syzbot
general protection fault in nft_chain_parse_hook

Status: fixed on 2020/02/18 14:31
Subsystems: netfilter
Reported-by: syzbot+156a04714799b1d480bc@syzkaller.appspotmail.com
Fix commit: 826035498ec1 netfilter: nf_tables: add __nft_chain_type_get()
First crash: 1612d, last: 1597d
Cause bisection: introduced by (bisect log) :
commit 98319cb9089844d76e65a6cce5bfbd165e698735
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue Jan 9 01:48:47 2018 +0000

  netfilter: nf_tables: get rid of struct nft_af_info abstraction

Crash: general protection fault in nft_chain_parse_hook (log)
Repro: C syz .config
Discussions (6)
Title Replies (including bot) Last reply
[PATCH 4.19 00/92] 4.19.100-stable review 98 (98) 2020/01/31 13:57
[PATCH 5.4 000/104] 5.4.16-stable review 113 (113) 2020/01/29 15:36
[PATCH 0/7] Netfilter fixes for net 9 (9) 2020/01/25 20:40
[PATCH nf] netfilter: nf_tables: add __nft_chain_type_get() 1 (1) 2020/01/22 13:19
[PATCH nf] netfilter: nf_tables: check for valid chain type pointer before dereference 5 (5) 2020/01/21 14:35
general protection fault in nft_chain_parse_hook 0 (3) 2020/01/17 18:57
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 general protection fault in nft_chain_parse_hook C done 5 1599d 1611d 1/1 fixed on 2020/02/28 16:14

