syzbot

KASAN: slab-out-of-bounds Read in tun_net_xmit

Status: public: reported C repro on 2019/04/10 16:04
Reported-by: syzbot+159d91b9d655a16c32cb@syzkaller.appspotmail.com
First crash: 2204d, last: 2143d
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in tun_net_xmit net 2 2600d 2590d 0/28 closed as invalid on 2017/12/06 12:46
android-49 KASAN: slab-out-of-bounds Read in tun_net_xmit syz 3386 1814d 2048d 0/3 public: reported syz repro on 2019/04/14 09:28
upstream KASAN: slab-out-of-bounds Read in tun_net_xmit (2) net C 10 2152d 2320d 11/28 fixed on 2019/01/15 20:25

Sample crash report:
urandom_read: 1 callbacks suppressed
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1546193831.052:8): avc:  denied  { map } for  pid=1783 comm="syz-executor910" path="/root/syz-executor910660043" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in __ptr_ring_produce include/linux/ptr_ring.h:109 [inline]
BUG: KASAN: slab-out-of-bounds in ptr_ring_produce include/linux/ptr_ring.h:132 [inline]
BUG: KASAN: slab-out-of-bounds in skb_array_produce include/linux/skb_array.h:48 [inline]
BUG: KASAN: slab-out-of-bounds in tun_net_xmit+0xf18/0x1010 drivers/net/tun.c:916
Read of size 8 at addr ffff8881c6efa650 by task syz-executor910/1786

CPU: 1 PID: 1786 Comm: syz-executor910 Not tainted 4.14.91+ #30
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x11b lib/dump_stack.c:53
 print_address_description+0x60/0x22b mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
 __ptr_ring_produce include/linux/ptr_ring.h:109 [inline]
 ptr_ring_produce include/linux/ptr_ring.h:132 [inline]
 skb_array_produce include/linux/skb_array.h:48 [inline]
 tun_net_xmit+0xf18/0x1010 drivers/net/tun.c:916
 __netdev_start_xmit include/linux/netdevice.h:4030 [inline]
 netdev_start_xmit include/linux/netdevice.h:4039 [inline]
 xmit_one net/core/dev.c:3009 [inline]
 dev_hard_start_xmit+0x191/0x890 net/core/dev.c:3025
 sch_direct_xmit+0x280/0x520 net/sched/sch_generic.c:186
 __dev_xmit_skb net/core/dev.c:3218 [inline]
 __dev_queue_xmit+0x16fd/0x1f40 net/core/dev.c:3493
 neigh_hh_output include/net/neighbour.h:490 [inline]
 neigh_output include/net/neighbour.h:498 [inline]
 ip6_finish_output2+0x1136/0x1f90 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x62e/0xb10 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip6_output+0x1dd/0x680 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:459 [inline]
 ip6_local_out+0x94/0x170 net/ipv6/output_core.c:176
 ip6_send_skb+0x98/0x2e0 net/ipv6/ip6_output.c:1686
 udp_v6_send_skb+0x4e3/0xe70 net/ipv6/udp.c:1081
 udpv6_sendmsg+0x1f07/0x2510 net/ipv6/udp.c:1353
 inet_sendmsg+0x168/0x540 net/ipv4/af_inet.c:781
 sock_sendmsg_nosec net/socket.c:645 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:655
 SYSC_sendto net/socket.c:1762 [inline]
 SyS_sendto+0x211/0x340 net/socket.c:1730
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441ba9
RSP: 002b:00007ffeef0893f8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441ba9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000008470 R08: 00000000200001c0 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000402990 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 1785:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551
 __kmalloc+0x153/0x340 mm/slub.c:3760
 __kmalloc_node include/linux/slab.h:356 [inline]
 kmalloc_node include/linux/slab.h:530 [inline]
 kvmalloc_node+0x42/0xd0 mm/util.c:397
 kvmalloc include/linux/mm.h:531 [inline]
 kvmalloc_array include/linux/mm.h:547 [inline]
 __ptr_ring_init_queue_alloc include/linux/ptr_ring.h:455 [inline]
 ptr_ring_resize_multiple include/linux/ptr_ring.h:613 [inline]
 skb_array_resize_multiple include/linux/skb_array.h:200 [inline]
 tun_queue_resize drivers/net/tun.c:2815 [inline]
 tun_device_event+0x450/0xc50 drivers/net/tun.c:2833
 notifier_call_chain+0x114/0x1b0 kernel/notifier.c:93
 call_netdevice_notifiers+0x6e/0xa0 net/core/dev.c:1687
 dev_ifsioc+0x735/0x840 net/core/dev_ioctl.c:311
 dev_ioctl+0x25f/0xce0 net/core/dev_ioctl.c:566
 sock_do_ioctl+0x92/0xb0 net/socket.c:980
 sock_ioctl+0x263/0x430 net/socket.c:1070
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8881c6efa648
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of
 8-byte region [ffff8881c6efa648, ffff8881c6efa650)
The buggy address belongs to the page:
page:ffffea00071bbe80 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000100(slab)
raw: 4000000000000100 0000000000000000 0000000000000000 0000000180aa00aa
raw: dead000000000100 dead000000000200 ffff8881da803c00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881c6efa500: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
 ffff8881c6efa580: fc fb fc fc fb fc fc fb fc fc fb fc fc 00 fc fc
>ffff8881c6efa600: 00 fc fc fb fc fc fb fc fc 00 fc fc fc fc fc fc
                                                 ^
 ffff8881c6efa680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c6efa700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (3):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2018/12/30 18:19 | android-4.14 | 7d2d5fc1acda | 9942de5f | .config | console log | report | syz | C | | | ci-android-414-kasan-gce-root |
2019/01/09 01:25 | android-4.14 | 3c207c880674 | 010ed08b | .config | console log | report | | | | | ci-android-414-kasan-gce-root |
2018/11/09 00:27 | android-4.14 | 6c95b90db52b | e85d2a61 | .config | console log | report | | | | | ci-android-414-kasan-gce-root |
* Struck through repros no longer work on HEAD.