KASAN: slab-out-of-bounds Read in skb_network_protocol


syzbot

Mar 25, 2018, 9:01:01 PM3/25/18
to syzkaller-upst...@googlegroups.com
Hello,

syzbot hit the following crash on net-next commit
94cb5492409219ee3f9468616dd58af314029f76 (Fri Mar 23 18:31:30 2018 +0000)
net/sched: act_vlan: declare push_vid with host byte order
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=fbe5dcb03404abcf481b

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=6277385880076288
Kernel config:
https://syzkaller.appspot.com/x/.config?id=2445237949826843652
compiler: gcc (GCC) 7.1.1 20170620
CC: [andre...@google.com bpoi...@suse.com da...@davemloft.net
edum...@google.com elena.r...@intel.com ishk...@gmail.com
kees...@chromium.org linux-...@vger.kernel.org mal...@google.com
net...@vger.kernel.org rami....@intel.com wil...@google.com]

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fbe5dc...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

==================================================================
kernel msg: ebtables bug: please report to author: EBT_ENTRY_OR_ENTRIES
shouldn't be set in distinguisher
BUG: KASAN: slab-out-of-bounds in skb_network_protocol+0x46b/0x4b0
net/core/dev.c:2739
Read of size 2 at addr ffff8801b3097a0b by task syz-executor5/14242

CPU: 1 PID: 14242 Comm: syz-executor5 Not tainted 4.16.0-rc6+ #280
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x24d lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x23c/0x360 mm/kasan/report.c:412
__asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
harmonize_features net/core/dev.c:2924 [inline]
netif_skb_features+0x509/0x9b0 net/core/dev.c:3011
validate_xmit_skb+0x81/0xb00 net/core/dev.c:3084
validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3142
packet_direct_xmit+0x117/0x790 net/packet/af_packet.c:256
packet_snd net/packet/af_packet.c:2944 [inline]
packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:639
___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
__sys_sendmsg+0xe5/0x210 net/socket.c:2081
SYSC_sendmsg net/socket.c:2092 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2088
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x454239
RSP: 002b:00007fc340accc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fc340acd6d4 RCX: 0000000000454239
RDX: 0000000000000000 RSI: 0000000020f21000 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004c2 R14: 00000000006f82d0 R15: 0000000000000000

Allocated by task 10680:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
kmem_cache_zalloc include/linux/slab.h:691 [inline]
get_empty_filp+0xfb/0x4f0 fs/file_table.c:122
alloc_file+0x26/0x390 fs/file_table.c:163
sock_alloc_file+0x1f3/0x560 net/socket.c:410
sock_map_fd+0x34/0x90 net/socket.c:437
SYSC_socket net/socket.c:1359 [inline]
SyS_socket+0x125/0x1d0 net/socket.c:1335
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 10696:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
__cache_free mm/slab.c:3485 [inline]
kmem_cache_free+0x83/0x2a0 mm/slab.c:3743
file_free_rcu+0x5c/0x70 fs/file_table.c:49
__rcu_reclaim kernel/rcu/rcu.h:172 [inline]
rcu_do_batch kernel/rcu/tree.c:2674 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2933 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2900 [inline]
rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2917
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285

The buggy address belongs to the object at ffff8801b30977c0
which belongs to the cache filp of size 456
The buggy address is located 131 bytes to the right of
456-byte region [ffff8801b30977c0, ffff8801b3097988)
The buggy address belongs to the page:
page:ffffea0006cc25c0 count:1 mapcount:0 mapping:ffff8801b3097040 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801b3097040 0000000000000000 0000000100000006
raw: ffffea0006cce0e0 ffffea000753eaa0 ffff8801da5d6180 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801b3097900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801b3097980: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801b3097a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8801b3097a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801b3097b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream

syzbot

Feb 22, 2019, 5:22:14 AM2/22/19
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.