd40 R08: 1ffff110150e5fc1 R09: ffffed10150e5fc7
R10: ffffed10150e5fc6 R11: ffff8880a872fe34 R12: 000000000000002b
entry_SYSCALL_64_after_hwframe+0x42/0xb7
R13: ffff8880a872fe0a R14: 0000000000000000 R15: ffffffff87069cc0
RIP: 0033:0x4412b9
FS: 0000000001ca0880(0000) GS:ffff8880aee00000(0000) knlGS:0000000000000000
RSP: 002b:00007fffabcaa758 EFLAGS: 00000246
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
ORIG_RAX: 0000000000000034
CR2: 0000000000000000 CR3: 00000000916b4000 CR4: 00000000001406f0
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
Call Trace:
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402030
R13: 00000000004020c0 R14: 0000000000000000 R15: 0000000000000000
memcpy include/linux/string.h:347 [inline]
llcp_sock_getname+0x38f/0x4a0 net/nfc/llcp_sock.c:532
==================================================================
SYSC_getpeername+0x120/0x270 net/socket.c:1715
SyS_getpeername+0x24/0x30 net/socket.c:1699
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4412b9
RSP: 002b:00007fffabcaa758 EFLAGS: 00000246 ORIG_RAX: 0000000000000034
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402030
R13: 00000000004020c0 R14: 0000000000000000 R15: 0000000000000000
Code: 90 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07
f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f
1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38
RIP: memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54 RSP: ffff8880a872fd20
CR2: 0000000000000000
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54
PGD 99447067 P4D 99447067 PUD 967c6067 PMD 0
Oops: 0000 [#2] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 6835 Comm: syz-executor496 Tainted: G B D 4.14.151 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff888091fac380 task.stack: ffff8880a7fb8000
RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54
RSP: 0018:ffff8880a7fbfd20 EFLAGS: 00010246
RAX: ffff8880a7fbfe0a RBX: ffff8880a7fbfdf8 RCX: 000000000000002b
RDX: 000000000000002b RSI: 0000000000000000 RDI: ffff8880a7fbfe0a
RBP: ffff8880a7fbfd40 R08: 1ffff11014ff7fc1 R09: ffffed1014ff7fc7
R10: ffffed1014ff7fc6 R11: ffff8880a7fbfe34 R12: 000000000000002b
R13: ffff8880a7fbfe0a R14: 0000000000000000 R15: ffffffff87069cc0
FS: 0000000001ca0880(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000093326000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
memcpy include/linux/string.h:347 [inline]
llcp_sock_getname+0x38f/0x4a0 net/nfc/llcp_sock.c:532
SYSC_getpeername+0x120/0x270 net/socket.c:1715
SyS_getpeername+0x24/0x30 net/socket.c:1699
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4412b9
RSP: 002b:00007fffabcaa758 EFLAGS: 00000246 ORIG_RAX: 0000000000000034
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402030
R13: 00000000004020c0 R14: 0000000000000000 R15: 0000000000000000
Code: 90 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07
f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f
1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38
RIP: memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54 RSP: ffff8880a7fbfd20
CR2: 0000000000000000
BUG: unable to handle kernel NULL pointer dereference at (null)
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Nov 8, 2019, 8:26:01 AM11/8/19
to syzkaller...@googlegroups.com
syzbot has bisected this bug to:
commit f7b1e143d1ade0881d8e5670f7d6789be7d068ad
Author: Eric Dumazet <edum...@google.com>
Date: Fri Oct 4 18:08:34 2019 +0000
nfc: fix memory leak in llcp_sock_bind()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=179db92ce00000
start commit: ddef1e8e Linux 4.14.151
git tree: linux-4.14.y
final crash: https://syzkaller.appspot.com/x/report.txt?x=145db92ce00000
console output: https://syzkaller.appspot.com/x/log.txt?x=105db92ce00000
Fixes: f7b1e143d1ad ("nfc: fix memory leak in llcp_sock_bind()")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit f7b1e143d1ade0881d8e5670f7d6789be7d068ad
Author: Eric Dumazet <edum...@google.com>
Date: Fri Oct 4 18:08:34 2019 +0000
nfc: fix memory leak in llcp_sock_bind()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=179db92ce00000
start commit: ddef1e8e Linux 4.14.151
git tree: linux-4.14.y
final crash: https://syzkaller.appspot.com/x/report.txt?x=145db92ce00000
console output: https://syzkaller.appspot.com/x/log.txt?x=105db92ce00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a2b317f0c5f02ed3
dashboard link: https://syzkaller.appspot.com/bug?extid=63fbbf96a292870dd86b
dashboard link: https://syzkaller.appspot.com/bug?extid=63fbbf96a292870dd86b
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17192e48e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13eb470f600000
Reported-by: syzbot+63fbbf...@syzkaller.appspotmail.com
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13eb470f600000
Fixes: f7b1e143d1ad ("nfc: fix memory leak in llcp_sock_bind()")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages