syzbot


KASAN: use-after-free Write in xfrm_hash_rebuild

Status: fixed on 2019/08/05 13:45
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+0165480d4ef07360eeda@syzkaller.appspotmail.com
Fix commit: fd709721352d xfrm: policy: fix bydst hlist corruption on hash rebuild
First crash: 2038d, last: 1984d
Cause bisection: introduced by (bisect log) :
commit 1548bc4e0512700cf757192c106b3a20ab639223
Author: Florian Westphal <fw@strlen.de>
Date: Fri Jan 4 13:17:02 2019 +0000

  xfrm: policy: delete inexact policies from inexact list on hash rebuild

Crash: KASAN: use-after-free Write in xfrm_hash_rebuild (log)
Repro: syz .config
  
Discussions (5)
Title Replies (including bot) Last reply
[PATCH 5.2 00/20] 5.2.6-stable review 32 (32) 2019/08/07 02:38
[PATCH 6/7] xfrm: policy: fix bydst hlist corruption on hash rebuild 1 (1) 2019/07/05 08:26
[PATCH ipsec] xfrm: policy: fix bydst hlist corruption on hash rebuild 2 (2) 2019/07/04 10:21
KASAN: use-after-free Write in xfrm_hash_rebuild 2 (5) 2019/07/02 06:43
Reminder: 27 open syzbot bugs in "net/xfrm" subsystem 1 (1) 2019/06/25 05:51

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:221 [inline]
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:748 [inline]
BUG: KASAN: use-after-free in hlist_del_rcu include/linux/rculist.h:455 [inline]
BUG: KASAN: use-after-free in xfrm_hash_rebuild+0xfff/0x10f0 net/xfrm/xfrm_policy.c:1318
Write of size 8 at addr ffff88808f9f1900 by task kworker/0:0/5

CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.2.0-rc6+ #41
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events xfrm_hash_rebuild
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:137
 __write_once_size include/linux/compiler.h:221 [inline]
 __hlist_del include/linux/list.h:748 [inline]
 hlist_del_rcu include/linux/rculist.h:455 [inline]
 xfrm_hash_rebuild+0xfff/0x10f0 net/xfrm/xfrm_policy.c:1318
 process_one_work+0x989/0x1790 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x354/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 8976:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc mm/kasan/common.c:489 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
 __do_kmalloc mm/slab.c:3660 [inline]
 __kmalloc+0x15c/0x740 mm/slab.c:3669
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:742 [inline]
 xfrm_hash_alloc+0xd1/0x100 net/xfrm/xfrm_hash.c:21
 xfrm_policy_init net/xfrm/xfrm_policy.c:4036 [inline]
 xfrm_net_init net/xfrm/xfrm_policy.c:4120 [inline]
 xfrm_net_init+0x227/0xa30 net/xfrm/xfrm_policy.c:4105
 ops_init+0xb3/0x410 net/core/net_namespace.c:130
 setup_net+0x2d3/0x740 net/core/net_namespace.c:316
 copy_net_ns+0x1df/0x340 net/core/net_namespace.c:439
 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:103
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:202
 ksys_unshare+0x440/0x980 kernel/fork.c:2692
 __do_sys_unshare kernel/fork.c:2760 [inline]
 __se_sys_unshare kernel/fork.c:2758 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:2758
 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8978:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3432 [inline]
 kfree+0xcf/0x220 mm/slab.c:3755
 xfrm_hash_free+0xc3/0xe0 net/xfrm/xfrm_hash.c:35
 xfrm_bydst_resize net/xfrm/xfrm_policy.c:602 [inline]
 xfrm_hash_resize+0x695/0x1600 net/xfrm/xfrm_policy.c:680
 process_one_work+0x989/0x1790 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x354/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff88808f9f1900
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff88808f9f1900, ffff88808f9f1940)
The buggy address belongs to the page:
page:ffffea00023e7c40 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002392988 ffffea0002676e08 ffff8880aa400340
raw: 0000000000000000 ffff88808f9f1000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808f9f1800: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff88808f9f1880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff88808f9f1900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                   ^
 ffff88808f9f1980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88808f9f1a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================

Crashes (8):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/06/27 06:42 upstream 249155c20f9b 7509bf36 .config console log report syz ci-upstream-kasan-gce-root
2019/06/27 06:25 upstream 249155c20f9b 7509bf36 .config console log report syz ci-upstream-kasan-gce-selinux-root
2019/06/27 04:27 upstream 249155c20f9b 7509bf36 .config console log report syz ci-upstream-kasan-gce
2019/06/27 03:58 upstream 249155c20f9b 7509bf36 .config console log report syz ci-upstream-kasan-gce-smack-root
2019/06/27 04:27 net-old ee4297420d56 7509bf36 .config console log report syz ci-upstream-net-this-kasan-gce
2019/06/27 04:25 net-next-old 177d935a1370 7509bf36 .config console log report syz ci-upstream-net-kasan-gce
2019/07/03 14:46 linux-next f9ca7f5a1eb9 55565fa0 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2019/05/10 06:53 net-next-old 601e6bcc4ef0 018207ef .config console log report ci-upstream-net-kasan-gce
* Struck through repros no longer work on HEAD.