syzbot


KASAN: use-after-free Read in tls_write_space

Status: upstream: reported C repro on 2019/04/26 18:51
Reported-by: syzbot+3bf555e71f18e95ca90e@syzkaller.appspotmail.com
First crash: 1798d, last: 645d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in tls_write_space net C 924 1698d 2093d 0/26 closed as dup on 2019/08/19 21:22
linux-4.19 KASAN: use-after-free Read in tls_write_space C done 25 1185d 1810d 1/1 fixed on 2021/01/29 07:30
Last patch testing requests (6)
Created Duration User Patch Repo Result
2023/03/01 19:32 21m retest repro linux-4.14.y report log
2023/03/01 18:32 11m retest repro linux-4.14.y report log
2023/03/01 17:32 12m retest repro linux-4.14.y report log
2022/11/10 21:30 10m retest repro linux-4.14.y report log
2022/11/10 20:30 10m retest repro linux-4.14.y report log
2022/11/10 19:30 10m retest repro linux-4.14.y report log
Fix bisection attempts (17)
Created Duration User Patch Repo Result
2022/03/14 22:13 0m bisect fix linux-4.14.y error job log (0)
2022/02/12 21:15 41m bisect fix linux-4.14.y job log (0) log
2022/01/13 20:34 40m bisect fix linux-4.14.y job log (0) log
2021/12/14 20:02 32m bisect fix linux-4.14.y job log (0) log
2021/11/14 19:26 35m bisect fix linux-4.14.y job log (0) log
2021/10/15 18:54 32m bisect fix linux-4.14.y job log (0) log
2021/09/15 18:23 30m bisect fix linux-4.14.y job log (0) log
2021/08/16 17:44 38m bisect fix linux-4.14.y job log (0) log
2021/07/17 17:07 37m bisect fix linux-4.14.y job log (0) log
2021/06/17 16:25 30m bisect fix linux-4.14.y job log (0) log
2021/04/09 06:50 38m bisect fix linux-4.14.y job log (0) log
2021/02/22 06:21 38m bisect fix linux-4.14.y job log (0) log
2021/02/18 15:42 19m bisect fix linux-4.14.y error job log (0)
2021/02/12 10:22 1m bisect fix linux-4.14.y error job log (0)
2021/01/13 09:42 39m bisect fix linux-4.14.y job log (0) log
2020/12/14 09:04 38m bisect fix linux-4.14.y job log (0) log
2020/11/14 08:26 37m bisect fix linux-4.14.y job log (0) log

Sample crash report:
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000007
RBP: 00007fbe3814d194 R08: 0000000000000001 R09: 0000000000000034
R10: 0000800100022007 R11: 0000000000000246 R12: 00007fbe3818050c
R13: 00007fbe380662f0 R14: 00007fbe38180508 R15: 0000000000000001
==================================================================
BUG: KASAN: use-after-free in tls_write_space+0x238/0x2d0 net/tls/tls_main.c:222
Read of size 1 at addr ffff8880a1c6dd70 by task syz-executor323/7972

CPU: 1 PID: 7972 Comm: syz-executor323 Not tainted 4.14.284-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load1_noabort+0x68/0x70 mm/kasan/report.c:427
 tls_write_space+0x238/0x2d0 net/tls/tls_main.c:222
 tcp_new_space net/ipv4/tcp_input.c:5117 [inline]
 tcp_check_space.part.0+0x2ef/0x590 net/ipv4/tcp_input.c:5138
 tcp_check_space+0xa6/0xd0 net/ipv4/tcp_input.c:5143
 tcp_write_xmit+0x661/0x53c0 net/ipv4/tcp_output.c:2403
 __tcp_push_pending_frames+0xa0/0x2d0 net/ipv4/tcp_output.c:2582
 tcp_send_fin+0x16d/0xc00 net/ipv4/tcp_output.c:3134
 tcp_close+0x979/0xed0 net/ipv4/tcp.c:2225
 tls_sk_proto_close+0x584/0x8b0 net/tls/tls_main.c:295
 inet_release+0xdf/0x1b0 net/ipv4/af_inet.c:425
 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:450
 __sock_release+0xcd/0x2b0 net/socket.c:602
 sock_close+0x15/0x20 net/socket.c:1139
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa44/0x2850 kernel/exit.c:868
 do_group_exit+0x100/0x2e0 kernel/exit.c:965
 get_signal+0x38d/0x1ca0 kernel/signal.c:2412
 do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792
 exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fbe380f6e99
RSP: 002b:00007fbe380a82e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 00000000006d0000 RBX: 00007fbe381804e0 RCX: 00007fbe380f6e99
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000003
RBP: 00007fbe3814d194 R08: 0000000000000000 R09: 0000000000000000
R10: 00008080fffffffe R11: 0000000000000246 R12: 00007fbe381804ec
R13: 00007fbe380a82f0 R14: 00007fbe381804e8 R15: 0000000000022000

