KASAN: slab-out-of-bounds Read in _decode

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.14	KASAN: slab-out-of-bounds Read in _decode_session6				1	1650d	1650d	0/1	auto-closed as invalid on 2020/09/13 07:38
linux-4.19	KASAN: slab-out-of-bounds Read in _decode_session6				23	1065d	1720d	0/1	auto-closed as invalid on 2022/04/20 21:31
upstream	KASAN: slab-out-of-bounds Read in _decode_session6 net	C			35	2214d	2272d	11/28	fixed on 2018/10/30 01:28
linux-4.14	KASAN: slab-out-of-bounds Read in _decode_session6 (2)				2	927d	946d	0/1	auto-obsoleted due to no activity on 2022/09/05 20:15
linux-4.19	KASAN: slab-out-of-bounds Read in _decode_session6 (2)	C		error	3	653d	794d	0/1	upstream: reported C repro on 2022/09/19 04:38
upstream	KASAN: slab-out-of-bounds Read in _decode_session6 (2) net	C	done	unreliable	26	2192d	2214d	0/28	auto-obsoleted due to no activity on 2022/09/01 19:57

================================================================== audit: type=1400 audit(1536850254.110:8): avc: denied { prog_load } for pid=1791 comm="syz-executor611" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 audit: type=1400 audit(1536850254.110:9): avc: denied { prog_run } for pid=1791 comm="syz-executor611" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 BUG: KASAN: slab-out-of-bounds in _decode_session6+0x124c/0x1370 net/ipv6/xfrm6_policy.c:159 Read of size 1 at addr ffff8801ca01bd87 by task syz-executor611/1791 CPU: 1 PID: 1791 Comm: syz-executor611 Not tainted 4.14.69+ #5 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xb9/0x11b lib/dump_stack.c:53 print_address_description+0x60/0x22b mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409 _decode_session6+0x124c/0x1370 net/ipv6/xfrm6_policy.c:159 __xfrm_decode_session+0x64/0x100 net/xfrm/xfrm_policy.c:2423 xfrm_decode_session include/net/xfrm.h:1201 [inline] vti6_tnl_xmit+0x31b/0x15b0 net/ipv6/ip6_vti.c:550 __netdev_start_xmit include/linux/netdevice.h:4023 [inline] netdev_start_xmit include/linux/netdevice.h:4032 [inline] xmit_one net/core/dev.c:2987 [inline] dev_hard_start_xmit+0x191/0x890 net/core/dev.c:3003 __dev_queue_xmit+0x13d9/0x1f40 net/core/dev.c:3503 __bpf_tx_skb net/core/filter.c:1708 [inline] __bpf_redirect_common net/core/filter.c:1746 [inline] __bpf_redirect+0x5b0/0x990 net/core/filter.c:1753 ____bpf_clone_redirect net/core/filter.c:1786 [inline] bpf_clone_redirect+0x1d4/0x2b0 net/core/filter.c:1758 ___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012 Allocated by task 1791: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551 slab_post_alloc_hook mm/slab.h:442 [inline] slab_alloc_node mm/slub.c:2723 [inline] slab_alloc mm/slub.c:2731 [inline] __kmalloc_track_caller+0x104/0x300 mm/slub.c:4288 __kmalloc_reserve.isra.8+0x2f/0xc0 net/core/skbuff.c:137 pskb_expand_head+0x117/0xb30 net/core/skbuff.c:1461 skb_ensure_writable+0x237/0x2e0 net/core/skbuff.c:5007 __bpf_try_make_writable net/core/filter.c:1403 [inline] bpf_try_make_writable net/core/filter.c:1409 [inline] bpf_try_make_head_writable net/core/filter.c:1417 [inline] ____bpf_clone_redirect net/core/filter.c:1780 [inline] bpf_clone_redirect+0x119/0x2b0 net/core/filter.c:1758 ___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012 Freed by task 484: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524 slab_free_hook mm/slub.c:1389 [inline] slab_free_freelist_hook mm/slub.c:1410 [inline] slab_free mm/slub.c:2966 [inline] kfree+0xf5/0x310 mm/slub.c:3897 load_elf_binary+0x1c4c/0x4530 fs/binfmt_elf.c:1096 search_binary_handler+0x13f/0x6c0 fs/exec.c:1638 exec_binprm fs/exec.c:1680 [inline] do_execveat_common.isra.14+0x1109/0x1d60 fs/exec.c:1802 do_execve fs/exec.c:1847 [inline] SYSC_execve fs/exec.c:1928 [inline] SyS_execve+0x34/0x40 fs/exec.c:1923 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 The buggy address belongs to the object at ffff8801ca01bb80 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 7 bytes to the right of 512-byte region [ffff8801ca01bb80, ffff8801ca01bd80) The buggy address belongs to the page: page:ffffea0007280680 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0x4000000000008100(slab|head) raw: 4000000000008100 0000000000000000 0000000000000000 00000001800c000c raw: 0000000000000000 0000000200000001 ffff8801da802c00 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801ca01bc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801ca01bd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801ca01bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801ca01be00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801ca01be80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================

Crashes (42):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Manager
2018/09/13 14:53	android-4.14	fc59235394b2	19e9088b	.config	console log	report	syz	C	ci-android-414-kasan-gce-root
2018/08/31 17:54	android-4.14	47350a9f13c6	a4718693	.config	console log	report	syz	C	ci-android-414-kasan-gce-root
2018/11/20 05:27	android-4.14	4e76528bd48d	9bc2a903	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/13 08:03	android-4.14	97c308ca4091	74dbb806	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/09 21:46	android-4.14	87485dbe777b	f9815aaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/09 21:09	android-4.14	87485dbe777b	f9815aaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/07 12:24	android-4.14	d4e5dea08bbf	8bd6bd63	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/02 13:57	android-4.14	4ed22187defd	1f38e9ae	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/31 17:54	android-4.14	4ed22187defd	89781090	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/21 00:25	android-4.14	c556d1ffe528	ecb386fe	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/18 13:42	android-4.14	6d46bcc5a747	d257b2d2	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/18 13:41	android-4.14	6d46bcc5a747	d257b2d2	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/12 11:12	android-4.14	b7e40c3d444a	ba6ddb43	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/09 02:06	android-4.14	d33692e8014d	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/04 05:56	android-4.14	cf748a3e868e	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/04 05:54	android-4.14	cf748a3e868e	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/23 09:05	android-4.14	666c420fa3ea	37079712	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/20 19:31	android-4.14	666c420fa3ea	6cee973c	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/20 19:31	android-4.14	666c420fa3ea	6cee973c	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/20 15:50	android-4.14	6b8243a1c14c	565a5452	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/13 12:39	android-4.14	fc59235394b2	19e9088b	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/07 14:29	android-4.14	b859aa7d7a0c	69cfeb80	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/07 13:54	android-4.14	b859aa7d7a0c	69cfeb80	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/07 13:54	android-4.14	b859aa7d7a0c	69cfeb80	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/07 13:08	android-4.14	b859aa7d7a0c	e30d3b52	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/07 03:08	android-4.14	b859aa7d7a0c	e30d3b52	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/07 00:24	android-4.14	b859aa7d7a0c	e30d3b52	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/06 08:46	android-4.14	b859aa7d7a0c	873745f2	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/06 08:45	android-4.14	b859aa7d7a0c	873745f2	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/05 12:32	android-4.14	36b4801b9aad	196410e4	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/05 02:59	android-4.14	e9a6a1abd019	a4718693	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/04 04:49	android-4.14	47350a9f13c6	a4718693	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/03 21:01	android-4.14	47350a9f13c6	a4718693	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/03 16:17	android-4.14	47350a9f13c6	a4718693	.config	console log	report			ci-android-414-kasan-gce-root
2018/08/31 23:44	android-4.14	47350a9f13c6	a4718693	.config	console log	report			ci-android-414-kasan-gce-root
2018/08/31 23:44	android-4.14	47350a9f13c6	a4718693	.config	console log	report			ci-android-414-kasan-gce-root
2018/08/31 20:24	android-4.14	47350a9f13c6	a4718693	.config	console log	report			ci-android-414-kasan-gce-root
2018/08/31 20:16	android-4.14	47350a9f13c6	a4718693	.config	console log	report			ci-android-414-kasan-gce-root
2018/08/31 20:15	android-4.14	47350a9f13c6	a4718693	.config	console log	report			ci-android-414-kasan-gce-root
2018/08/31 17:20	android-4.14	47350a9f13c6	a4718693	.config	console log	report			ci-android-414-kasan-gce-root
2018/08/31 17:12	android-4.14	47350a9f13c6	a4718693	.config	console log	report			ci-android-414-kasan-gce-root
2018/08/30 04:04	android-4.14	47350a9f13c6	6c7e9d3d	.config	console log	report			ci-android-414-kasan-gce-root

Crashes (42):

Assets (help?)

2018/09/13 14:53

android-4.14