KASAN: slab-out-of-bounds in j1939_session_tx_rts


Shuangpeng Bai

Mar 26, 2023, 2:54:58 PM3/26/23
to syzk...@googlegroups.com
Hi Syzkaller Team,

We found a bug by using our modified Syzkaller.

Kernel Commit: v6.2
Kernel config: see attachment
C/Syz reproducer: see attachment

Best,
Shuangpeng



[   64.636824][    C0] ==================================================================
[ 64.637568][ C0] BUG: KASAN: slab-out-of-bounds in j1939_session_tx_rts (net/can/j1939/transport.c:? net/can/j1939/transport.c:656 net/can/j1939/transport.c:674 net/can/j1939/transport.c:742)
[   64.638240][    C0] Read of size 1072 at addr ffff88802a6de840 by task a.out/8093
[   64.638871][    C0]
[   64.639152][    C0] CPU: 0 PID: 8093 Comm: a.out Tainted: G        W          6.2.0-dirty #4
[   64.639894][    C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   64.645572][    C0] Call Trace:
[   64.646732][    C0]  <IRQ>
[ 64.647631][ C0] dump_stack_lvl (lib/dump_stack.c:107)
[ 64.649317][ C0] ? show_regs_print_info (lib/dump_stack.c:98)
[ 64.651115][ C0] ? __wake_up_klogd (./arch/x86/include/asm/preempt.h:104 kernel/printk/printk.c:3757)
[ 64.652709][ C0] ? log_buf_vmcoreinfo_setup (kernel/printk/printk.c:2375)
[ 64.654640][ C0] ? _printk (kernel/printk/printk.c:2383)
[ 64.661956][ C0] print_address_description (mm/kasan/report.c:307)
[ 64.662591][ C0] print_report (mm/kasan/report.c:418)
[ 64.663014][ C0] ? __virt_addr_valid (./include/linux/mmzone.h:? arch/x86/mm/physaddr.c:65)
[ 64.663673][ C0] ? __phys_addr (arch/x86/mm/physaddr.c:31)
[ 64.665258][ C0] ? j1939_session_tx_rts (net/can/j1939/transport.c:? net/can/j1939/transport.c:656 net/can/j1939/transport.c:674 net/can/j1939/transport.c:742)
[ 64.667444][ C0] kasan_report (mm/kasan/report.c:?)
[ 64.669088][ C0] ? __kmem_cache_alloc_node (mm/slab.h:? mm/slab.c:3263 mm/slab.c:3546)
[ 64.671159][ C0] ? j1939_session_tx_rts (net/can/j1939/transport.c:? net/can/j1939/transport.c:656 net/can/j1939/transport.c:674 net/can/j1939/transport.c:742)
[ 64.671781][ C0] kasan_check_range (mm/kasan/generic.c:? mm/kasan/generic.c:189)
[ 64.672493][ C0] ? j1939_session_tx_rts (net/can/j1939/transport.c:? net/can/j1939/transport.c:656 net/can/j1939/transport.c:674 net/can/j1939/transport.c:742)
[ 64.673508][ C0] memcpy (mm/kasan/shadow.c:65)
[ 64.673990][ C0] j1939_session_tx_rts (net/can/j1939/transport.c:? net/can/j1939/transport.c:656 net/can/j1939/transport.c:674 net/can/j1939/transport.c:742)
[ 64.674439][ C0] j1939_tp_txtimer (net/can/j1939/transport.c:? net/can/j1939/transport.c:1156)
[ 64.674871][ C0] ? __lock_acquire (kernel/locking/lockdep.c:5676)
[ 64.675644][ C0] ? print_irqtrace_events (kernel/locking/lockdep.c:4274)
[ 64.676107][ C0] ? do_raw_spin_unlock (./arch/x86/include/asm/atomic.h:29 ./include/linux/atomic/atomic-instrumented.h:28 ./include/asm-generic/qspinlock.h:57 kernel/locking/spinlock_debug.c:100 kernel/locking/spinlock_debug.c:140)
[ 64.676567][ C0] ? rcu_read_lock_sched_held (kernel/rcu/update.c:104 kernel/rcu/update.c:123)
[ 64.677136][ C0] ? __bpf_trace_rcu_stall_warning (kernel/rcu/update.c:120)
[ 64.677957][ C0] ? j1939_session_destroy (net/can/j1939/transport.c:1146)
[ 64.678497][ C0] ? hrtimer_run_softirq (kernel/time/hrtimer.c:?)
[ 64.679206][ C0] __hrtimer_run_queues (kernel/time/hrtimer.c:1685 kernel/time/hrtimer.c:1749)
[ 64.679809][ C0] ? j1939_session_destroy (net/can/j1939/transport.c:1146)
[ 64.680336][ C0] ? hrtimer_interrupt (kernel/time/hrtimer.c:1719)
[ 64.681055][ C0] ? kvm_clock_get_cycles (./arch/x86/include/asm/preempt.h:95 arch/x86/kernel/kvmclock.c:80 arch/x86/kernel/kvmclock.c:86)
[ 64.681783][ C0] hrtimer_run_softirq (kernel/time/hrtimer.c:1768)
[ 64.682608][ C0] __do_softirq (kernel/softirq.c:572)
[ 64.683247][ C0] ? __irq_exit_rcu (kernel/softirq.c:630 kernel/softirq.c:652)
[ 64.683715][ C0] ? __lock_text_end (kernel/softirq.c:529)
[ 64.684185][ C0] __irq_exit_rcu (kernel/softirq.c:630 kernel/softirq.c:652)
[ 64.684968][ C0] ? irq_exit_rcu (kernel/softirq.c:641)
[ 64.685756][ C0] ? __sysvec_apic_timer_interrupt (./include/asm-generic/irq_regs.h:29 arch/x86/kernel/apic/apic.c:1116)
[ 64.686807][ C0] irq_exit_rcu (kernel/softirq.c:664)
[ 64.687506][ C0] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107)
[   64.688448][    C0]  </IRQ>
[   64.688943][    C0]  <TASK>
[ 64.689445][ C0] asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:649)
[ 64.690457][ C0] RIP: 0010:_raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)
[ 64.691565][ C0] Code: f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 3a 66 25 f7 f6 44 24 21 02 75 4e 41 f7 c7 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> 0f d9 a4 f6 65 8b 05 00 aa 4b 75 85 c0 74 3f 48 c7 04 24 0e 36
All code
========
   0: f0 48 c1 e8 03       lock shr $0x3,%rax
   5: 42 80 3c 20 00       cmpb   $0x0,(%rax,%r12,1)
   a: 74 08                 je     0x14
   c: 4c 89 f7             mov    %r14,%rdi
   f: e8 3a 66 25 f7       call   0xfffffffff725664e
  14: f6 44 24 21 02       testb  $0x2,0x21(%rsp)
  19: 75 4e                 jne    0x69
  1b: 41 f7 c7 00 02 00 00 test   $0x200,%r15d
  22: 74 01                 je     0x25
  24: fb                   sti    
  25: bf 01 00 00 00       mov    $0x1,%edi
  2a:* e8 0f d9 a4 f6       call   0xfffffffff6a4d93e <-- trapping instruction
  2f: 65 8b 05 00 aa 4b 75 mov    %gs:0x754baa00(%rip),%eax        # 0x754baa36
  36: 85 c0                 test   %eax,%eax
  38: 74 3f                 je     0x79
  3a: 48                   rex.W
  3b: c7                   .byte 0xc7
  3c: 04 24                 add    $0x24,%al
  3e: 0e                   (bad)  
  3f: 36                   ss

Code starting with the faulting instruction
===========================================
   0: e8 0f d9 a4 f6       call   0xfffffffff6a4d914
   5: 65 8b 05 00 aa 4b 75 mov    %gs:0x754baa00(%rip),%eax        # 0x754baa0c
   c: 85 c0                 test   %eax,%eax
   e: 74 3f                 je     0x4f
  10: 48                   rex.W
  11: c7                   .byte 0xc7
  12: 04 24                 add    $0x24,%al
  14: 0e                   (bad)  
  15: 36                   ss
[   64.694909][    C0] RSP: 0018:ffffc90002ce7760 EFLAGS: 00000206
[   64.695952][    C0] RAX: 1ffff9200059cef0 RBX: ffff88806202a6c0 RCX: 0000000000000000
[   64.697281][    C0] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000001
[   64.698637][    C0] RBP: ffffc90002ce77f0 R08: dffffc0000000000 R09: ffffed100c4054d9
[   64.699987][    C0] R10: ffffed100c4054d9 R11: 0000000000000000 R12: dffffc0000000000
[   64.701336][    C0] R13: 1ffff9200059ceec R14: ffffc90002ce7780 R15: 0000000000000a06
[ 64.702708][ C0] ? _raw_spin_unlock (kernel/locking/spinlock.c:193)
[ 64.703544][ C0] j1939_sk_sendmsg (net/can/j1939/socket.c:? net/can/j1939/socket.c:1256)
[ 64.704384][ C0] ? j1939_sk_getsockopt (net/can/j1939/socket.c:1192)
[ 64.705299][ C0] ? security_socket_sendmsg (security/security.c:?)
[ 64.706041][ C0] ? j1939_sk_getsockopt (net/can/j1939/socket.c:1192)
[ 64.706536][ C0] ____sys_sendmsg (net/socket.c:714 net/socket.c:734 net/socket.c:2479)
[ 64.707042][ C0] ? __sys_sendmsg_sock (net/socket.c:2426)
[ 64.707523][ C0] ? __fdget (fs/file.c:1017 fs/file.c:1029)
[ 64.707952][ C0] __sys_sendmmsg (net/socket.c:2533 net/socket.c:2619)
[ 64.708472][ C0] ? __ia32_sys_sendmsg (net/socket.c:2580)
[ 64.708949][ C0] ? fault_around_bytes_set (mm/memory.c:4025)
[ 64.709514][ C0] ? __lock_acquire (kernel/locking/lockdep.c:5676)
[ 64.709984][ C0] ? __rcu_read_lock (kernel/rcu/tree_plugin.h:417)
[ 64.710499][ C0] ? handle_mm_fault (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/linux/perf_event.h:1292 mm/memory.c:5137 mm/memory.c:5238)
[ 64.710957][ C0] ? rcu_read_lock_sched_held (kernel/rcu/update.c:104 kernel/rcu/update.c:123)
[ 64.711619][ C0] ? __bpf_trace_rcu_stall_warning (kernel/rcu/update.c:120)
[ 64.712113][ C0] ? trace_lock_release (./include/trace/events/lock.h:69)
[ 64.712643][ C0] ? do_user_addr_fault (arch/x86/mm/fault.c:1457)
[ 64.713688][ C0] ? lock_release (kernel/locking/lockdep.c:115 kernel/locking/lockdep.c:5681)
[ 64.714603][ C0] ? numa_migrate_prep (mm/memory.c:5193)
[ 64.715579][ C0] ? up_read (kernel/locking/rwsem.c:1332)
[ 64.716393][ C0] ? __vma_adjust (mm/mmap.c:1831)
[ 64.717358][ C0] ? rcu_read_lock_sched_held (kernel/rcu/update.c:104 kernel/rcu/update.c:123)
[ 64.718475][ C0] ? print_irqtrace_events (kernel/locking/lockdep.c:4274)
[ 64.719222][ C0] __x64_sys_sendmmsg (net/socket.c:2648 net/socket.c:2645 net/socket.c:2645)
[ 64.720099][ C0] do_syscall_64 (arch/x86/entry/common.c:?)
[ 64.720864][ C0] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
[   64.721625][    C0] RIP: 0033:0x7fe38d2e4469
[ 64.722230][ C0] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
All code
========
   0: 00 f3                 add    %dh,%bl
   2: c3                   ret    
   3: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
   a: 00 00 00
   d: 0f 1f 40 00           nopl   0x0(%rax)
  11: 48 89 f8             mov    %rdi,%rax
  14: 48 89 f7             mov    %rsi,%rdi
  17: 48 89 d6             mov    %rdx,%rsi
  1a: 48 89 ca             mov    %rcx,%rdx
  1d: 4d 89 c2             mov    %r8,%r10
  20: 4d 89 c8             mov    %r9,%r8
  23: 4c 8b 4c 24 08       mov    0x8(%rsp),%r9
  28: 0f 05                 syscall
  2a:* 48 3d 01 f0 ff ff     cmp    $0xfffffffffffff001,%rax <-- trapping instruction
  30: 73 01                 jae    0x33
  32: c3                   ret    
  33: 48 8b 0d ff 49 2b 00 mov    0x2b49ff(%rip),%rcx        # 0x2b4a39
  3a: f7 d8                 neg    %eax
  3c: 64 89 01             mov    %eax,%fs:(%rcx)
  3f: 48                   rex.W

Code starting with the faulting instruction
===========================================
   0: 48 3d 01 f0 ff ff     cmp    $0xfffffffffffff001,%rax
   6: 73 01                 jae    0x9
   8: c3                   ret    
   9: 48 8b 0d ff 49 2b 00 mov    0x2b49ff(%rip),%rcx        # 0x2b4a0f
  10: f7 d8                 neg    %eax
  12: 64 89 01             mov    %eax,%fs:(%rcx)
  15: 48                   rex.W
[   64.724555][    C0] RSP: 002b:00007ffdb3961548 EFLAGS: 00000202 ORIG_RAX: 0000000000000133
[   64.725534][    C0] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe38d2e4469
[   64.726314][    C0] RDX: 0000000000000002 RSI: 0000000020003400 RDI: 0000000000000003
[   64.727003][    C0] RBP: 00007ffdb3961560 R08: 000000000000000a R09: 000000000000000a
[   64.727707][    C0] R10: 0000000000000044 R11: 0000000000000202 R12: 0000555656201220
[   64.728724][    C0] R13: 00007ffdb3961670 R14: 0000000000000000 R15: 0000000000000000
[   64.729815][    C0]  </TASK>
[   64.730125][    C0]
[   64.730348][    C0] Allocated by task 8093:
[ 64.730786][ C0] kasan_set_track (mm/kasan/common.c:46 mm/kasan/common.c:52)
[ 64.731232][ C0] __kasan_kmalloc (mm/kasan/common.c:383)
[ 64.731671][ C0] j1939_session_new (net/can/j1939/transport.c:1488)
[ 64.732128][ C0] j1939_tp_send (net/can/j1939/transport.c:1998)
[ 64.732552][ C0] j1939_sk_sendmsg (net/can/j1939/socket.c:1133 net/can/j1939/socket.c:1256)
[ 64.733020][ C0] ____sys_sendmsg (net/socket.c:714 net/socket.c:734 net/socket.c:2479)
[ 64.733459][ C0] __sys_sendmmsg (net/socket.c:2533 net/socket.c:2619)
[ 64.733903][ C0] __x64_sys_sendmmsg (net/socket.c:2648 net/socket.c:2645 net/socket.c:2645)
[ 64.734393][ C0] do_syscall_64 (arch/x86/entry/common.c:?)
[ 64.734855][ C0] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
[   64.735444][    C0]
[   64.735696][    C0] The buggy address belongs to the object at ffff88802a6de800
[   64.735696][    C0]  which belongs to the cache kmalloc-512 of size 512
[   64.737045][    C0] The buggy address is located 64 bytes inside of
[   64.737045][    C0]  512-byte region [ffff88802a6de800, ffff88802a6dea00)
[   64.738263][    C0]
[   64.738522][    C0] The buggy address belongs to the physical page:
[   64.739167][    C0] page:ffffea0000a9b780 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a6de
[   64.740182][    C0] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   64.740887][    C0] raw: 00fff00000000200 ffff88801f440600 ffffea0000e17950 ffff88801f441750
[   64.741668][    C0] raw: 0000000000000000 ffff88802a6de000 0000000100000004 0000000000000000
[   64.742491][    C0] page dumped because: kasan: bad access detected
[   64.743148][    C0] page_owner tracks the page as allocated
[   64.743702][    C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2c20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_THISNODE), pid 8093, tgid 8093 (a.out), ts 64635905739, free_ts 34719457101
[ 64.745624][ C0] get_page_from_freelist (mm/page_alloc.c:2533 mm/page_alloc.c:4283)
[ 64.746126][ C0] __alloc_pages (mm/page_alloc.c:5549)
[ 64.746525][ C0] kmem_getpages (mm/slab.c:1364)
[ 64.746953][ C0] cache_grow_begin (mm/slab.c:2577)
[ 64.747490][ C0] cache_alloc_refill (mm/slab.c:2949)
[ 64.747936][ C0] __kmem_cache_alloc_node (mm/slab.c:3025 mm/slab.c:3208 mm/slab.c:3256 mm/slab.c:3546)
[ 64.748387][ C0] __kmalloc_node_track_caller (./include/linux/kasan.h:211 mm/slab_common.c:968 mm/slab_common.c:988)
[ 64.748906][ C0] __alloc_skb (net/core/skbuff.c:495 net/core/skbuff.c:565)
[ 64.749308][ C0] alloc_skb_with_frags (net/core/skbuff.c:6195)
[ 64.749770][ C0] sock_alloc_send_pskb (net/core/sock.c:2745)
[ 64.750295][ C0] j1939_sk_sendmsg (net/can/j1939/socket.c:870 net/can/j1939/socket.c:1121 net/can/j1939/socket.c:1256)
[ 64.750814][ C0] ____sys_sendmsg (net/socket.c:714 net/socket.c:734 net/socket.c:2479)
[ 64.751307][ C0] __sys_sendmmsg (net/socket.c:2533 net/socket.c:2619)
[ 64.751757][ C0] __x64_sys_sendmmsg (net/socket.c:2648 net/socket.c:2645 net/socket.c:2645)
[ 64.752187][ C0] do_syscall_64 (arch/x86/entry/common.c:?)
[ 64.752600][ C0] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
[   64.753134][    C0] page last free stack trace:
[ 64.753567][ C0] free_pcp_prepare (./include/linux/page_owner.h:? mm/page_alloc.c:1446 mm/page_alloc.c:1496)
[ 64.754027][ C0] free_unref_page (mm/page_alloc.c:3369 mm/page_alloc.c:3464)
[ 64.754508][ C0] kasan_depopulate_vmalloc_pte (./include/linux/spinlock.h:390 mm/kasan/shadow.c:377)
[ 64.755085][ C0] __apply_to_page_range (mm/memory.c:2596 mm/memory.c:2640 mm/memory.c:2676 mm/memory.c:2712 mm/memory.c:2746)
[ 64.755599][ C0] kasan_release_vmalloc (mm/kasan/shadow.c:496)
[ 64.756097][ C0] __purge_vmap_area_lazy (./include/linux/instrumented.h:102 ./include/linux/atomic/atomic-instrumented.h:1361 mm/vmalloc.c:1779)
[ 64.756570][ C0] _vm_unmap_aliases (mm/vmalloc.c:2187)
[ 64.756932][ C0] change_page_attr_set_clr (arch/x86/mm/pat/set_memory.c:1839)
[ 64.757479][ C0] set_memory_ro (arch/x86/mm/pat/set_memory.c:1885 arch/x86/mm/pat/set_memory.c:2076)
[ 64.757894][ C0] bpf_prog_select_runtime (kernel/bpf/core.c:2120 kernel/bpf/core.c:2210)
[ 64.758325][ C0] bpf_prepare_filter (net/core/filter.c:1298 net/core/filter.c:1346)
[ 64.758712][ C0] sk_attach_filter (net/core/filter.c:1530)
[ 64.759077][ C0] sk_setsockopt (net/core/sock.c:?)
[ 64.759463][ C0] __sys_setsockopt (net/socket.c:?)
[ 64.759852][ C0] __x64_sys_setsockopt (net/socket.c:2260 net/socket.c:2257 net/socket.c:2257)
[ 64.760273][ C0] do_syscall_64 (arch/x86/entry/common.c:?)
[   64.760631][    C0]
[   64.760822][    C0] Memory state around the buggy address:
[   64.761271][    C0]  ffff88802a6de880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   64.761922][    C0]  ffff88802a6de900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   64.762569][    C0] >ffff88802a6de980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.763196][    C0]                    ^
[   64.763522][    C0]  ffff88802a6dea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.764182][    C0]  ffff88802a6dea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.764836][    C0] ==================================================================
Attachments: repro.cprog, repro.prog, .config
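Added here as an example, not part of the original report: a small Python parser for the KASAN report format above that pulls out the triage fields (bug class, faulting function, access kind and size, slab cache, allocation site) and computes how far the access runs past the end of the kmalloc-512 object. The sample text is a constructed excerpt of the report in this message, and the class and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the KASAN report posted above, dmesg prefix kept
# (with its padding collapsed the way mail clients tend to do it).
SAMPLE_REPORT = """\
[ 64.637568][ C0] BUG: KASAN: slab-out-of-bounds in j1939_session_tx_rts (net/can/j1939/transport.c:742)
[   64.638240][    C0] Read of size 1072 at addr ffff88802a6de840 by task a.out/8093
[   64.730348][    C0] Allocated by task 8093:
[ 64.730786][ C0] kasan_set_track (mm/kasan/common.c:46 mm/kasan/common.c:52)
[ 64.731232][ C0] __kasan_kmalloc (mm/kasan/common.c:383)
[ 64.731671][ C0] j1939_session_new (net/can/j1939/transport.c:1488)
[ 64.732128][ C0] j1939_tp_send (net/can/j1939/transport.c:1998)
[   64.735444][    C0]
[   64.735696][    C0]  which belongs to the cache kmalloc-512 of size 512
[   64.737045][    C0]  512-byte region [ffff88802a6de800, ffff88802a6dea00)
"""

PREFIX_RE = re.compile(r"^\[\s*[\d.]+\]\[\s*[CT]\d+\]\s?")  # "[ 64.637568][ C0] "
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
REGION_RE = re.compile(r"\d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
ALLOC_RE = re.compile(r"^Allocated by task \d+:")
FRAME_RE = re.compile(r"^(?P<func>\w+) \([^)]*\)")  # "func (file:line ...)"
PLUMBING = ("kasan_", "__kasan_", "kmalloc", "__kmalloc", "kmem_cache")

@dataclass
class KasanReport:
    kind: str = ""       # e.g. slab-out-of-bounds
    func: str = ""       # function KASAN attributes the bad access to
    op: str = ""         # Read or Write
    size: int = 0
    addr: int = 0
    task: str = ""
    cache: str = ""
    region_start: int = 0
    region_end: int = 0
    alloc_stack: List[str] = field(default_factory=list)
    def offset_in_region(self) -> int:
        return self.addr - self.region_start
    def bytes_past_end(self) -> int:
        # How far the access runs beyond the slab object (0 if it fits).
        return max(0, self.addr + self.size - self.region_end)
    def alloc_site(self) -> Optional[str]:
        # First allocation-stack frame that is not allocator/KASAN plumbing.
        return next((f for f in self.alloc_stack if not f.startswith(PLUMBING)), None)

def parse_kasan_report(text: str) -> KasanReport:
    rep = KasanReport()
    in_alloc = False
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if in_alloc:
            m = FRAME_RE.match(line)
            if m:
                rep.alloc_stack.append(m.group("func"))
                continue
            in_alloc = False  # a blank or non-frame line ends the stack
        if ALLOC_RE.match(line):
            in_alloc = True
        elif m := BUG_RE.search(line):
            rep.kind, rep.func = m.group("kind"), m.group("func")
        elif m := ACCESS_RE.search(line):
            rep.op, rep.size = m.group("op"), int(m.group("size"))
            rep.addr, rep.task = int(m.group("addr"), 16), m.group("task")
        elif m := CACHE_RE.search(line):
            rep.cache = m.group("cache")
        elif m := REGION_RE.search(line):
            rep.region_start = int(m.group("start"), 16)
            rep.region_end = int(m.group("end"), 16)
    return rep
```

On the report above this yields an access starting 64 bytes into the object, with the 1072-byte read ending 624 bytes past the end of the 512-byte region.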

Aleksandr Nogikh

Mar 26, 2023, 3:47:11 PM3/26/23
to Shuangpeng Bai, syzk...@googlegroups.com
Hi Shuangpeng,

There's unfortunately not much sense in reporting Linux kernel bugs
only to this group, as the group is mostly about issues of and
discussions about syzkaller itself. You should report the bug to the
maintainers and mailing list(s) of the affected Linux kernel code,
only then it will be noticed and, hopefully, fixed.

--
Best Regards,
Aleksandr

Shuangpeng

Mar 26, 2023, 5:59:15 PM3/26/23
to syzkaller
Hi Aleksandr,

I am new to kernel bug reporting. Could you please check whether it is good to report kernel bugs in the following procedure? Thank you!
  1. I checked that the error occurs in the source file net/can/j1939/transport.c.
  2. I found the corresponding maintainers through the command perl scripts/get_maintainer.pl -f ./net/can/j1939/transport.c. After that, I got a bunch of email addresses.
  3. Add these maintainers as recipients.
The email address list is:

    Robin van der Gracht <ro...@protonic.nl> (maintainer:CAN-J1939 NETWORK LAYER)
    Oleksij Rempel <li...@rempel-privat.de> (maintainer:CAN-J1939 NETWORK LAYER)
    ker...@pengutronix.de (reviewer: CAN-J1939 NETWORK LAYER)
    Oliver Hartkopp <sock...@hartkopp.net> (maintainer: CAN NETWORK LAYER)
    Marc Kleine-Budde <m...@pengutronix.de> (maintainer: CAN NETWORK LAYER)
    "David S. Miller" <da...@davemloft.net> (maintainer:NETWORKING [GENERAL])
    Eric Dumazet <edum...@google.com> (maintainer:NETWORKING [GENERAL])
    Jakub Kicinski <ku...@kernel.org> (maintainer:NETWORKING [GENERAL])
    Paolo Abeni <pab...@redhat.com> (maintainer:NETWORKING [GENERAL])
    linu...@vger.kernel.org (open list: CAN-J1939 NETWORK LAYER)
    net...@vger.kernel.org (open list: NETWORKING [GENERAL])
    linux-...@vger.kernel.org (open list)

Is this okay? Thank you so much for your help.

Best,
Shuangpeng

Aleksandr Nogikh

Mar 27, 2023, 5:58:18 AM3/27/23
to Shuangpeng, syzkaller
Hi Shuangpeng,

Yes, both the procedure and the resulting list of emails seem reasonable.

--
Aleksandr

白双朋

Mar 27, 2023, 1:59:21 PM3/27/23
to ro...@protonic.nl, li...@rempel-privat.de, ker...@pengutronix.de, sock...@hartkopp.net, m...@pengutronix.de, syzkaller
Hi Kernel Maintainers,

We found a slab-out-of-bounds bug in net/can/j1939/transport.c.

Please see this page (https://groups.google.com/g/syzkaller/c/G_LL-C3plRs/m/_f_B37VMAgAJ) for more details of the bug report, kernel commit and reproducers.


Best,

Shuangpeng




Aleksandr Nogikh <nog...@google.com> wrote on Mon, 27 Mar 2023, 05:58:

Oleksij Rempel

Mar 28, 2023, 5:26:31 AM3/28/23
to 白双朋, ro...@protonic.nl, li...@rempel-privat.de, ker...@pengutronix.de, sock...@hartkopp.net, m...@pengutronix.de, syzkaller
Hi,

On Mon, Mar 27, 2023 at 01:59:09PM -0400, 白双朋 wrote:
> Hi Kernel Maintainers,
>
> We found a slab-out-of-bounds bug in *net/can/j1939/transport.c*.
>
> Please see this page (
> https://groups.google.com/g/syzkaller/c/G_LL-C3plRs/m/_f_B37VMAgAJ) for
> more details of the bug report, kernel commit and reproducers.

thank you for your bug report. What Reported-by attribute should I use for the
patch?

Regards,
Oleksij
--
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

白双朋

Mar 28, 2023, 11:00:30 AM3/28/23
to Oleksij Rempel, ro...@protonic.nl, li...@rempel-privat.de, ker...@pengutronix.de, sock...@hartkopp.net, m...@pengutronix.de, syzkaller
Hi Oleksij,

The reporter can be Shuangpeng Bai from Penn State. Thank you.

Best,
Shuangpeng

Oleksij Rempel <o.re...@pengutronix.de> wrote on Tue, 28 Mar 2023, 05:01:

Oleksij Rempel

Mar 28, 2023, 11:05:40 AM3/28/23
to 白双朋, ro...@protonic.nl, li...@rempel-privat.de, ker...@pengutronix.de, sock...@hartkopp.net, m...@pengutronix.de, syzkaller
On Tue, Mar 28, 2023 at 11:00:17AM -0400, 白双朋 wrote:
> Hi Oleksij,
>
> The reporter can be Shuangpeng Bai from Penn State. Thank you.

Reported-by: Shuangpeng Bai <bb993...@gmail.com>
or Shuangpeng Bai <sjb...@psu.edu>?

白双朋

Mar 28, 2023, 11:07:37 AM3/28/23
to Oleksij Rempel, ro...@protonic.nl, li...@rempel-privat.de, ker...@pengutronix.de, sock...@hartkopp.net, m...@pengutronix.de, syzkaller
Shuangpeng Bai <sjb...@psu.edu> is better. Thank you!

Oleksij Rempel <o.re...@pengutronix.de> wrote on Tue, 28 Mar 2023, 11:05:

Oleksij Rempel

Mar 29, 2023, 6:35:06 AM3/29/23
to 白双朋, ro...@protonic.nl, li...@rempel-privat.de, ker...@pengutronix.de, sock...@hartkopp.net, m...@pengutronix.de, syzkaller
Hi!

On Tue, Mar 28, 2023 at 11:07:25AM -0400, 白双朋 wrote:
> Shuangpeng Bai <sjb...@psu.edu> is better. Thank you!
>
> Oleksij Rempel <o.re...@pengutronix.de> wrote on Tue, 28 Mar 2023, 11:05:
>
> > On Tue, Mar 28, 2023 at 11:00:17AM -0400, 白双朋 wrote:
> > > Hi Oleksij,
> > >
> > > The reporter can be Shuangpeng Bai from Penn State. Thank you.

Can you please test following change:
diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
index fb92c3609e17..fe3df23a2595 100644
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -604,7 +604,10 @@ sk_buff *j1939_tp_tx_dat_new(struct j1939_priv *priv,
/* reserve CAN header */
skb_reserve(skb, offsetof(struct can_frame, data));

- memcpy(skb->cb, re_skcb, sizeof(skb->cb));
+ /* skb->cb must be large enough to hold a j1939_sk_buff_cb structure */
+ BUILD_BUG_ON(sizeof(skb->cb) < sizeof(*re_skcb));
+
+ memcpy(skb->cb, re_skcb, sizeof(*re_skcb));
skcb = j1939_skb_to_cb(skb);
if (swap_src_dst)
j1939_skbcb_swap(skcb);
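Review bot: the length argument to `memcpy` now follows the source object (`sizeof(*re_skcb)`) instead of the destination buffer (`sizeof(skb->cb)`), which is what the report above needs: `re_skcb` is a `struct j1939_sk_buff_cb`, and whenever that structure is smaller than `skb->cb` the removed line read past its end, consistent with the out-of-bounds read KASAN attributes to `j1939_session_tx_rts` on an object allocated in `j1939_session_new`. The new `BUILD_BUG_ON(sizeof(skb->cb) < sizeof(*re_skcb))` covers the opposite direction (a control block that has outgrown `skb->cb`) at compile time, so both size mismatches are handled. For the commit message, carry the `Reported-by:` line agreed earlier in this thread and add a `Fixes:` tag for the commit that introduced this copy.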

Regards,
Oleksij

白双朋

Apr 3, 2023, 1:59:51 PM4/3/23
to Oleksij Rempel, ro...@protonic.nl, li...@rempel-privat.de, ker...@pengutronix.de, sock...@hartkopp.net, m...@pengutronix.de, syzkaller
Hi Oleksij,

After adding the fix, the error did not occur again. Thank you!

Best,
Shuangpeng

Oleksij Rempel <o.re...@pengutronix.de> wrote on Wed, 29 Mar 2023, 06:35: