panic: malformed IPv4 option passed to ip_optcopy


syzbot

Dec 18, 2018, 1:56:03 PM12/18/18
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 9257d67bbd0d split tests into multiple make targets
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=17882943400000
kernel config: https://syzkaller.appspot.com/x/.config?x=906264fb5874384d
dashboard link: https://syzkaller.appspot.com/bug?extid=0361ed02deed123667cb
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0361ed...@syzkaller.appspotmail.com

panic: malformed IPv4 option passed to ip_optcopy
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*198503 95839 0 0 0x4000000 0 syz-executor0
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
ip_optcopy(ffffff002c650c00,ffff800000171290) at ip_optcopy
ip_output(ffffff0036f13e38,ffffff002c650c00,ffffff002665407c,22,1366,2edbb98aab4e2460)
at
ip_output+0xbd5 sys/netinet/ip_output.c:501
rip_output(0,9,ffffff003c249ae0,ffffff003ebc0400) at rip_output+0x187
sys/netinet/raw_ip.c:293
rip_usrreq(b52,ffffff003c249ae0,ffffff003ebc0400,ffffff002c650c00,0,2edbb98aab4e2460)
at
rip_usrreq+0x3ed sys/netinet/raw_ip.c:472
sosend(ffffff003033c010,ffff800014ad7c38,1366,ffff800014ad7c38,ffff800014ad7c58,2edbb98aab4e2460)
at
sosend+0x462 sys/kern/uipc_socket.c:513
sendit(ffff800014ad7c38,ffff800014af9f80,ffff800014af9e90,ffff800014af9f98,6)
at
sendit+0x3f3 sys/kern/uipc_syscalls.c:662
sys_sendmsg(ffff800014afa020,ffff800014ad7c38,ffff800014a16300) at
sys_sendmsg+0x155 sys/kern/uipc_syscalls.c:567
syscall(0) at syscall+0x3e4
Xsyscall(6,0,ffffffffffffffd3,0,3,58c8bfe010) at Xsyscall+0x128
end of kernel
end trace frame: 0x5b01f04b40, count: 4
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> show panic
malformed IPv4 option passed to ip_optcopy
ddb> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
ip_optcopy(ffffff002c650c00,ffff800000171290) at ip_optcopy
ip_output(ffffff0036f13e38,ffffff002c650c00,ffffff002665407c,22,1366,2edbb98aab4e2460)
at
ip_output+0xbd5 sys/netinet/ip_output.c:501
rip_output(0,9,ffffff003c249ae0,ffffff003ebc0400) at rip_output+0x187
sys/netinet/raw_ip.c:293
rip_usrreq(b52,ffffff003c249ae0,ffffff003ebc0400,ffffff002c650c00,0,2edbb98aab4e2460)
at
rip_usrreq+0x3ed sys/netinet/raw_ip.c:472
sosend(ffffff003033c010,ffff800014ad7c38,1366,ffff800014ad7c38,ffff800014ad7c58,2edbb98aab4e2460)
at
sosend+0x462 sys/kern/uipc_socket.c:513
sendit(ffff800014ad7c38,ffff800014af9f80,ffff800014af9e90,ffff800014af9f98,6)
at
sendit+0x3f3 sys/kern/uipc_syscalls.c:662
sys_sendmsg(ffff800014afa020,ffff800014ad7c38,ffff800014a16300) at
sys_sendmsg+0x155 sys/kern/uipc_syscalls.c:567
syscall(0) at syscall+0x3e4
Xsyscall(6,0,ffffffffffffffd3,0,3,58c8bfe010) at Xsyscall+0x128
end of kernel
end trace frame: 0x5b01f04b40, count: -11
ddb> show registers
rdi 0xffffffff81e39300 kprintf_mutex
rsi 0xffffffff81804899 db_enter+0x9
rbp 0xffff800014af9a50
rbx 0xffff800014af9af0
rdx 0xffff8000014cc000
rcx 0x181d __ALIGN_SIZE+0x81d