Sample crash report:
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 10425 Comm: syz-executor262 Not tainted 5.5.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:nft_chain_parse_hook+0x386/0xa10 net/netfilter/nf_tables_api.c:1767
Code: e8 5f 27 0e fb 41 83 fd 05 0f 87 62 05 00 00 e8 d0 25 0e fb 49 8d 7c 24 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a6 05 00 00 44 89 e9 be 01 00
RSP: 0018:ffffc90001d07100 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffffc90001d072b0 RCX: ffffffff8666cfa1
RDX: 0000000000000003 RSI: ffffffff8666cfb0 RDI: 0000000000000018
RBP: ffffc90001d071f0 R08: ffff8880a46f6140 R09: 0000000000000000
R10: fffff520003a0e2f R11: ffffc90001d0717f R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffffc90001d071c8
FS:  0000000001a8c880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005580e5f5b150 CR3: 000000008de5a000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 nf_tables_addchain.constprop.0+0x1c1/0x1520 net/netfilter/nf_tables_api.c:1888
 nf_tables_newchain+0x1033/0x1820 net/netfilter/nf_tables_api.c:2196
 nfnetlink_rcv_batch+0xf42/0x17a0 net/netfilter/nfnetlink.c:433
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline]
 nfnetlink_rcv+0x3e7/0x460 net/netfilter/nfnetlink.c:561
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:659
 ____sys_sendmsg+0x753/0x880 net/socket.c:2330
 ___sys_sendmsg+0x100/0x170 net/socket.c:2384
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2417
 __do_sys_sendmsg net/socket.c:2426 [inline]
 __se_sys_sendmsg net/socket.c:2424 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440559
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe99bd0088 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440559
RDX: 0000000004000000 RSI: 000000002000d400 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 0000000000000003 R09: 00000000004002c8
R10: 0000000000000009 R11: 0000000000000246 R12: 0000000000401de0
R13: 0000000000401e70 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 178134b50b13c7e3 ]---
RIP: 0010:nft_chain_parse_hook+0x386/0xa10 net/netfilter/nf_tables_api.c:1767
Code: e8 5f 27 0e fb 41 83 fd 05 0f 87 62 05 00 00 e8 d0 25 0e fb 49 8d 7c 24 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a6 05 00 00 44 89 e9 be 01 00
RSP: 0018:ffffc90001d07100 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffffc90001d072b0 RCX: ffffffff8666cfa1
RDX: 0000000000000003 RSI: ffffffff8666cfb0 RDI: 0000000000000018
RBP: ffffc90001d071f0 R08: ffff8880a46f6140 R09: 0000000000000000
R10: fffff520003a0e2f R11: ffffc90001d0717f R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffffc90001d071c8
FS:  0000000001a8c880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005580e5f5b150 CR3: 000000008de5a000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (48):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/01/16 21:37 upstream f5ae2ea6347a 3de7aabb .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/01/16 21:05 upstream f5ae2ea6347a 3de7aabb .config console log report syz C ci-upstream-kasan-gce-root
2020/01/16 18:36 upstream f5ae2ea6347a 3de7aabb .config console log report syz C ci-upstream-kasan-gce
2020/01/16 18:28 upstream f5ae2ea6347a 3de7aabb .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/01/16 18:02 upstream f5ae2ea6347a 3de7aabb .config console log report syz C ci-upstream-kasan-gce-386
2020/01/16 18:30 net-old 567110f147b3 3de7aabb .config console log report syz C ci-upstream-net-this-kasan-gce
2020/01/16 18:39 net-next-old 1ccf6c13d9c7 3de7aabb .config console log report syz C ci-upstream-net-kasan-gce
2020/01/19 12:27 linux-next 2747d5fdab78 bc8bc756 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/01/25 23:07 upstream d5d359b0ac3f 2e95ab33 .config console log report ci-upstream-kasan-gce-smack-root
2020/01/25 07:29 upstream 6381b442836e 2e95ab33 .config console log report ci-upstream-kasan-gce-smack-root
2020/01/25 07:14 upstream 6381b442836e 2e95ab33 .config console log report ci-upstream-kasan-gce
2020/01/24 00:21 upstream 4703d9119972 2e95ab33 .config console log report ci-upstream-kasan-gce
2020/01/21 10:32 upstream d96d875ef5dd 8eda0b95 .config console log report ci-upstream-kasan-gce-root
2020/01/21 10:30 upstream d96d875ef5dd 8eda0b95 .config console log report ci-upstream-kasan-gce-selinux-root
2020/01/21 10:02 upstream d96d875ef5dd 8eda0b95 .config console log report ci-upstream-kasan-gce-smack-root
2020/01/20 20:59 upstream def9d2780727 d2557fb5 .config console log report ci-upstream-kasan-gce-root
2020/01/20 20:42 upstream def9d2780727 d2557fb5 .config console log report ci-upstream-kasan-gce
2020/01/20 18:17 upstream def9d2780727 d2557fb5 .config console log report ci-upstream-kasan-gce
2020/01/20 10:01 upstream def9d2780727 0342f8c7 .config console log report ci-upstream-kasan-gce
2020/01/19 16:56 upstream 8f8972a3127f 0342f8c7 .config console log report ci-upstream-kasan-gce-root
2020/01/18 00:44 upstream ab7541c3addd 3de7aabb .config console log report ci-upstream-kasan-gce-root
2020/01/17 21:33 upstream ab7541c3addd 3de7aabb .config console log report ci-upstream-kasan-gce
2020/01/17 20:45 upstream ab7541c3addd 3de7aabb .config console log report ci-upstream-kasan-gce-smack-root
2020/01/17 19:22 upstream f4353c3e2aaf 3de7aabb .config console log report ci-upstream-kasan-gce-smack-root
2020/01/17 19:03 upstream f4353c3e2aaf 3de7aabb .config console log report ci-upstream-kasan-gce-smack-root
2020/01/17 19:02 upstream f4353c3e2aaf 3de7aabb .config console log report ci-upstream-kasan-gce-selinux-root
2020/01/17 13:34 upstream f4353c3e2aaf 3de7aabb .config console log report ci-upstream-kasan-gce-root
2020/01/16 19:26 upstream f5ae2ea6347a 3de7aabb .config console log report ci-upstream-kasan-gce-selinux-root
2020/01/15 22:55 upstream 51d69817519f f9b69507 .config console log report ci-upstream-kasan-gce-selinux-root
2020/01/24 12:01 upstream 4703d9119972 2e95ab33 .config console log report ci-upstream-kasan-gce-386
2020/01/16 17:01 upstream f5ae2ea6347a 3de7aabb .config console log report ci-upstream-kasan-gce-386
2020/01/25 07:06 net-old 623c8d5c74c6 2e95ab33 .config console log report ci-upstream-net-this-kasan-gce
2020/01/23 07:26 net-old 5311a69aaca3 3334d684 .config console log report ci-upstream-net-this-kasan-gce
2020/01/20 20:58 net-old 7008ee121089 d2557fb5 .config console log report ci-upstream-net-this-kasan-gce
2020/01/20 16:44 net-old 7008ee121089 d2557fb5 .config console log report ci-upstream-net-this-kasan-gce
2020/01/18 21:18 net-old e02d9c4c68dc 3de7aabb .config console log report ci-upstream-net-this-kasan-gce
2020/01/25 07:05 net-next-old 08a45c59f16e 2e95ab33 .config console log report ci-upstream-net-kasan-gce
2020/01/20 17:55 net-next-old b3f7e3f23a76 d2557fb5 .config console log report ci-upstream-net-kasan-gce
2020/01/20 09:43 net-next-old b3f7e3f23a76 0342f8c7 .config console log report ci-upstream-net-kasan-gce
2020/01/18 18:45 net-next-old 9aaa29494030 3de7aabb .config console log report ci-upstream-net-kasan-gce
2020/01/17 13:22 net-next-old 6bc803803526 3de7aabb .config console log report ci-upstream-net-kasan-gce
2020/01/15 18:01 net-next-old 4e2fa6b90275 f9b69507 .config console log report ci-upstream-net-kasan-gce
2020/01/30 16:39 linux-next 2747d5fdab78 5ed23f9a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/01/30 02:03 linux-next 2747d5fdab78 5ed23f9a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/01/29 00:09 linux-next 2747d5fdab78 c8e81ce4 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/01/27 17:49 linux-next 2747d5fdab78 dd56146d .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.