KASAN: slab-out-of-bounds Read in bpf_skb_change

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.14	KASAN: slab-out-of-bounds Read in bpf_skb_change_proto	C		done	2	1786d	1933d	1/1	fixed on 2020/02/05 13:33
upstream	KASAN: slab-out-of-bounds Read in bpf_skb_change_proto bpf net	C			2	2358d	2358d	8/28	fixed on 2018/07/09 18:05

audit: type=1400 audit(1567424350.964:7): avc: denied { map } for pid=1769 comm="syz-executor612" path="/root/syz-executor612500582" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 audit: type=1400 audit(1567424350.964:8): avc: denied { prog_load } for pid=1769 comm="syz-executor612" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 audit: type=1400 audit(1567424351.014:9): avc: denied { prog_run } for pid=1769 comm="syz-executor612" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 ================================================================== BUG: KASAN: slab-out-of-bounds in bpf_skb_proto_xlat net/core/filter.c:2151 [inline] BUG: KASAN: slab-out-of-bounds in ____bpf_skb_change_proto net/core/filter.c:2189 [inline] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xcc2/0x1080 net/core/filter.c:2164 Read of size 2 at addr ffff8881d0836eb8 by task syz-executor612/1769 CPU: 1 PID: 1769 Comm: syz-executor612 Not tainted 4.14.141+ #40 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xca/0x134 lib/dump_stack.c:53 print_address_description+0x60/0x226 mm/kasan/report.c:187 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316 bpf_skb_proto_xlat net/core/filter.c:2151 [inline] ____bpf_skb_change_proto net/core/filter.c:2189 [inline] bpf_skb_change_proto+0xcc2/0x1080 net/core/filter.c:2164 ___bpf_prog_run+0x2478/0x5510 kernel/bpf/core.c:1086 Allocated by task 269: save_stack mm/kasan/common.c:76 [inline] set_track mm/kasan/common.c:85 [inline] __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:495 slab_post_alloc_hook mm/slab.h:439 [inline] slab_alloc_node mm/slub.c:2792 [inline] slab_alloc mm/slub.c:2800 [inline] kmem_cache_alloc+0xee/0x360 mm/slub.c:2805 prepare_creds+0x25/0x370 kernel/cred.c:255 selinux_setprocattr+0x2a3/0x870 security/selinux/hooks.c:6049 security_setprocattr+0x7a/0xb0 security/security.c:1274 proc_pid_attr_write+0x1cb/0x290 fs/proc/base.c:2590 __vfs_write+0xf9/0x5a0 fs/read_write.c:482 vfs_write+0x17f/0x4d0 fs/read_write.c:546 SYSC_write fs/read_write.c:594 [inline] SyS_write+0x102/0x250 fs/read_write.c:586 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 0xffffffffffffffff Freed by task 347: save_stack mm/kasan/common.c:76 [inline] set_track mm/kasan/common.c:85 [inline] __kasan_slab_free+0x164/0x210 mm/kasan/common.c:457 slab_free_hook mm/slub.c:1407 [inline] slab_free_freelist_hook mm/slub.c:1458 [inline] slab_free mm/slub.c:3039 [inline] kmem_cache_free+0xd7/0x3b0 mm/slub.c:3055 __rcu_reclaim kernel/rcu/rcu.h:195 [inline] rcu_do_batch kernel/rcu/tree.c:2699 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline] rcu_process_callbacks+0x59f/0xf60 kernel/rcu/tree.c:2946 __do_softirq+0x234/0x9ec kernel/softirq.c:288 The buggy address belongs to the object at ffff8881d0836e00 which belongs to the cache cred_jar of size 168 The buggy address is located 16 bytes to the right of 168-byte region [ffff8881d0836e00, ffff8881d0836ea8) The buggy address belongs to the page: page:ffffea0007420d80 count:1 mapcount:0 mapping: (null) index:0x0 flags: 0x4000000000000200(slab) raw: 4000000000000200 0000000000000000 0000000000000000 0000000100100010 raw: dead000000000100 dead000000000200 ffff8881da823c00 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881d0836d80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ffff8881d0836e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8881d0836e80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ^ ffff8881d0836f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881d0836f80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ==================================================================

Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Manager
2019/09/02 11:42	android-4.14	a9d0871a562e	db7c31ca	.config	console log	report	syz	C	ci-android-414-kasan-gce-root
2019/08/09 22:02	android-4.14	57ac921eaff1	ede31a9b	.config	console log	report	syz	C	ci-android-414-kasan-gce-root
2018/10/01 13:24	android-4.14	84ae3e35e1ce	48a50c6b	.config	console log	report	syz	C	ci-android-414-kasan-gce-root
2018/09/28 21:49	android-4.14	56aae8ee7423	137d7c66	.config	console log	report	syz		ci-android-414-kasan-gce-root
2019/11/18 06:29	android-4.14	460dc7c31cef	d5696d51	.config	console log	report			ci-android-414-kasan-gce-root
2019/10/09 13:20	android-4.14	3150b5bf7ab8	312c6a5a	.config	console log	report			ci-android-414-kasan-gce-root
2019/09/07 21:27	android-4.14	4eccd8013349	a60cb4cd	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/23 15:45	android-4.14	a3ac63b18873	24fa2ad8	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/02 19:00	android-4.14	e6fa8a2046e5	a316a2af	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/01 12:47	android-4.14	84ae3e35e1ce	48a50c6b	.config	console log	report			ci-android-414-kasan-gce-root
2018/09/28 21:37	android-4.14	56aae8ee7423	137d7c66	.config	console log	report			ci-android-414-kasan-gce-root