Dmitry Vyukov
unread,Dec 16, 2015, 2:35:09 PM12/16/15Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Willem de Bruijn, David S. Miller, Eric Dumazet, Eric W. Biederman, Mel Gorman, Craig Gallek, Ying Xue, Hannes Frederic Sowa, Edward Jee, Julia Lawall, netdev, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin
Hello,
The following program triggers heap-out-of-bounds access in sock_setsockopt:
// autogenerated by syzkaller (
http://github.com/google/syzkaller)
#include <syscall.h>
#include <string.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/in.h>
#include <linux/in6.h>
#define SOF_TIMESTAMPING_OPT_ID (1<<7)
int main()
{
int fd = socket(PF_INET6, SOCK_RAW, IPPROTO_TCP);
struct sockaddr_in6 sa = {};
sa.sin6_family = AF_INET6;
sa.sin6_port = htons(13277);
inet_pton(AF_INET6, "::1", &sa.sin6_addr);
connect(fd, (struct sockaddr*)&sa, sizeof(sa));
int opt = SOF_TIMESTAMPING_OPT_ID;
setsockopt(fd, SOL_SOCKET, SO_TIMESTAMPING, &opt, sizeof(opt));
return 0;
}
BUG: KASAN: slab-out-of-bounds in sock_setsockopt+0x1284/0x13d0 at
addr ffff88006563ec10
Read of size 4 by task syzkaller_execu/4755
=============================================================================
BUG RAWv6 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in sk_prot_alloc+0x69/0x340 age=17 cpu=3 pid=4755
[< none >] kmem_cache_alloc+0x244/0x2c0 mm/slub.c:2607
[< none >] sk_prot_alloc+0x69/0x340 net/core/sock.c:1343
[< none >] sk_alloc+0x3a/0x6b0 net/core/sock.c:1418
[< none >] inet6_create+0x2c4/0xfd0 net/ipv6/af_inet6.c:170
[< none >] __sock_create+0x37c/0x640 net/socket.c:1162
[< inline >] sock_create net/socket.c:1202
[< inline >] SYSC_socket net/socket.c:1232
[< none >] SyS_socket+0xef/0x1b0 net/socket.c:1212
[< none >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
Call Trace:
[<ffffffff816cec2e>] __asan_report_load4_noabort+0x3e/0x40
mm/kasan/report.c:294
[<ffffffff84affb14>] sock_setsockopt+0x1284/0x13d0 net/core/sock.c:880
[< inline >] SYSC_setsockopt net/socket.c:1746
[<ffffffff84aed7ee>] SyS_setsockopt+0x1fe/0x240 net/socket.c:1729
[<ffffffff85c18c76>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
On commit edb42dc7bc0da0125ceacab810a553ce1f0cac8d (Dec 15).