KASAN: stack-out-of-bounds Read in xfrm_selector

Kernel	Title	Repro	Count	Last	Reported	Patched	Status
android-49	KASAN: stack-out-of-bounds Read in xfrm_selector_match	C	672	2210d	2678d	0/3	closed as invalid on 2018/11/08 02:37
upstream	KASAN: stack-out-of-bounds Read in xfrm_selector_match net		368	2508d	2515d	4/28	fixed on 2018/02/13 04:59
upstream	KASAN: stack-out-of-bounds Read in xfrm_selector_match (2) net		1	1526d	1524d	15/28	fixed on 2020/11/16 12:12
android-44	KASAN: stack-out-of-bounds Read in xfrm_selector_match	C	36	2221d	2053d	0/2	public: reported C repro on 2019/04/11 08:44
android-414	KASAN: stack-out-of-bounds Read in xfrm_selector_match		1	1859d	1859d	0/1	auto-closed as invalid on 2020/02/19 14:26

random: crng init done ================================================================== BUG: KASAN: stack-out-of-bounds in memcmp+0x126/0x160 lib/string.c:768 Read of size 1 at addr ffff8801c4537880 by task syz-executor300/2048 CPU: 1 PID: 2048 Comm: syz-executor300 Not tainted 4.9.135+ #65 ffff8801c4537350 ffffffff81b42b89 ffffea0007114dc0 ffff8801c4537880 0000000000000000 ffff8801c4537880 ffff8801c4537868 ffff8801c4537388 ffffffff815009ad ffff8801c4537880 0000000000000001 0000000000000000 Call Trace: [<ffffffff81b42b89>] __dump_stack lib/dump_stack.c:15 [inline] [<ffffffff81b42b89>] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [<ffffffff815009ad>] print_address_description+0x6c/0x234 mm/kasan/report.c:256 [<ffffffff81500db7>] kasan_report_error mm/kasan/report.c:355 [inline] [<ffffffff81500db7>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412 [<ffffffff814f2f64>] __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430 [<ffffffff81b5f686>] memcmp+0x126/0x160 lib/string.c:768 [<ffffffff8263ebe0>] addr_match include/net/xfrm.h:843 [inline] [<ffffffff8263ebe0>] __xfrm6_selector_match net/xfrm/xfrm_policy.c:90 [inline] [<ffffffff8263ebe0>] xfrm_selector_match+0x6a0/0xe40 net/xfrm/xfrm_policy.c:104 [<ffffffff8263f4c7>] xfrm_sk_policy_lookup+0x147/0x430 net/xfrm/xfrm_policy.c:1283 [<ffffffff8263f96c>] xfrm_lookup+0x1bc/0xc00 net/xfrm/xfrm_policy.c:2242 [<ffffffff82641249>] xfrm_lookup_route+0x39/0x140 net/xfrm/xfrm_policy.c:2379 [<ffffffff8269376b>] ip6_dst_lookup_flow+0x17b/0x210 net/ipv6/ip6_output.c:1096 [<ffffffff8273b9d4>] tcp_v6_connect+0xd34/0x1ad0 net/ipv6/tcp_ipv6.c:248 [<ffffffff82593f80>] __inet_stream_connect+0x6e0/0xbf0 net/ipv4/af_inet.c:627 [<ffffffff824e405a>] tcp_sendmsg_fastopen net/ipv4/tcp.c:1116 [inline] [<ffffffff824e405a>] tcp_sendmsg+0x218a/0x2fd0 net/ipv4/tcp.c:1145 [<ffffffff82594bf3>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:770 [<ffffffff822a030b>] sock_sendmsg_nosec net/socket.c:648 [inline] [<ffffffff822a030b>] sock_sendmsg+0xbb/0x110 net/socket.c:658 [<ffffffff822a4390>] SYSC_sendto net/socket.c:1683 [inline] [<ffffffff822a4390>] SyS_sendto+0x220/0x370 net/socket.c:1651 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285 [<ffffffff82816b93>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb The buggy address belongs to the page: page:ffffea0007114dc0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x4000000000000000() page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801c4537780: 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 00 ffff8801c4537800: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 >ffff8801c4537880: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff8801c4537900: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 ffff8801c4537980: f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================

Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Manager
2018/11/14 14:37	https://android.googlesource.com/kernel/common android-4.9	109a48ed2f69	5f5f6d14	.config	console log	report	syz	C	ci-android-49-kasan-gce-root
2018/11/14 14:08	https://android.googlesource.com/kernel/common android-4.9	109a48ed2f69	5f5f6d14	.config	console log	report	syz	C	ci-android-49-kasan-gce
2019/10/24 14:37	https://android.googlesource.com/kernel/common android-4.9	8fe428403e30	d01bb02a	.config	console log	report			ci-android-49-kasan-gce
2019/01/02 09:19	https://android.googlesource.com/kernel/common android-4.9	8fe428403e30	3d85f48c	.config	console log	report			ci-android-49-kasan-gce
2018/11/22 20:05	https://android.googlesource.com/kernel/common android-4.9	c3282d18a9f4	87815d9d	.config	console log	report			ci-android-49-kasan-gce-root
2018/11/22 18:58	https://android.googlesource.com/kernel/common android-4.9	c3282d18a9f4	2ee77802	.config	console log	report			ci-android-49-kasan-gce-root
2018/11/22 17:11	https://android.googlesource.com/kernel/common android-4.9	c3282d18a9f4	2ee77802	.config	console log	report			ci-android-49-kasan-gce-root
2018/11/22 17:07	https://android.googlesource.com/kernel/common android-4.9	c3282d18a9f4	2ee77802	.config	console log	report			ci-android-49-kasan-gce-root
2018/11/22 16:12	https://android.googlesource.com/kernel/common android-4.9	c3282d18a9f4	2ee77802	.config	console log	report			ci-android-49-kasan-gce-root
2018/11/22 15:00	https://android.googlesource.com/kernel/common android-4.9	c3282d18a9f4	2ee77802	.config	console log	report			ci-android-49-kasan-gce-root
2018/11/22 14:38	https://android.googlesource.com/kernel/common android-4.9	c3282d18a9f4	2ee77802	.config	console log	report			ci-android-49-kasan-gce-root
2018/11/18 03:01	https://android.googlesource.com/kernel/common android-4.9	109a48ed2f69	adf636a8	.config	console log	report			ci-android-49-kasan-gce
2018/11/14 13:45	https://android.googlesource.com/kernel/common android-4.9	109a48ed2f69	5f5f6d14	.config	console log	report			ci-android-49-kasan-gce