KASAN: use-after-free Write in __unwind_start (3)
7 views
Skip to first unread message
syzbot
Mar 29, 2018, 3:01:04 PM3/29/18
to syzkaller-upst...@googlegroups.com
Hello,
syzbot hit the following crash on net-next commit
94cb5492409219ee3f9468616dd58af314029f76 (Fri Mar 23 18:31:30 2018 +0000)
net/sched: act_vlan: declare push_vid with host byte order
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=58f3d5b9eaf8cd816af4
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=5609587587678208
Kernel config:
https://syzkaller.appspot.com/x/.config?id=2445237949826843652
compiler: gcc (GCC) 7.1.1 20170620
CC: [h...@zytor.com jpoi...@redhat.com linux-...@vger.kernel.org
mhir...@kernel.org mi...@redhat.com tg...@linutronix.de x...@kernel.org]
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+58f3d5...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
==================================================================
BUG: KASAN: use-after-free in memset include/linux/string.h:330 [inline]
BUG: KASAN: use-after-free in __unwind_start+0x2d/0x330
arch/x86/kernel/unwind_frame.c:389
kasan: CONFIG_KASAN_INLINE enabled
Write of size 88 at addr ffff8801cef1f3a0 by task syz-executor1/17024
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 17027 Comm: syz-executor0 Not tainted 4.16.0-rc6+ #280
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline]
RIP: 0010:list_empty include/linux/list.h:203 [inline]
RIP: 0010:__bfs+0x144/0x830 kernel/locking/lockdep.c:1010
RSP: 0018:ffff88019faf71e0 EFLAGS: 00010082
RAX: e000fc0000000000 RBX: ffffffff88223b70 RCX: 0000000000000000
RDX: 1ffff10033f5ee4d RSI: 0000000000000000 RDI: ffff88019faf73e0
RBP: ffff88019faf7350 R08: 0000000000000000 R09: 0000000000000000
R10: ffff88019faf7478 R11: ffffed0033f5ee7e R12: 1ffff10033f5ee4d
R13: 0000000000000000 R14: ffff88019faf73d0 R15: ffff88019faf7328
FS: 0000000000d57940(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000480000 CR3: 00000001a8e93005 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__bfs_backwards kernel/locking/lockdep.c:1071 [inline]
find_usage_backwards kernel/locking/lockdep.c:1385 [inline]
check_usage_backwards+0x1fa/0x410 kernel/locking/lockdep.c:2666
mark_lock_irq kernel/locking/lockdep.c:2757 [inline]
mark_lock+0xa2f/0x1430 kernel/locking/lockdep.c:3147
mark_irqflags kernel/locking/lockdep.c:3039 [inline]
__lock_acquire+0x601/0x3e00 kernel/locking/lockdep.c:3388
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:310 [inline]
inode_doinit_with_dentry+0x13e/0x14c0 security/selinux/hooks.c:1496
__inode_security_revalidate+0xd2/0x130 security/selinux/hooks.c:276
inode_security_rcu security/selinux/hooks.c:290 [inline]
selinux_inode_permission+0x211/0x5f0 security/selinux/hooks.c:3093
security_inode_permission+0xaf/0xf0 security/security.c:697
inode_permission+0xea/0x470 fs/namei.c:456
SYSC_chdir fs/open.c:444 [inline]
SyS_chdir+0xf1/0x200 fs/open.c:434
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453ea7
RSP: 002b:0000000000a3eb78 EFLAGS: 00000217 ORIG_RAX: 0000000000000050
RAX: ffffffffffffffda RBX: 00000000000009bf RCX: 0000000000453ea7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000a3f850
RBP: 0000000000a3f220 R08: 0000000000000000 R09: 0000000000d57940
R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000
R13: 0000000000000013 R14: 0000000000000000 R15: 0000000000001380
Code: 8b 2b 4c 89 e2 48 c1 ea 03 80 3c 02 00 0f 85 b9 05 00 00 49 c1 ec 03
48 b8 00 00 00 00 00 fc 00 e0 4c 39 eb 4d 89 af 40 ff ff ff <41> c6 04 04
f8 0f 84 1d 04 00 00 49 89 c4 83 05 37 e3 73 06 01
RIP: __read_once_size include/linux/compiler.h:188 [inline] RSP:
ffff88019faf71e0
RIP: list_empty include/linux/list.h:203 [inline] RSP: ffff88019faf71e0
RIP: __bfs+0x144/0x830 kernel/locking/lockdep.c:1010 RSP: ffff88019faf71e0
---[ end trace d58dffdf846f396c ]---
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream
syzbot hit the following crash on net-next commit
94cb5492409219ee3f9468616dd58af314029f76 (Fri Mar 23 18:31:30 2018 +0000)
net/sched: act_vlan: declare push_vid with host byte order
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=58f3d5b9eaf8cd816af4
