syzbot


KASAN: use-after-free Write in nf_nat_cleanup_conntrack

Status: public: reported C repro on 2019/04/12 00:00
Reported-by: syzbot+2fb7dd390046afa11ce0@syzkaller.appspotmail.com
First crash: 2300d, last: 1630d

Sample crash report:
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
==================================================================
BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:247 [inline]
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:619 [inline]
BUG: KASAN: use-after-free in hlist_del_rcu include/linux/rculist.h:342 [inline]
BUG: KASAN: use-after-free in nf_nat_cleanup_conntrack+0x1ec/0x210 net/netfilter/nf_nat_core.c:691
Write of size 8 at addr ffff8800ad887fe0 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.138-gcf21a9a #64
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 1026c8b0aa603825 ffff8801db307a38 ffffffff81e0ed0d
 ffffea0002b621c0 ffff8800ad887fe0 0000000000000001 ffff8800ad887fe0
 ffff8801da244000 ffff8801db307a70 ffffffff81515a16 ffff8800ad887fe0
Call Trace:
 <IRQ>  [<ffffffff81e0ed0d>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff81e0ed0d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81515a16>] print_address_description+0x6c/0x216 mm/kasan/report.c:252
 [<ffffffff81515d35>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff81515d35>] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
 [<ffffffff814f98c7>] __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:434
 [<ffffffff8312dcec>] __write_once_size include/linux/compiler.h:247 [inline]
 [<ffffffff8312dcec>] __hlist_del include/linux/list.h:619 [inline]
 [<ffffffff8312dcec>] hlist_del_rcu include/linux/rculist.h:342 [inline]
 [<ffffffff8312dcec>] nf_nat_cleanup_conntrack+0x1ec/0x210 net/netfilter/nf_nat_core.c:691
 [<ffffffff830f9120>] __nf_ct_ext_destroy+0x140/0x2a0 net/netfilter/nf_conntrack_extend.c:40
 [<ffffffff830d6f37>] nf_ct_ext_destroy include/net/netfilter/nf_conntrack_extend.h:80 [inline]
 [<ffffffff830d6f37>] nf_conntrack_free+0x77/0x130 net/netfilter/nf_conntrack_core.c:904
 [<ffffffff830d975a>] destroy_conntrack+0x26a/0x380 net/netfilter/nf_conntrack_core.c:365
 [<ffffffff830c1f09>] nf_conntrack_destroy+0x99/0x1a0 net/netfilter/core.c:389
 [<ffffffff82f35438>] nf_conntrack_put include/linux/skbuff.h:3364 [inline]
 [<ffffffff82f35438>] skb_release_head_state+0x158/0x210 net/core/skbuff.c:649
 [<ffffffff82f372c5>] skb_release_all+0x15/0x60 net/core/skbuff.c:659
 [<ffffffff82f37325>] __kfree_skb+0x15/0x20 net/core/skbuff.c:675
 [<ffffffff82f37427>] kfree_skb+0xf7/0x3e0 net/core/skbuff.c:696
 [<ffffffff833374d2>] frag_kfree_skb net/ipv4/inet_fragment.c:294 [inline]
 [<ffffffff833374d2>] inet_frag_destroy+0x182/0x2e0 net/ipv4/inet_fragment.c:313
 [<ffffffff83205f24>] inet_frag_put include/net/inet_frag.h:123 [inline]
 [<ffffffff83205f24>] ipq_put net/ipv4/ip_fragment.c:172 [inline]
 [<ffffffff83205f24>] ip_expire+0x154/0x770 net/ipv4/ip_fragment.c:256
 [<ffffffff81290a8c>] call_timer_fn+0x18c/0x870 kernel/time/timer.c:1185
 [<ffffffff812917b2>] __run_timers kernel/time/timer.c:1261 [inline]
 [<ffffffff812917b2>] run_timer_softirq+0x642/0xb90 kernel/time/timer.c:1444
 [<ffffffff838c5bec>] __do_softirq+0x22c/0xa1a kernel/softirq.c:273
 [<ffffffff8113f8ad>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8113f8ad>] irq_exit+0x10d/0x140 kernel/softirq.c:391
 [<ffffffff838c5351>] exiting_irq arch/x86/include/asm/apic.h:653 [inline]
 [<ffffffff838c5351>] smp_apic_timer_interrupt+0x81/0xa0 arch/x86/kernel/apic/apic.c:926
 [<ffffffff838c4290>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741
 <EOI>  [<ffffffff810cc306>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49
 [<ffffffff81025cf5>] arch_safe_halt arch/x86/include/asm/paravirt.h:117 [inline]
 [<ffffffff81025cf5>] default_idle+0x55/0x3c0 arch/x86/kernel/process.c:290
 [<ffffffff81027240>] arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:281
 [<ffffffff8121bc07>] default_idle_call+0x57/0x70 kernel/sched/idle.c:93
 [<ffffffff8121c3af>] cpuidle_idle_call kernel/sched/idle.c:157 [inline]
 [<ffffffff8121c3af>] cpu_idle_loop kernel/sched/idle.c:253 [inline]
 [<ffffffff8121c3af>] cpu_startup_entry+0x6af/0x780 kernel/sched/idle.c:301
 [<ffffffff810a9e54>] start_secondary+0x324/0x400 arch/x86/kernel/smpboot.c:242

The buggy address belongs to the page:
page:ffffea0002b621c0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8800ad887e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8800ad887f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8800ad887f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff8800ad888000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8800ad888080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

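Reading the trace: the flagged write is the `*pprev = next` store inside __hlist_del(), reached on a deferred path (the ip_expire fragment-queue timer, then kfree_skb, conntrack destruction and NAT extension cleanup), and KASAN attributes the target to a whole freed page with an all-0xff shadow and no slab cache named, which fits a bucket array rather than a small object. The report does not say what freed that array. The following userspace model is an added example, not code from the kernel, from syzbot or from this bug's fix; it reproduces that shape of bug generically: a hash table torn down while an entry still linked into it is kept alive by an outstanding reference, with a small quarantine standing in for KASAN's shadow check. Every name in it (qfree, check_write, table_free_buggy, table_free_fixed, run_scenario, struct ct, struct nat_table) is hypothetical, and the "fixed" order is one standard remedy (unlink every entry before the table goes away), not a statement about what the upstream fix did.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Intrusive hlist as in include/linux/list.h: a node's pprev points into someone else's
 * memory, either a bucket head's ->first or the previous node's ->next. */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

/* Quarantine standing in for KASAN (hypothetical helper): freed regions are poisoned with
 * 0xff (the shadow value in the report) and kept, so a late store is attributed, not lost. */
#define MAX_QUAR 8
static struct { char *base; size_t len; } quarantine[MAX_QUAR];
static int nquar, uaf_reports;          /* quarantine fill; stores that hit a freed region */

static void qfree(void *p, size_t len)
{
    memset(p, 0xff, len);
    if (nquar == MAX_QUAR) { free(p); return; }
    quarantine[nquar].base = p; quarantine[nquar].len = len; nquar++;
}
static void quarantine_release(void) { while (nquar > 0) free(quarantine[--nquar].base); }

/* Shadow check before each pointer-sized store, the role __asan_report_store8 plays. */
static void check_write(const void *p)
{
    const char *c = p;
    for (int i = 0; i < nquar; i++)
        if (c >= quarantine[i].base && c < quarantine[i].base + quarantine[i].len)
            uaf_reports++;
}

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    n->next = h->first;
    if (h->first) h->first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

/* __hlist_del() with the instrumentation made explicit; "*pprev = next" is the 8-byte
 * store the report attributes to nf_nat_cleanup_conntrack through hlist_del_rcu. */
static void __hlist_del(struct hlist_node *n)
{
    struct hlist_node *next = n->next, **pprev = n->pprev;
    check_write(pprev);
    *pprev = next;
    if (next) { check_write(&next->pprev); next->pprev = pprev; }
}

struct nat_table { struct hlist_head *buckets; unsigned nbuckets; };
struct ct { int refcnt; struct hlist_node bysource; };   /* conntrack with its NAT extension */

static struct nat_table *table_alloc(unsigned n)
{
    struct nat_table *t = calloc(1, sizeof *t);
    t->nbuckets = n; t->buckets = calloc(n, sizeof *t->buckets);
    return t;
}

/* Buggy order: the bucket array is freed while entries are still linked into it. */
static void table_free_buggy(struct nat_table *t) { qfree(t->buckets, t->nbuckets * sizeof *t->buckets); free(t); }

/* Fixed order: unlink every entry and mark it unhashed (pprev == NULL, what hlist_unhashed()
 * tests) before the array goes away, so no later destructor has anything to write into it. */
static void table_free_fixed(struct nat_table *t)
{
    for (unsigned i = 0; i < t->nbuckets; i++)
        while (t->buckets[i].first) {
            struct hlist_node *n = t->buckets[i].first;
            __hlist_del(n);
            n->next = NULL; n->pprev = NULL;
        }
    qfree(t->buckets, t->nbuckets * sizeof *t->buckets); free(t);
}

/* Deferred destructor, the model's nf_nat_cleanup_conntrack(): runs when the last reference
 * drops, which in the trace is a fragment-queue timer (ip_expire) firing much later. */
static void nat_cleanup_conntrack(struct ct *ct)
{
    if (!ct->bysource.pprev) return;    /* unhashed: nothing left to unlink */
    __hlist_del(&ct->bysource);
}
static void ct_put(struct ct *ct) { if (--ct->refcnt == 0) { nat_cleanup_conntrack(ct); free(ct); } }

/* One run: a conntrack still held by a queued skb outlives the table teardown.
 * Returns how many use-after-free stores the quarantine caught. */
static int run_scenario(int fixed)
{
    uaf_reports = 0;
    struct nat_table *t = table_alloc(4);
    struct ct *ct = calloc(1, sizeof *ct);
    ct->refcnt = 1;                                 /* the reference held by the queued skb */
    hlist_add_head(&ct->bysource, &t->buckets[1]);
    if (fixed) table_free_fixed(t); else table_free_buggy(t);
    ct_put(ct);                                     /* ip_expire -> kfree_skb -> ... -> cleanup */
    quarantine_release();
    return uaf_reports;
}
```

run_scenario(0) reports one stray store into the quarantined bucket array; run_scenario(1) reports none, because every node is already unhashed when its destructor finally runs. Under a real KASAN build the equivalent of check_write() is the shadow lookup before the store; without it, the buggy order silently corrupts whatever the allocator has since reused that page for, which is why the crash only surfaces when the timer happens to fire after teardown.
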
Crashes (1203):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/07/03 02:02 https://android.googlesource.com/kernel/common android-4.4 cf21a9ac5ee4 574780b0 .config console log report syz C ci-android-44-kasan-gce
2018/07/03 01:26 https://android.googlesource.com/kernel/common android-4.4 cf21a9ac5ee4 574780b0 .config console log report syz ci-android-44-kasan-gce-386
2019/11/19 14:46 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 5bc70212 .config console log report ci-android-44-kasan-gce
2019/11/14 01:59 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 048f2d49 .config console log report ci-android-44-kasan-gce
2019/11/13 13:12 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 048f2d49 .config console log report ci-android-44-kasan-gce
2019/10/31 16:39 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b a41ca8fa .config console log report ci-android-44-kasan-gce
2019/10/25 13:52 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b d01bb02a .config console log report ci-android-44-kasan-gce
2019/10/21 12:19 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 8c88c9c1 .config console log report ci-android-44-kasan-gce
2019/10/09 20:10 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 312c6a5a .config console log report ci-android-44-kasan-gce
2019/10/04 07:56 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b fc17ba49 .config console log report ci-android-44-kasan-gce
2019/07/26 22:46 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 3e5d1beb .config console log report ci-android-44-kasan-gce
2019/07/09 02:56 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b f62e1e85 .config console log report ci-android-44-kasan-gce
2019/04/29 00:35 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b b617407b .config console log report ci-android-44-kasan-gce
2019/04/20 08:02 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b b0e8efcb .config console log report ci-android-44-kasan-gce
2019/03/23 13:07 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 3361bde5 .config console log report ci-android-44-kasan-gce
2019/03/20 07:41 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 2458c1c6 .config console log report ci-android-44-kasan-gce
2019/03/19 20:24 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b e4549234 .config console log report ci-android-44-kasan-gce
2019/11/12 01:41 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 048f2d49 .config console log report ci-android-44-kasan-gce-386
2019/11/03 00:36 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b a41ca8fa .config console log report ci-android-44-kasan-gce-386
2019/10/31 06:44 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b a41ca8fa .config console log report ci-android-44-kasan-gce-386
2019/10/21 15:17 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b b24d2b8a .config console log report ci-android-44-kasan-gce-386
2019/10/13 12:31 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 2f661ec4 .config console log report ci-android-44-kasan-gce-386
2019/10/09 14:08 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 312c6a5a .config console log report ci-android-44-kasan-gce-386
2019/10/09 00:42 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b b1ebbfef .config console log report ci-android-44-kasan-gce-386
2019/10/07 01:19 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b f3f7d9c8 .config console log report ci-android-44-kasan-gce-386
2019/10/03 02:05 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 2e29b534 .config console log report ci-android-44-kasan-gce-386
2019/09/27 02:50 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 2f1548bc .config console log report ci-android-44-kasan-gce-386
2019/09/26 14:35 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 24d405a3 .config console log report ci-android-44-kasan-gce-386
2019/09/24 00:40 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 1e9788a0 .config console log report ci-android-44-kasan-gce-386
2019/09/03 03:35 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 14544a56 .config console log report ci-android-44-kasan-gce-386
2019/08/21 11:22 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 4ea67ff8 .config console log report ci-android-44-kasan-gce-386
2019/08/19 08:02 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b b8ceabfc .config console log report ci-android-44-kasan-gce-386
2019/08/18 08:31 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 55bf8926 .config console log report ci-android-44-kasan-gce-386
2019/08/17 13:36 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 8fd428a1 .config console log report ci-android-44-kasan-gce-386
2019/08/12 19:51 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b acb51638 .config console log report ci-android-44-kasan-gce-386
2019/07/28 09:55 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b c85e1c5b .config console log report ci-android-44-kasan-gce-386
2019/07/19 11:31 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 7bb222f7 .config console log report ci-android-44-kasan-gce-386
2019/07/04 17:54 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 55565fa0 .config console log report ci-android-44-kasan-gce-386
2019/06/29 20:00 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 7509bf36 .config console log report ci-android-44-kasan-gce-386
2019/05/31 08:40 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b d9aaf3c2 .config console log report ci-android-44-kasan-gce-386
2019/05/30 10:32 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b d9aaf3c2 .config console log report ci-android-44-kasan-gce-386
2019/05/25 05:35 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 85c57315 .config console log report ci-android-44-kasan-gce-386
2019/05/03 22:45 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b d28f4ce5 .config console log report ci-android-44-kasan-gce-386
2019/04/15 17:06 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 505ab413 .config console log report ci-android-44-kasan-gce-386
2019/04/06 05:50 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b fa763482 .config console log report ci-android-44-kasan-gce-386
2019/03/31 14:55 https://android.googlesource.com/kernel/common android-4.4 62872f952d6b 0c624d4d .config console log report ci-android-44-kasan-gce-386
* Struck through repros no longer work on HEAD.