Title | Replies (including bot) | Last reply |
---|---|---|
KASAN: use-after-free Read in route4_get | 1 (3) | 2020/03/19 02:03 |
syzbot |
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|---|
linux-4.14 | KASAN: use-after-free Read in route4_get | syz | error | | 3 | 1648d | 1732d | 0/1 | upstream: reported syz repro on 2020/03/05 03:16 |
linux-4.19 | KASAN: use-after-free Read in route4_get (2) | C | error | | 2 | 1145d | 1176d | 0/1 | upstream: reported C repro on 2021/09/12 17:58 |
linux-4.19 | KASAN: use-after-free Read in route4_get | | | | 7 | 1713d | 1720d | 0/1 | auto-closed as invalid on 2020/07/22 04:44 |
```
==================================================================
BUG: KASAN: use-after-free in route4_get+0x3e1/0x420 net/sched/cls_route.c:235
Read of size 4 at addr ffff8880a6ad6340 by task syz-executor193/9646

CPU: 1 PID: 9646 Comm: syz-executor193 Not tainted 5.6.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:374
 __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 route4_get+0x3e1/0x420 net/sched/cls_route.c:235
 tc_new_tfilter+0x7a9/0x20b0 net/sched/cls_api.c:2082
 rtnetlink_rcv_msg+0x810/0xad0 net/core/rtnetlink.c:5427
 netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2478
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6b9/0x7d0 net/socket.c:2343
 ___sys_sendmsg+0x100/0x170 net/socket.c:2397
 __sys_sendmsg+0xec/0x1b0 net/socket.c:2430
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x44c3d9
Code: e8 7c e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b 05 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f51dd98ace8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006e8a28 RCX: 000000000044c3d9
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000007
RBP: 00000000006e8a20 R08: 0000000000000065 R09: 0000000000000000
R10: 0000000000000014 R11: 0000000000000246 R12: 00000000006e8a2c
R13: 00007fff6ce670bf R14: 00007f51dd98b9c0 R15: 20c49ba5e353f7cf

Allocated by task 9646:
 save_stack+0x1b/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:515 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
 kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 route4_change+0x2a9/0x2250 net/sched/cls_route.c:493
 tc_new_tfilter+0xa59/0x20b0 net/sched/cls_api.c:2103
 rtnetlink_rcv_msg+0x810/0xad0 net/core/rtnetlink.c:5427
 netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2478
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6b9/0x7d0 net/socket.c:2343
 ___sys_sendmsg+0x100/0x170 net/socket.c:2397
 __sys_sendmsg+0xec/0x1b0 net/socket.c:2430
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7:
 save_stack+0x1b/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:476
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x109/0x2b0 mm/slab.c:3757
 route4_delete_filter_work+0x17/0x20 net/sched/cls_route.c:266
 process_one_work+0x94b/0x1690 kernel/workqueue.c:2266
 worker_thread+0x96/0xe20 kernel/workqueue.c:2412
 kthread+0x357/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8880a6ad6300
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 64 bytes inside of
 192-byte region [ffff8880a6ad6300, ffff8880a6ad63c0)
The buggy address belongs to the page:
page:ffffea00029ab580 refcount:1 mapcount:0 mapping:ffff8880aa000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00023ceec8 ffffea00024bc688 ffff8880aa000000
raw: 0000000000000000 ffff8880a6ad6000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a6ad6200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a6ad6280: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>ffff8880a6ad6300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8880a6ad6380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880a6ad6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
```
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2020/03/19 02:02 | upstream | 5076190daded | 0a96a13c | .config | console log | report | syz | C | | | ci-upstream-kasan-gce | |
2020/03/19 03:25 | upstream | 5076190daded | 0a96a13c | .config | console log | report | syz | | | | ci-upstream-kasan-gce-386 | |
2020/04/12 01:13 | linux-next | 11ecafc691e1 | a8c6a3f8 | .config | console log | report | syz | | | | ci-upstream-linux-next-kasan-gce-root | |
2020/03/18 21:47 | upstream | 5076190daded | 0a96a13c | .config | console log | report | | | | | ci-upstream-kasan-gce-smack-root | |
2020/03/17 15:31 | upstream | fb33c6510d55 | 749688d2 | .config | console log | report | | | | | ci-upstream-kasan-gce-root | |
2020/03/12 12:06 | upstream | e6e6ec48dd0f | d850e9d0 | .config | console log | report | | | | | ci-upstream-kasan-gce-smack-root | |
2020/03/23 00:40 | net-next-old | 09984483db08 | 78267cec | .config | console log | report | | | | | ci-upstream-net-kasan-gce | |
2020/03/14 14:50 | net-next-old | 1d3435793123 | 749688d2 | .config | console log | report | | | | | ci-upstream-net-kasan-gce | |