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=5609587587678208
Kernel config:
https://syzkaller.appspot.com/x/.config?id=2445237949826843652
compiler: gcc (GCC) 7.1.1 20170620
CC: [h...@zytor.com jpoi...@redhat.com linux-...@vger.kernel.org
mhir...@kernel.org mi...@redhat.com tg...@linutronix.de x...@kernel.org]
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+58f3d5...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
==================================================================
BUG: KASAN: use-after-free in memset include/linux/string.h:330 [inline]
BUG: KASAN: use-after-free in __unwind_start+0x2d/0x330
arch/x86/kernel/unwind_frame.c:389
kasan: CONFIG_KASAN_INLINE enabled
Write of size 88 at addr ffff8801cef1f3a0 by task syz-executor1/17024
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 17027 Comm: syz-executor0 Not tainted 4.16.0-rc6+ #280
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline]
RIP: 0010:list_empty include/linux/list.h:203 [inline]
RIP: 0010:__bfs+0x144/0x830 kernel/locking/lockdep.c:1010
RSP: 0018:ffff88019faf71e0 EFLAGS: 00010082
RAX: e000fc0000000000 RBX: ffffffff88223b70 RCX: 0000000000000000
RDX: 1ffff10033f5ee4d RSI: 0000000000000000 RDI: ffff88019faf73e0
RBP: ffff88019faf7350 R08: 0000000000000000 R09: 0000000000000000
R10: ffff88019faf7478 R11: ffffed0033f5ee7e R12: 1ffff10033f5ee4d
R13: 0000000000000000 R14: ffff88019faf73d0 R15: ffff88019faf7328
FS: 0000000000d57940(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000480000 CR3: 00000001a8e93005 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__bfs_backwards kernel/locking/lockdep.c:1071 [inline]
find_usage_backwards kernel/locking/lockdep.c:1385 [inline]
check_usage_backwards+0x1fa/0x410 kernel/locking/lockdep.c:2666
mark_lock_irq kernel/locking/lockdep.c:2757 [inline]
mark_lock+0xa2f/0x1430 kernel/locking/lockdep.c:3147
mark_irqflags kernel/locking/lockdep.c:3039 [inline]
__lock_acquire+0x601/0x3e00 kernel/locking/lockdep.c:3388
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:310 [inline]
inode_doinit_with_dentry+0x13e/0x14c0 security/selinux/hooks.c:1496
__inode_security_revalidate+0xd2/0x130 security/selinux/hooks.c:276
inode_security_rcu security/selinux/hooks.c:290 [inline]
selinux_inode_permission+0x211/0x5f0 security/selinux/hooks.c:3093
security_inode_permission+0xaf/0xf0 security/security.c:697
inode_permission+0xea/0x470 fs/namei.c:456
SYSC_chdir fs/open.c:444 [inline]
SyS_chdir+0xf1/0x200 fs/open.c:434
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453ea7
RSP: 002b:0000000000a3eb78 EFLAGS: 00000217 ORIG_RAX: 0000000000000050
RAX: ffffffffffffffda RBX: 00000000000009bf RCX: 0000000000453ea7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000a3f850
RBP: 0000000000a3f220 R08: 0000000000000000 R09: 0000000000d57940
R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000
R13: 0000000000000013 R14: 0000000000000000 R15: 0000000000001380
Code: 8b 2b 4c 89 e2 48 c1 ea 03 80 3c 02 00 0f 85 b9 05 00 00 49 c1 ec 03
48 b8 00 00 00 00 00 fc 00 e0 4c 39 eb 4d 89 af 40 ff ff ff <41> c6 04 04
f8 0f 84 1d 04 00 00 49 89 c4 83 05 37 e3 73 06 01
RIP: __read_once_size include/linux/compiler.h:188 [inline] RSP:
ffff88019faf71e0
RIP: list_empty include/linux/list.h:203 [inline] RSP: ffff88019faf71e0
RIP: __bfs+0x144/0x830 kernel/locking/lockdep.c:1010 RSP: ffff88019faf71e0
---[ end trace d58dffdf846f396c ]---
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream
Dmitry Vyukov
Jul 17, 2018, 10:22:20 AM7/17/18
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
Happened once 113 days ago, looks like a previous memory corruption:
#syz invalid
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-upstream-m...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-upstream-moderation/f403043cbe84a953e0056891be04%40google.com.
> For more options, visit https://groups.google.com/d/optout.
#syz invalid
> You received this message because you are subscribed to the Google Groups
> "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-upstream-m...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-upstream-moderation/f403043cbe84a953e0056891be04%40google.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages