syzbot


KASAN: slab-out-of-bounds Read in _decode_session6

Status: public: reported C repro on 2019/04/11 00:00
Reported-by: syzbot+18756312f2d82f808f44@syzkaller.appspotmail.com
First crash: 2094d, last: 2012d
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: slab-out-of-bounds Read in _decode_session6 1 1469d 1469d 0/1 auto-closed as invalid on 2020/09/13 07:38
linux-4.19 KASAN: slab-out-of-bounds Read in _decode_session6 23 884d 1539d 0/1 auto-closed as invalid on 2022/04/20 21:31
upstream KASAN: slab-out-of-bounds Read in _decode_session6 net C 35 2033d 2091d 11/26 fixed on 2018/10/30 01:28
linux-4.14 KASAN: slab-out-of-bounds Read in _decode_session6 (2) 2 746d 765d 0/1 auto-obsoleted due to no activity on 2022/09/05 20:15
linux-4.19 KASAN: slab-out-of-bounds Read in _decode_session6 (2) C error 3 472d 613d 0/1 upstream: reported C repro on 2022/09/19 04:38
upstream KASAN: slab-out-of-bounds Read in _decode_session6 (2) net C done unreliable 26 2011d 2033d 0/26 auto-obsoleted due to no activity on 2022/09/01 19:57

Sample crash report:
==================================================================
audit: type=1400 audit(1536850254.110:8): avc:  denied  { prog_load } for  pid=1791 comm="syz-executor611" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
audit: type=1400 audit(1536850254.110:9): avc:  denied  { prog_run } for  pid=1791 comm="syz-executor611" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
BUG: KASAN: slab-out-of-bounds in _decode_session6+0x124c/0x1370 net/ipv6/xfrm6_policy.c:159
Read of size 1 at addr ffff8801ca01bd87 by task syz-executor611/1791

CPU: 1 PID: 1791 Comm: syz-executor611 Not tainted 4.14.69+ #5
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x11b lib/dump_stack.c:53
 print_address_description+0x60/0x22b mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
 _decode_session6+0x124c/0x1370 net/ipv6/xfrm6_policy.c:159
 __xfrm_decode_session+0x64/0x100 net/xfrm/xfrm_policy.c:2423
 xfrm_decode_session include/net/xfrm.h:1201 [inline]
 vti6_tnl_xmit+0x31b/0x15b0 net/ipv6/ip6_vti.c:550
 __netdev_start_xmit include/linux/netdevice.h:4023 [inline]
 netdev_start_xmit include/linux/netdevice.h:4032 [inline]
 xmit_one net/core/dev.c:2987 [inline]
 dev_hard_start_xmit+0x191/0x890 net/core/dev.c:3003
 __dev_queue_xmit+0x13d9/0x1f40 net/core/dev.c:3503
 __bpf_tx_skb net/core/filter.c:1708 [inline]
 __bpf_redirect_common net/core/filter.c:1746 [inline]
 __bpf_redirect+0x5b0/0x990 net/core/filter.c:1753
 ____bpf_clone_redirect net/core/filter.c:1786 [inline]
 bpf_clone_redirect+0x1d4/0x2b0 net/core/filter.c:1758
 ___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012

Allocated by task 1791:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551
 slab_post_alloc_hook mm/slab.h:442 [inline]
 slab_alloc_node mm/slub.c:2723 [inline]
 slab_alloc mm/slub.c:2731 [inline]
 __kmalloc_track_caller+0x104/0x300 mm/slub.c:4288
 __kmalloc_reserve.isra.8+0x2f/0xc0 net/core/skbuff.c:137
 pskb_expand_head+0x117/0xb30 net/core/skbuff.c:1461
 skb_ensure_writable+0x237/0x2e0 net/core/skbuff.c:5007
 __bpf_try_make_writable net/core/filter.c:1403 [inline]
 bpf_try_make_writable net/core/filter.c:1409 [inline]
 bpf_try_make_head_writable net/core/filter.c:1417 [inline]
 ____bpf_clone_redirect net/core/filter.c:1780 [inline]
 bpf_clone_redirect+0x119/0x2b0 net/core/filter.c:1758
 ___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012

