KASAN: slab-out-of-bounds Read in xfrm_hash_rebuild


syzbot

Nov 7, 2017, 3:28:25 PM
to da...@davemloft.net, her...@gondor.apana.org.au, linux-...@vger.kernel.org, net...@vger.kernel.org, steffen....@secunet.com, syzkall...@googlegroups.com
Hello,

syzkaller hit the following crash on
0f611fb6dcc0d6d91b4e1fec911321f434a3b858
git://git.cmpxchg.org/linux-mmots.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:619
Read of size 2 at addr ffff8801d180fa34 by task kworker/1:2/1348

CPU: 1 PID: 1348 Comm: kworker/1:2 Not tainted 4.14.0-rc5-mm1+ #20
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events xfrm_hash_rebuild
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:619
process_one_work+0xbf0/0x1bc0 kernel/workqueue.c:2112
worker_thread+0x223/0x1990 kernel/workqueue.c:2246
kthread+0x38b/0x470 kernel/kthread.c:242
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Allocated by task 3006:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3712 [inline]
__kmalloc+0x162/0x760 mm/slab.c:3721
kmalloc include/linux/slab.h:504 [inline]
sk_prot_alloc+0x101/0x2a0 net/core/sock.c:1469
sk_alloc+0x89/0x700 net/core/sock.c:1523
pfkey_create+0x2b2/0xae0 net/key/af_key.c:158
__sock_create+0x4d4/0x850 net/socket.c:1261
sock_create net/socket.c:1301 [inline]
SYSC_socket net/socket.c:1331 [inline]
SyS_socket+0xeb/0x200 net/socket.c:1311
entry_SYSCALL_64_fastpath+0x1f/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801d180f500
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1332 bytes inside of
2048-byte region [ffff8801d180f500, ffff8801d180fd00)
The buggy address belongs to the page:
page:ffffea0007460380 count:1 mapcount:0 mapping:ffff8801d180e400 index:0x0
compound_mapcount: 0
flags: 0x200000000008100(slab|head)
raw: 0200000000008100 ffff8801d180e400 0000000000000000 0000000100000003
raw: ffffea0007490720 ffff8801dac01948 ffff8801dac00c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801d180f900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801d180f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8801d180fa00: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8801d180fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801d180fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line.
Attachments: config.txt, raw.log, repro.txt

syzbot

Dec 21, 2017, 8:48:02 AM
to da...@davemloft.net, her...@gondor.apana.org.au, linux-...@vger.kernel.org, net...@vger.kernel.org, steffen....@secunet.com, syzkall...@googlegroups.com
syzkaller has found reproducer for the following crash on
8f36e00065436412a02d1f50ad77375bdb506300
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


==================================================================
BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
Read of size 2 at addr ffff8801c8e92fe4 by task kworker/1:1/23

CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 4.15.0-rc3+ #161
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events xfrm_hash_rebuild
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
process_one_work+0xbbf/0x1b10 kernel/workqueue.c:2112
worker_thread+0x223/0x1990 kernel/workqueue.c:2246
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:441

Allocated by task 3152:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3708 [inline]
__kmalloc+0x162/0x760 mm/slab.c:3717
kmalloc include/linux/slab.h:504 [inline]
sk_prot_alloc+0x101/0x2a0 net/core/sock.c:1471
sk_alloc+0x8c/0x730 net/core/sock.c:1525
pfkey_create+0x2b2/0xae0 net/key/af_key.c:158
__sock_create+0x4d4/0x850 net/socket.c:1257
sock_create net/socket.c:1297 [inline]
SYSC_socket net/socket.c:1327 [inline]
SyS_socket+0xeb/0x1d0 net/socket.c:1307
entry_SYSCALL_64_fastpath+0x1f/0x96

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801c8e92ac0
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1316 bytes inside of
2048-byte region [ffff8801c8e92ac0, ffff8801c8e932c0)
The buggy address belongs to the page:
page:000000004ba28b34 count:1 mapcount:0 mapping:00000000d439dc9d index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801c8e92240 0000000000000000 0000000100000003
raw: ffffea000723d120 ffff8801db001948 ffff8801db000c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801c8e92e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801c8e92f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8801c8e92f80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
^
ffff8801c8e93000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801c8e93080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Attachments: config.txt, raw.log, repro.txt, repro.c

Florian Westphal

Dec 27, 2017, 5:27:51 PM
to net...@vger.kernel.org, steffen....@secunet.com, syzkall...@googlegroups.com, Florian Westphal, Herbert Xu, Timo Teras, Christophe Gouault
syzkaller triggered the following KASAN splat:

BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
read of size 2 at addr ffff8801c8e92fe4 by task kworker/1:1/23 [..]
Workqueue: events xfrm_hash_rebuild [..]
__asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
process_one_work+0xbbf/0x1b10 kernel/workqueue.c:2112
worker_thread+0x223/0x1990 kernel/workqueue.c:2246 [..]

The reproducer triggers:
1016 if (error) {
1017 list_move_tail(&walk->walk.all, &x->all);
1018 goto out;
1019 }

in xfrm_policy_walk() via pfkey (it sets tiny rcv space, dump
callback returns -ENOBUFS).

In this case, *walk is located in the pfkey socket struct, so this socket
becomes visible in the global policy list.

It looks like this is intentional -- the phony walker has walk.dead set to 1
and all other places skip such "policies".

Cc'ing the original authors of the two commits that seem to expose this
issue (the first patch missed the ->dead check, the second patch adds pfkey
sockets to the policy dumper list).

Fixes: 880a6fab8f6ba5b ("xfrm: configure policy hash table thresholds by netlink")
Fixes: 12a169e7d8f4b1c ("ipsec: Put dumpers on the dump list")
Cc: Herbert Xu <her...@gondor.apana.org.au>
Cc: Timo Teras <timo....@iki.fi>
Cc: Christophe Gouault <christoph...@6wind.com>
Reported-by: syzbot <bot+c028095236fcb6f434...@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/xfrm/xfrm_policy.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 9542975eb2f9..181bc6181789 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -609,7 +609,8 @@ static void xfrm_hash_rebuild(struct work_struct *work)

/* re-insert all policies by order of creation */
list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
- if (xfrm_policy_id2dir(policy->index) >= XFRM_POLICY_MAX) {
+ if (policy->walk.dead ||
+ xfrm_policy_id2dir(policy->index) >= XFRM_POLICY_MAX) {
/* skip socket policies */
continue;
}
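Review bot: the in-block comment `/* skip socket policies */` now undersells the condition: with `policy->walk.dead ||` added, the branch also skips the dead walker entries that pfkey dumpers place on policy_all, which is exactly the case this patch fixes. Suggest `/* skip socket policies and dead (walker) entries */` so a later reader does not drop the dead test as redundant with the id2dir check. The ordering is right as written: `walk.dead` is evaluated first, so `policy->index` is never consulted for a walker.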
--
2.13.6
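The mechanism Florian describes above, as an added C model that is not part of this thread or of the kernel code: a constructed policy_all list in which a pfkey socket's embedded walker (walk.dead = 1) sits between two real policies. rebuild() applies the dead check from the patch, and walker_family_in_bounds() shows by address arithmetic alone that treating the walker as a policy would read ->family past the end of the socket object. All struct names, layouts and the hash are stand-ins, not the kernel's.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the intrusive list that xfrm_hash_rebuild() walks; the
 * struct names stand in for the kernel's and the layouts are not the real ones. */
struct list_head { struct list_head *next, *prev; };
/* walk.dead is 1 on dumper placeholders (walkers), 0 on real policies */
struct walk_entry { struct list_head all; uint8_t dead; };
/* ->family is a u16 that sits after the walk entry, like the field read OOB */
struct policy { uint32_t index; struct walk_entry walk; uint16_t family; };
/* the pfkey socket embeds a walker that is linked into the same list */
struct pfkey_sock { char sock_state[64]; struct walk_entry dump_walk; };
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head; head->prev->next = n; head->prev = n;
}
/* Fixed rebuild: test walk.dead before any other field, so the bogus "policy"
 * that container_of() makes out of a walker is skipped instead of hashed. */
static int rebuild(struct list_head *head, uint32_t *hash_out)
{
    int n = 0;
    for (struct list_head *p = head->next; p != head; p = p->next) {
        struct policy *pol = container_of(p, struct policy, walk.all);
        if (pol->walk.dead) continue;   /* placeholder entry, not a policy */
        hash_out[n++] = ((uint32_t)pol->family << 16) ^ pol->index;
    }
    return n;
}
/* Would reading ->family of the walker's bogus "policy" stay inside the socket
 * allocation? Address arithmetic only; nothing is dereferenced. */
static int walker_family_in_bounds(const struct pfkey_sock *sk)
{
    uintptr_t fake = (uintptr_t)&sk->dump_walk.all - offsetof(struct policy, walk.all);
    return fake + offsetof(struct policy, family) + sizeof(uint16_t) <= (uintptr_t)sk + sizeof(*sk);
}
static uint32_t demo_hashes[4];
/* policy_all = [policy 1, pfkey walker, policy 2]; returns how many were rehashed. */
static int demo(void)
{
    struct list_head policy_all = { &policy_all, &policy_all };
    struct policy p1 = { .index = 1, .family = 2 }, p2 = { .index = 5, .family = 10 };
    struct pfkey_sock sk = { .dump_walk.dead = 1 };
    list_add_tail(&p1.walk.all, &policy_all);
    list_add_tail(&sk.dump_walk.all, &policy_all);
    list_add_tail(&p2.walk.all, &policy_all);
    if (walker_family_in_bounds(&sk)) return -1; /* model would not overrun */
    return rebuild(&policy_all, demo_hashes);
}
```

demo() returns 2 because the walker is skipped; without the dead test the same loop would hash the walker's ->family, which lies outside the socket object, as KASAN reported.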

Steffen Klassert

Dec 31, 2017, 2:50:20 AM
to Florian Westphal, net...@vger.kernel.org, syzkall...@googlegroups.com, Herbert Xu, Timo Teras, Christophe Gouault
Applied, thanks a lot!

Eric Biggers

Jan 30, 2018, 8:59:58 PM
to Steffen Klassert, Florian Westphal, net...@vger.kernel.org, syzkall...@googlegroups.com, Herbert Xu, Timo Teras, Christophe Gouault
This crash seems to have stopped occurring, thanks Florian! Let's tell syzbot
so that it can start reporting any crashes in this same place again:

#syz fix: xfrm: skip policies marked as dead while rehashing

- Eric

syzbot

Jan 30, 2018, 8:59:59 PM
to Eric Biggers, christoph...@6wind.com, ebig...@gmail.com, f...@strlen.de, her...@gondor.apana.org.au, net...@vger.kernel.org, steffen....@secunet.com, syzkall...@googlegroups.com, timo....@iki.fi
Can't find the corresponding bug.


Eric Biggers

Jan 30, 2018, 9:02:15 PM
to syzbot, da...@davemloft.net, her...@gondor.apana.org.au, linux-...@vger.kernel.org, net...@vger.kernel.org, steffen....@secunet.com, syzkall...@googlegroups.com