syzbot


KASAN: stack-out-of-bounds Read in xfrm_selector_match (2)

Status: public: reported C repro on 2019/04/13 00:00
Reported-by: syzbot+0a66740f17d0f2c9d881@syzkaller.appspotmail.com
First crash: 1962d, last: 1617d
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 KASAN: stack-out-of-bounds Read in xfrm_selector_match C 672 1971d 2438d 0/3 closed as invalid on 2018/11/08 02:37
upstream KASAN: stack-out-of-bounds Read in xfrm_selector_match net 368 2269d 2275d 4/26 fixed on 2018/02/13 04:59
upstream KASAN: stack-out-of-bounds Read in xfrm_selector_match (2) net 1 1287d 1284d 15/26 fixed on 2020/11/16 12:12
android-44 KASAN: stack-out-of-bounds Read in xfrm_selector_match C 36 1981d 1814d 0/2 public: reported C repro on 2019/04/11 08:44
android-414 KASAN: stack-out-of-bounds Read in xfrm_selector_match 1 1619d 1619d 0/1 auto-closed as invalid on 2020/02/19 14:26

Sample crash report:
random: crng init done
==================================================================
BUG: KASAN: stack-out-of-bounds in memcmp+0x126/0x160 lib/string.c:768
Read of size 1 at addr ffff8801c4537880 by task syz-executor300/2048

CPU: 1 PID: 2048 Comm: syz-executor300 Not tainted 4.9.135+ #65
 ffff8801c4537350 ffffffff81b42b89 ffffea0007114dc0 ffff8801c4537880
 0000000000000000 ffff8801c4537880 ffff8801c4537868 ffff8801c4537388
 ffffffff815009ad ffff8801c4537880 0000000000000001 0000000000000000
Call Trace:
 [<ffffffff81b42b89>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b42b89>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff815009ad>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff81500db7>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff81500db7>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [<ffffffff814f2f64>] __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 [<ffffffff81b5f686>] memcmp+0x126/0x160 lib/string.c:768
 [<ffffffff8263ebe0>] addr_match include/net/xfrm.h:843 [inline]
 [<ffffffff8263ebe0>] __xfrm6_selector_match net/xfrm/xfrm_policy.c:90 [inline]
 [<ffffffff8263ebe0>] xfrm_selector_match+0x6a0/0xe40 net/xfrm/xfrm_policy.c:104
 [<ffffffff8263f4c7>] xfrm_sk_policy_lookup+0x147/0x430 net/xfrm/xfrm_policy.c:1283
 [<ffffffff8263f96c>] xfrm_lookup+0x1bc/0xc00 net/xfrm/xfrm_policy.c:2242
 [<ffffffff82641249>] xfrm_lookup_route+0x39/0x140 net/xfrm/xfrm_policy.c:2379
 [<ffffffff8269376b>] ip6_dst_lookup_flow+0x17b/0x210 net/ipv6/ip6_output.c:1096
 [<ffffffff8273b9d4>] tcp_v6_connect+0xd34/0x1ad0 net/ipv6/tcp_ipv6.c:248
 [<ffffffff82593f80>] __inet_stream_connect+0x6e0/0xbf0 net/ipv4/af_inet.c:627
 [<ffffffff824e405a>] tcp_sendmsg_fastopen net/ipv4/tcp.c:1116 [inline]
 [<ffffffff824e405a>] tcp_sendmsg+0x218a/0x2fd0 net/ipv4/tcp.c:1145
 [<ffffffff82594bf3>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:770
 [<ffffffff822a030b>] sock_sendmsg_nosec net/socket.c:648 [inline]
 [<ffffffff822a030b>] sock_sendmsg+0xbb/0x110 net/socket.c:658
 [<ffffffff822a4390>] SYSC_sendto net/socket.c:1683 [inline]
 [<ffffffff822a4390>] SyS_sendto+0x220/0x370 net/socket.c:1651
 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [<ffffffff82816b93>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the page:
page:ffffea0007114dc0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c4537780: 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 00
 ffff8801c4537800: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
>ffff8801c4537880: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                   ^
 ffff8801c4537900: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00
 ffff8801c4537980: f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (13):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/11/14 14:37 https://android.googlesource.com/kernel/common android-4.9 109a48ed2f69 5f5f6d14 .config console log report syz C ci-android-49-kasan-gce-root
2018/11/14 14:08 https://android.googlesource.com/kernel/common android-4.9 109a48ed2f69 5f5f6d14 .config console log report syz C ci-android-49-kasan-gce
2019/10/24 14:37 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 d01bb02a .config console log report ci-android-49-kasan-gce
2019/01/02 09:19 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 3d85f48c .config console log report ci-android-49-kasan-gce
2018/11/22 20:05 https://android.googlesource.com/kernel/common android-4.9 c3282d18a9f4 87815d9d .config console log report ci-android-49-kasan-gce-root
2018/11/22 18:58 https://android.googlesource.com/kernel/common android-4.9 c3282d18a9f4 2ee77802 .config console log report ci-android-49-kasan-gce-root
2018/11/22 17:11 https://android.googlesource.com/kernel/common android-4.9 c3282d18a9f4 2ee77802 .config console log report ci-android-49-kasan-gce-root
2018/11/22 17:07 https://android.googlesource.com/kernel/common android-4.9 c3282d18a9f4 2ee77802 .config console log report ci-android-49-kasan-gce-root
2018/11/22 16:12 https://android.googlesource.com/kernel/common android-4.9 c3282d18a9f4 2ee77802 .config console log report ci-android-49-kasan-gce-root
2018/11/22 15:00 https://android.googlesource.com/kernel/common android-4.9 c3282d18a9f4 2ee77802 .config console log report ci-android-49-kasan-gce-root
2018/11/22 14:38 https://android.googlesource.com/kernel/common android-4.9 c3282d18a9f4 2ee77802 .config console log report ci-android-49-kasan-gce-root
2018/11/18 03:01 https://android.googlesource.com/kernel/common android-4.9 109a48ed2f69 adf636a8 .config console log report ci-android-49-kasan-gce
2018/11/14 13:45 https://android.googlesource.com/kernel/common android-4.9 109a48ed2f69 5f5f6d14 .config console log report ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.