Freed by task 484:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1389 [inline]
 slab_free_freelist_hook mm/slub.c:1410 [inline]
 slab_free mm/slub.c:2966 [inline]
 kfree+0xf5/0x310 mm/slub.c:3897
 load_elf_binary+0x1c4c/0x4530 fs/binfmt_elf.c:1096
 search_binary_handler+0x13f/0x6c0 fs/exec.c:1638
 exec_binprm fs/exec.c:1680 [inline]
 do_execveat_common.isra.14+0x1109/0x1d60 fs/exec.c:1802
 do_execve fs/exec.c:1847 [inline]
 SYSC_execve fs/exec.c:1928 [inline]
 SyS_execve+0x34/0x40 fs/exec.c:1923
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8801ca01bb80
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 7 bytes to the right of
 512-byte region [ffff8801ca01bb80, ffff8801ca01bd80)
The buggy address belongs to the page:
page:ffffea0007280680 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000008100(slab|head)
raw: 4000000000008100 0000000000000000 0000000000000000 00000001800c000c
raw: 0000000000000000 0000000200000001 ffff8801da802c00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801ca01bc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801ca01bd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801ca01bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8801ca01be00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801ca01be80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (42):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/09/13 14:53 android-4.14 fc59235394b2 19e9088b .config console log report syz C ci-android-414-kasan-gce-root
2018/08/31 17:54 android-4.14 47350a9f13c6 a4718693 .config console log report syz C ci-android-414-kasan-gce-root
2018/11/20 05:27 android-4.14 4e76528bd48d 9bc2a903 .config console log report ci-android-414-kasan-gce-root
2018/11/13 08:03 android-4.14 97c308ca4091 74dbb806 .config console log report ci-android-414-kasan-gce-root
2018/11/09 21:46 android-4.14 87485dbe777b f9815aaf .config console log report ci-android-414-kasan-gce-root
2018/11/09 21:09 android-4.14 87485dbe777b f9815aaf .config console log report ci-android-414-kasan-gce-root
2018/11/07 12:24 android-4.14 d4e5dea08bbf 8bd6bd63 .config console log report ci-android-414-kasan-gce-root
2018/11/02 13:57 android-4.14 4ed22187defd 1f38e9ae .config console log report ci-android-414-kasan-gce-root
2018/10/31 17:54 android-4.14 4ed22187defd 89781090 .config console log report ci-android-414-kasan-gce-root
2018/10/21 00:25 android-4.14 c556d1ffe528 ecb386fe .config console log report ci-android-414-kasan-gce-root
2018/10/18 13:42 android-4.14 6d46bcc5a747 d257b2d2 .config console log report ci-android-414-kasan-gce-root
2018/10/18 13:41 android-4.14 6d46bcc5a747 d257b2d2 .config console log report ci-android-414-kasan-gce-root
2018/10/12 11:12 android-4.14 b7e40c3d444a ba6ddb43 .config console log report ci-android-414-kasan-gce-root
2018/10/09 02:06 android-4.14 d33692e8014d 8b311eaf .config console log report ci-android-414-kasan-gce-root
2018/10/04 05:56 android-4.14 cf748a3e868e 8b311eaf .config console log report ci-android-414-kasan-gce-root
2018/10/04 05:54 android-4.14 cf748a3e868e 8b311eaf .config console log report ci-android-414-kasan-gce-root
2018/09/23 09:05 android-4.14 666c420fa3ea 37079712 .config console log report ci-android-414-kasan-gce-root
2018/09/20 19:31 android-4.14 666c420fa3ea 6cee973c .config console log report ci-android-414-kasan-gce-root
2018/09/20 19:31 android-4.14 666c420fa3ea 6cee973c .config console log report ci-android-414-kasan-gce-root
2018/09/20 15:50 android-4.14 6b8243a1c14c 565a5452 .config console log report ci-android-414-kasan-gce-root
2018/09/13 12:39 android-4.14 fc59235394b2 19e9088b .config console log report ci-android-414-kasan-gce-root
2018/09/07 14:29 android-4.14 b859aa7d7a0c 69cfeb80 .config console log report ci-android-414-kasan-gce-root
2018/09/07 13:54 android-4.14 b859aa7d7a0c 69cfeb80 .config console log report ci-android-414-kasan-gce-root
2018/09/07 13:54 android-4.14 b859aa7d7a0c 69cfeb80 .config console log report ci-android-414-kasan-gce-root
2018/09/07 13:08 android-4.14 b859aa7d7a0c e30d3b52 .config console log report ci-android-414-kasan-gce-root
2018/09/07 03:08 android-4.14 b859aa7d7a0c e30d3b52 .config console log report ci-android-414-kasan-gce-root
2018/09/07 00:24 android-4.14 b859aa7d7a0c e30d3b52 .config console log report ci-android-414-kasan-gce-root
2018/09/06 08:46 android-4.14 b859aa7d7a0c 873745f2 .config console log report ci-android-414-kasan-gce-root
2018/09/06 08:45 android-4.14 b859aa7d7a0c 873745f2 .config console log report ci-android-414-kasan-gce-root
2018/09/05 12:32 android-4.14 36b4801b9aad 196410e4 .config console log report ci-android-414-kasan-gce-root
2018/09/05 02:59 android-4.14 e9a6a1abd019 a4718693 .config console log report ci-android-414-kasan-gce-root
2018/09/04 04:49 android-4.14 47350a9f13c6 a4718693 .config console log report ci-android-414-kasan-gce-root
2018/09/03 21:01 android-4.14 47350a9f13c6 a4718693 .config console log report ci-android-414-kasan-gce-root
2018/09/03 16:17 android-4.14 47350a9f13c6 a4718693 .config console log report ci-android-414-kasan-gce-root
2018/08/31 23:44 android-4.14 47350a9f13c6 a4718693 .config console log report ci-android-414-kasan-gce-root
2018/08/31 23:44 android-4.14 47350a9f13c6 a4718693 .config console log report ci-android-414-kasan-gce-root
2018/08/31 20:24 android-4.14 47350a9f13c6 a4718693 .config console log report ci-android-414-kasan-gce-root
2018/08/31 20:16 android-4.14 47350a9f13c6 a4718693 .config console log report ci-android-414-kasan-gce-root
2018/08/31 20:15 android-4.14 47350a9f13c6 a4718693 .config console log report ci-android-414-kasan-gce-root
2018/08/31 17:20 android-4.14 47350a9f13c6 a4718693 .config console log report ci-android-414-kasan-gce-root
2018/08/31 17:12 android-4.14 47350a9f13c6 a4718693 .config console log report ci-android-414-kasan-gce-root
2018/08/30 04:04 android-4.14 47350a9f13c6 6c7e9d3d .config console log report ci-android-414-kasan-gce-root
* Struck through repros no longer work on HEAD.