rax 0xffff8000014cc000
r8 0xffff800014af9a20
r9 0
r10 0x549ae4707eb168ee
r11 0xffffffff81782140 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff800014af9a60
r14 0x100
r15 0xffffffff81c1e7e5 apollo_udma100_tim+0xc2a1
rip 0xffffffff8180489a db_enter+0xa
cs 0x8
rflags 0x206
rsp 0xffff800014af9a50
ss 0x10
db_enter+0xa: popq %rbp
ddb> show proc
PROC (syz-executor0) pid=198503 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=82, usrpri=82, nice=20
forw=0xffffffffffffffff, list=0xffff800014ad6270,0xffffffff81ebb720
process=0xffff800014a16300 user=0xffff800014af5000,
vmspace=0xffffff003f12bd68
estcpu=36, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
95839 198222 53460 0 2 0 syz-executor0
*95839 198503 53460 0 7 0x4000000 syz-executor0
60515 56902 21320 0 3 0x80 nanosleep syz-executor1
60515 137267 21320 0 3 0x4000080 fifor syz-executor1
60515 318807 21320 0 3 0x4000080 fsleep syz-executor1
6619 458131 1 0 3 0x100083 ttyin getty
95640 451836 0 0 3 0x14200 bored sosplice
53460 363435 63439 0 3 0x82 nanosleep syz-executor0
21320 409260 63439 0 3 0x82 nanosleep syz-executor1
63439 189682 51201 0 3 0x82 thrsleep syz-fuzzer
63439 56557 51201 0 3 0x4000082 thrsleep syz-fuzzer
63439 375081 51201 0 3 0x4000082 thrsleep syz-fuzzer
63439 473130 51201 0 3 0x4000082 thrsleep syz-fuzzer
63439 150235 51201 0 3 0x4000082 kqread syz-fuzzer
63439 449211 51201 0 3 0x4000082 thrsleep syz-fuzzer
63439 137638 51201 0 3 0x4000082 thrsleep syz-fuzzer
51201 19715 35897 0 3 0x10008a pause ksh
35897 119779 2816 0 3 0x92 select sshd
2816 192089 1 0 3 0x80 select sshd
51839 101917 68736 73 3 0x100090 kqread syslogd
68736 381567 1 0 3 0x100082 netio syslogd
19809 469682 1 77 3 0x100090 poll dhclient
11850 436572 1 0 3 0x80 poll dhclient
6937 78176 0 0 2 0x14200 zerothread
64113 431846 0 0 3 0x14200 aiodoned aiodoned
49527 180082 0 0 3 0x14200 syncer update
83896 368155 0 0 3 0x14200 cleaner cleaner
2669 8447 0 0 3 0x14200 reaper reaper
23194 185749 0 0 3 0x14200 pgdaemon pagedaemon
75824 490998 0 0 3 0x14200 bored crynlk
40718 293597 0 0 3 0x14200 bored crypto
37015 317352 0 0 3 0x40014200 acpi0 acpi0
89061 36230 0 0 3 0x14200 bored softnet
73639 347540 0 0 3 0x14200 bored systqmp
78922 148920 0 0 3 0x14200 bored systq
5154 15530 0 0 3 0x40014200 bored softclock
53121 125888 0 0 3 0x40014200 idle0
1 277488 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Dec 22, 2018, 5:28:05 PM12/22/18
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: afb6229dd599 The wrong header file was given for EVP_PKEY_..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=12a420c3400000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160c3135400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0361ed...@syzkaller.appspotmail.com

panic: malformed IPv4 option passed to ip_optcopy
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*245344 73868 0 0 0x4000000 0 syz-executor0
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
