syzbot


UBSAN: shift-out-of-bounds in tcindex_set_parms

Status: fixed on 2021/03/10 01:49
Subsystems: net
Fix commit: bcd0cf19ef82 net_sched: avoid shift-out-of-bounds in tcindex_set_parms()
First crash: 1248d, last: 1213d
Cause bisection: introduced by (bisect log) [merge commit]:
commit 1de4f2ef216dade3b5bd5f5247c4c750a953f51c
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sat Nov 10 19:27:58 2018 +0000

  Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

Crash: KASAN: use-after-free Read in __tcf_block_put (log)
Repro: C syz .config
Fix bisection: fixed by (bisect log):
commit 66c556025d687dbdd0f748c5e1df89c977b6c02a
Author: Alexander Lobakin <alobakin@pm.me>
Date: Fri Jan 15 15:04:40 2021 +0000

  skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too


Sample crash report:
================================================================================
UBSAN: shift-out-of-bounds in net/sched/cls_tcindex.c:260:29
shift exponent 255 is too large for 32-bit type 'int'
CPU: 0 PID: 8516 Comm: syz-executor228 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 valid_perfect_hash net/sched/cls_tcindex.c:260 [inline]
 tcindex_set_parms.cold+0x1b/0x215 net/sched/cls_tcindex.c:425
 tcindex_change+0x232/0x340 net/sched/cls_tcindex.c:546
 tc_new_tfilter+0x13fb/0x21b0 net/sched/cls_api.c:2127
 rtnetlink_rcv_msg+0x8b6/0xb80 net/core/rtnetlink.c:5555
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2336
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2390
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2423
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441659
Code: e8 3c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffcb9470898 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441659
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000006
RBP: 00000000006cc018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402400
R13: 0000000000402490 R14: 0000000000000000 R15: 0000000000000000
================================================================================

Crashes (45):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/12/17 00:49 upstream 5e60366d56c6 04201c06 .config console log report syz C ci-upstream-kasan-gce
2021/01/20 15:09 net-next-old 7b8fc0103bb5 d4f4eca5 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in tcindex_set_parms
2021/01/15 15:15 upstream 146620506274 65a7a854 .config console log report info ci-upstream-kasan-gce
2021/01/13 14:10 upstream e609571b5ffa a945f0a3 .config console log report info ci-upstream-kasan-gce
2021/01/10 09:17 upstream 2ff90100ace8 2c1f2513 .config console log report info ci-upstream-kasan-gce
2021/01/10 09:16 upstream 2ff90100ace8 2c1f2513 .config console log report info ci-upstream-kasan-gce
2021/01/10 09:01 upstream 2ff90100ace8 2c1f2513 .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/10 08:02 upstream 2ff90100ace8 2c1f2513 .config console log report info ci-upstream-kasan-gce
2021/01/10 07:17 upstream 2ff90100ace8 2c1f2513 .config console log report info ci-upstream-kasan-gce
2021/01/10 05:53 upstream 2ff90100ace8 2c1f2513 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/26 08:04 upstream 5814bc2d4cc2 821e0b09 .config console log report info ci-upstream-kasan-gce
2020/12/19 15:38 upstream 3644e2d2dda7 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/17 21:08 upstream accefff5b547 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/17 20:45 upstream accefff5b547 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/17 20:39 upstream accefff5b547 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/17 13:23 upstream accefff5b547 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/16 21:56 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/19 13:33 upstream 3644e2d2dda7 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/17 15:36 upstream accefff5b547 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/16 23:34 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/16 17:46 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce-386
2021/01/10 20:02 net-old f97844f9c518 2c1f2513 .config console log report info ci-upstream-net-this-kasan-gce
2021/01/10 15:55 net-old f97844f9c518 2c1f2513 .config console log report info ci-upstream-net-this-kasan-gce
2020/12/26 15:27 net-old 1f45dc220667 821e0b09 .config console log report info ci-upstream-net-this-kasan-gce
2020/12/22 12:27 net-old 54ddbdb02488 04201c06 .config console log report info ci-upstream-net-this-kasan-gce
2020/12/18 17:25 net-old d64c6f96ba86 04201c06 .config console log report info ci-upstream-net-this-kasan-gce
2020/12/18 16:55 net-old d64c6f96ba86 04201c06 .config console log report info ci-upstream-net-this-kasan-gce
2021/01/15 13:39 net-next-old 1d9f03c0a15f 65a7a854 .config console log report info ci-upstream-net-kasan-gce
2021/01/15 00:38 net-next-old 0ae5b43d6dde 65a7a854 .config console log report info ci-upstream-net-kasan-gce
2021/01/13 20:41 net-next-old f50e2f9f7916 a945f0a3 .config console log report info ci-upstream-net-kasan-gce
2021/01/11 18:26 net-next-old 73b7a6047971 2c1f2513 .config console log report info ci-upstream-net-kasan-gce
2021/01/11 05:45 net-next-old 73b7a6047971 2c1f2513 .config console log report info ci-upstream-net-kasan-gce
2021/01/05 22:40 net-next-old 3db1a3fa9880 a0234d98 .config console log report info ci-upstream-net-kasan-gce
2021/01/05 19:52 net-next-old 3db1a3fa9880 a0234d98 .config console log report info ci-upstream-net-kasan-gce
2021/01/05 06:50 net-next-old 3db1a3fa9880 2a28ff1f .config console log report info ci-upstream-net-kasan-gce
2021/01/05 03:59 net-next-old 3db1a3fa9880 2a28ff1f .config console log report info ci-upstream-net-kasan-gce
2021/01/04 16:46 net-next-old 3db1a3fa9880 79264ae3 .config console log report info ci-upstream-net-kasan-gce
2021/01/04 16:22 net-next-old 3db1a3fa9880 79264ae3 .config console log report info ci-upstream-net-kasan-gce
2021/01/03 07:45 net-next-old 3db1a3fa9880 79264ae3 .config console log report info ci-upstream-net-kasan-gce
2021/01/02 22:50 net-next-old 3db1a3fa9880 79264ae3 .config console log report info ci-upstream-net-kasan-gce
2021/01/02 07:29 net-next-old 3db1a3fa9880 79264ae3 .config console log report info ci-upstream-net-kasan-gce
2021/01/01 13:50 net-next-old 3db1a3fa9880 79264ae3 .config console log report info ci-upstream-net-kasan-gce
2020/12/31 22:23 net-next-old 3db1a3fa9880 79264ae3 .config console log report info ci-upstream-net-kasan-gce
2020/12/28 12:20 net-next-old 3db1a3fa9880 2242f77f .config console log report info ci-upstream-net-kasan-gce
2020/12/17 18:05 linux-next 90cc8cf2d1ab 04201c06 .config console log report info ci-upstream-linux-next-kasan-gce-root