ip_optcopy(ffffff00353fb400,ffff800000171290) at ip_optcopy
ip_output(ffffff0036f09118,ffffff00353fb400,ffffff00391da000,22,1000,ffcc7a1cc2ba05e5)
at
ip_output+0xbd5 sys/netinet/ip_output.c:501
rip_output(0,9,ffffff0036333a88,0) at rip_output+0x187
sys/netinet/raw_ip.c:293
rip_usrreq(1000,ffffff0036333a88,0,ffffff00353fb400,0,ffcc7a1cc2ba05e5) at
rip_usrreq+0x3ed sys/netinet/raw_ip.c:472
sosend(ffffff0037690e88,ffff800014ab01b8,1000,ffff800014ab0260,0,ffcc7a1cc2ba05e5)
at
sosend+0x462 sys/kern/uipc_socket.c:513
dofilewritev(ffff8000ffffc4b8,ffff800014ab0260,1000,ffff800014ab0278,dda37938eb8)
at
dofilewritev+0x13e sys/kern/sys_generic.c:364
sys_write(ffff800014ab0300,ffff8000ffffc4b8,ffff8000149cffd0) at
sys_write+0x6e sys/kern/sys_generic.c:283
syscall(0) at syscall+0x3e4
Xsyscall(6,0,c,0,3,dd77184d010) at Xsyscall+0x128
end of kernel
end trace frame: 0xdda37938f40, count: 4
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> show panic
malformed IPv4 option passed to ip_optcopy
ddb> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
ip_optcopy(ffffff00353fb400,ffff800000171290) at ip_optcopy
ip_output(ffffff0036f09118,ffffff00353fb400,ffffff00391da000,22,1000,ffcc7a1cc2ba05e5)
at
ip_output+0xbd5 sys/netinet/ip_output.c:501
rip_output(0,9,ffffff0036333a88,0) at rip_output+0x187
sys/netinet/raw_ip.c:293
rip_usrreq(1000,ffffff0036333a88,0,ffffff00353fb400,0,ffcc7a1cc2ba05e5) at
rip_usrreq+0x3ed sys/netinet/raw_ip.c:472
sosend(ffffff0037690e88,ffff800014ab01b8,1000,ffff800014ab0260,0,ffcc7a1cc2ba05e5)
at
sosend+0x462 sys/kern/uipc_socket.c:513
dofilewritev(ffff8000ffffc4b8,ffff800014ab0260,1000,ffff800014ab0278,dda37938eb8)
at
dofilewritev+0x13e sys/kern/sys_generic.c:364
sys_write(ffff800014ab0300,ffff8000ffffc4b8,ffff8000149cffd0) at
sys_write+0x6e sys/kern/sys_generic.c:283
syscall(0) at syscall+0x3e4
Xsyscall(6,0,c,0,3,dd77184d010) at Xsyscall+0x128
end of kernel
end trace frame: 0xdda37938f40, count: -11
ddb> show registers
rdi 0xffffffff81e32758 kprintf_mutex
rsi 0x5
rbp 0xffff800014aafdf0
rbx 0xffff800014aafe90
rdx 0x3fd
rcx 0
rax 0x1
r8 0xffff800014aafdc0
r9 0
r10 0x495952dd39ba416a
r11 0xffffffff817d6c80 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff800014aafe00
r14 0x100
r15 0xffffffff81c1f7e9 substchar+0xe718
rip 0xffffffff819017ba db_enter+0xa
cs 0x8
rflags 0x202
rsp 0xffff800014aafdf0
ss 0x10
db_enter+0xa: popq %rbp
ddb> show proc
PROC (syz-executor0) pid=245344 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=50, usrpri=50, nice=20
forw=0xffffffffffffffff, list=0xffff8000ffffd778,0xffffffff81ed9bd0
process=0xffff8000149cffd0 user=0xffff800014aab000,
vmspace=0xffffff003f12c420
estcpu=0, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
73868 391905 31309 0 2 0 syz-executor0
*73868 245344 31309 0 7 0x4000000 syz-executor0
31309 414828 43114 0 3 0x82 nanosleep syz-executor0
43114 200314 83474 0 3 0x82 thrsleep syz-execprog
43114 391602 83474 0 3 0x4000082 thrsleep syz-execprog
43114 245488 83474 0 3 0x4000082 thrsleep syz-execprog
43114 448666 83474 0 3 0x4000082 thrsleep syz-execprog
43114 7476 83474 0 3 0x4000082 kqread syz-execprog
43114 463026 83474 0 3 0x4000082 thrsleep syz-execprog
83474 36557 9992 0 3 0x10008a pause ksh
9992 152075 69808 0 3 0x92 select sshd
31395 397315 1 0 3 0x100083 ttyin getty
69808 315177 1 0 3 0x80 select sshd
75056 146190 34335 73 3 0x100090 kqread syslogd
34335 312749 1 0 3 0x100082 netio syslogd
26481 271717 1 77 3 0x100090 poll dhclient
5653 184599 1 0 3 0x80 poll dhclient
34184 40196 0 0 2 0x14200 zerothread
79088 134201 0 0 3 0x14200 aiodoned aiodoned
22188 521077 0 0 3 0x14200 syncer update
95457 47499 0 0 3 0x14200 cleaner cleaner
57930 105905 0 0 3 0x14200 reaper reaper
91163 371799 0 0 3 0x14200 pgdaemon pagedaemon
39325 491237 0 0 3 0x14200 bored crynlk
17161 243870 0 0 3 0x14200 bored crypto
64044 143015 0 0 3 0x40014200 acpi0 acpi0
46137 340925 0 0 3 0x14200 bored softnet
82509 343081 0 0 3 0x14200 bored systqmp
20045 462752 0 0 3 0x14200 bored systq
24935 185996 0 0 3 0x40014200 bored softclock
68479 424698 0 0 3 0x40014200 idle0
1 185281 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb>

syzbot

Dec 23, 2018, 12:41:04 AM12/23/18
to syzkaller-o...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 907eae9ac960 sync
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=11c06bb7400000
kernel config: https://syzkaller.appspot.com/x/.config?x=f2ee3db928411249
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ee0315400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16a75bb7400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0361ed...@syzkaller.appspotmail.com

panic: malformed IPv4 option passed to ip_optcopy
Stopped at db_enter+0xa: popq %rbp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
240244 90692 0 0x2 0 1 syz-executor7182
*221300 90692 0 0x2 0x4000000 0K syz-executor7182
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
ip_fragment(ffffff0005fe9000,ffff800000173290,ffffff006efd9700) at
ip_fragment+0x5f4
ip_output(ffffff006f2d9000,ffffff006efd9700,ffffff0005fe9000,22,1000,e03a3044e0550017)
at
ip_output+0xc6c sys/netinet/ip_output.c:501
rip_output(0,9,ffffff006e6fd908,0) at rip_output+0x187
sys/netinet/raw_ip.c:293
rip_usrreq(1000,ffffff006e6fd908,0,ffffff006efd9700,0,e03a3044e0550017) at
rip_usrreq+0x3ed sys/netinet/raw_ip.c:472
sosend(ffffff006e48d620,ffff800021119318,1000,ffff8000211193c0,0,e03a3044e0550017)
at
sosend+0x46a sys/kern/uipc_socket.c:513
dofilewritev(ffff8000210a4970,ffff8000211193c0,1000,ffff8000211193d8,62a2c369ff8)
at
dofilewritev+0x13e sys/kern/sys_generic.c:364
sys_write(40,ffff8000210a4970,0) at sys_write+0x6e
sys/kern/sys_generic.c:283
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,62a817bd4a0,0,62798b4a098,62798b4a090) at Xsyscall+0x128
end of kernel
end trace frame: 0x62a2c36a020, count: 4
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> show panic
malformed IPv4 option passed to ip_optcopy
ddb{0}> trace
db_enter() at db_enter+0xa sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
ip_fragment(ffffff0005fe9000,ffff800000173290,ffffff006efd9700) at
ip_fragment+0x5f4
ip_output(ffffff006f2d9000,ffffff006efd9700,ffffff0005fe9000,22,1000,e03a3044e0550017)
at
ip_output+0xc6c sys/netinet/ip_output.c:501
rip_output(0,9,ffffff006e6fd908,0) at rip_output+0x187
sys/netinet/raw_ip.c:293
rip_usrreq(1000,ffffff006e6fd908,0,ffffff006efd9700,0,e03a3044e0550017) at
rip_usrreq+0x3ed sys/netinet/raw_ip.c:472
sosend(ffffff006e48d620,ffff800021119318,1000,ffff8000211193c0,0,e03a3044e0550017)
at
sosend+0x46a sys/kern/uipc_socket.c:513
dofilewritev(ffff8000210a4970,ffff8000211193c0,1000,ffff8000211193d8,62a2c369ff8)
at
dofilewritev+0x13e sys/kern/sys_generic.c:364
sys_write(40,ffff8000210a4970,0) at sys_write+0x6e
sys/kern/sys_generic.c:283
syscall(0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,62a817bd4a0,0,62798b4a098,62798b4a090) at Xsyscall+0x128
end of kernel
end trace frame: 0x62a2c36a020, count: -11
ddb{0}> show registers
rdi 0xffffffff81e20110 kprintf_mutex
rsi 0x5
rbp 0xffff800021118f50
rbx 0xffff800021118ff0
rdx 0x3fd
rcx 0
rax 0x1
r8 0xffff800021118f20
r9 0
r10 0
r11 0xffffffff8197d380 x86_bus_space_io_read_1
r12 0x3000000008
r13 0xffff800021118f60
r14 0x100
r15 0xffffffff81c38636 apollo_udma100_tim+0xd631
rip 0xffffffff8182d81a db_enter+0xa
cs 0x8
rflags 0x202
rsp 0xffff800021118f50
ss 0x10
db_enter+0xa: popq %rbp
ddb{0}> show proc
PROC (syz-executor7182) pid=221300 stat=onproc
flags process=2<EXEC> proc=4000000<THREAD>
pri=51, usrpri=51, nice=20
forw=0xffffffffffffffff, list=0xffff8000210a4718,0xffffffff81ebabf8
process=0xffff8000210a7300 user=0xffff800021114000,
vmspace=0xffffff007f124210
estcpu=1, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
90692 240244 75369 0 7 0x2 syz-executor7182
*90692 221300 75369 0 7 0x4000002 syz-executor7182
75369 163534 14015 0 3 0x10008a pause ksh
14015 59605 46217 0 3 0x92 select sshd
60858 311911 1 0 3 0x100083 ttyin getty
46217 482486 1 0 3 0x80 select sshd
51974 59267 85278 73 3 0x100090 kqread syslogd
85278 79216 1 0 3 0x100082 netio syslogd
93235 129952 1 77 3 0x100090 poll dhclient
90893 45340 1 0 3 0x80 poll dhclient
3626 353315 0 0 2 0x14200 zerothread
99632 49372 0 0 3 0x14200 aiodoned aiodoned
70051 189025 0 0 3 0x14200 syncer update
94447 403790 0 0 3 0x14200 cleaner cleaner
16158 308297 0 0 3 0x14200 reaper reaper
22042 3036 0 0 3 0x14200 pgdaemon pagedaemon
57722 253800 0 0 3 0x14200 bored crynlk
41276 504436 0 0 3 0x14200 bored crypto
41465 240531 0 0 3 0x40014200 acpi0 acpi0
92137 104984 0 0 3 0x40014200 idle1
78872 449395 0 0 3 0x14200 bored softnet
21325 166296 0 0 3 0x14200 bored systqmp
89258 51153 0 0 3 0x14200 bored systq
72343 398068 0 0 3 0x40014200 bored softclock
53696 477841 0 0 3 0x40014200 idle0
1 283596 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}>