Allocated by task 7973:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
 kmalloc include/linux/slab.h:488 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 tls_init+0xb1/0x4e0 net/tls/tls_main.c:518
 tcp_set_ulp+0x18f/0x4c0 net/ipv4/tcp_ulp.c:127
 do_tcp_setsockopt.constprop.0+0x1f6/0x1c10 net/ipv4/tcp.c:2549
 tcp_setsockopt net/ipv4/tcp.c:2832 [inline]
 tcp_setsockopt+0xa7/0xc0 net/ipv4/tcp.c:2824
 SYSC_setsockopt net/socket.c:1865 [inline]
 SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 7972:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 tls_ctx_free net/tls/tls_main.c:252 [inline]
 tls_ctx_free net/tls/tls_main.c:246 [inline]
 tls_sk_proto_close+0x568/0x8b0 net/tls/tls_main.c:290
 inet_release+0xdf/0x1b0 net/ipv4/af_inet.c:425
 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:450
 __sock_release+0xcd/0x2b0 net/socket.c:602
 sock_close+0x15/0x20 net/socket.c:1139
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa44/0x2850 kernel/exit.c:868
 do_group_exit+0x100/0x2e0 kernel/exit.c:965
 get_signal+0x38d/0x1ca0 kernel/signal.c:2412
 do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792
 exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff8880a1c6dd00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 112 bytes inside of
 192-byte region [ffff8880a1c6dd00, ffff8880a1c6ddc0)
The buggy address belongs to the page:
page:ffffea0002871b40 count:1 mapcount:0 mapping:ffff8880a1c6d000 index:0xffff8880a1c6d500
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880a1c6d000 ffff8880a1c6d500 000000010000000a
raw: ffffea0002861520 ffffea0002912de0 ffff88813fe74040 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a1c6dc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a1c6dc80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a1c6dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8880a1c6dd80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880a1c6de00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (283):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/06/23 08:41 linux-4.14.y 84bae26850e3 912f5df7 .config console log report syz C ci2-linux-4-14 KASAN: use-after-free Read in tls_write_space
2019/11/04 03:22 linux-4.14.y ddef1e8e3f6e b35fad31 .config console log report syz C ci2-linux-4-14
2019/10/10 17:21 linux-4.14.y 42327896f194 d52eff28 .config console log report syz C ci2-linux-4-14
2021/05/18 16:25 linux-4.14.y 7d7d1c0ab3eb a343ba6b .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in tls_write_space
2021/05/15 06:08 linux-4.14.y 7d7d1c0ab3eb 8bdd5343 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in tls_write_space
2021/05/05 13:39 linux-4.14.y 7d7d1c0ab3eb 06c27ff5 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in tls_write_space
2021/05/02 19:36 linux-4.14.y 7d7d1c0ab3eb 77e2b668 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in tls_write_space
2021/03/10 06:50 linux-4.14.y 1d177c0872ab 26967e35 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in tls_write_space
2021/03/10 03:57 linux-4.14.y 1d177c0872ab 26967e35 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in tls_write_space
2020/10/15 08:26 linux-4.14.y cbfa1702aaf6 63869021 .config console log report info ci2-linux-4-14
2020/10/12 12:00 linux-4.14.y cbfa1702aaf6 4a77ae0b .config console log report info ci2-linux-4-14
2020/10/12 10:58 linux-4.14.y cbfa1702aaf6 4a77ae0b .config console log report info ci2-linux-4-14
2020/10/02 15:43 linux-4.14.y cbfa1702aaf6 062c9832 .config console log report info ci2-linux-4-14
2020/09/30 08:12 linux-4.14.y cbfa1702aaf6 8516f6d3 .config console log report info ci2-linux-4-14
2020/09/07 21:38 linux-4.14.y 2f166cdcf8a9 abf9ba4f .config console log report ci2-linux-4-14
2020/09/05 11:25 linux-4.14.y 2f166cdcf8a9 abf9ba4f .config console log report ci2-linux-4-14
2020/09/05 03:56 linux-4.14.y 2f166cdcf8a9 abf9ba4f .config console log report ci2-linux-4-14
2020/09/01 05:02 linux-4.14.y d7e78d08fa77 d5a3ae1f .config console log report ci2-linux-4-14
2020/08/30 05:16 linux-4.14.y d7e78d08fa77 d5a3ae1f .config console log report ci2-linux-4-14
2020/08/27 22:15 linux-4.14.y d7e78d08fa77 816e0689 .config console log report ci2-linux-4-14
2020/08/26 04:58 linux-4.14.y 6a24ca2506d6 344da168 .config console log report ci2-linux-4-14
2020/08/25 16:01 linux-4.14.y 6a24ca2506d6 344da168 .config console log report ci2-linux-4-14
2020/08/25 10:19 linux-4.14.y 6a24ca2506d6 344da168 .config console log report ci2-linux-4-14
2020/08/22 04:03 linux-4.14.y 6a24ca2506d6 6436ce4b .config console log report ci2-linux-4-14
2020/08/06 10:05 linux-4.14.y ca4f2c56d416 4ca1c0ea .config console log report ci2-linux-4-14
2020/08/04 21:24 linux-4.14.y 7f2c5eb458b8 02034dac .config console log report ci2-linux-4-14
2020/08/01 11:28 linux-4.14.y 7f2c5eb458b8 8df85ed9 .config console log report ci2-linux-4-14
2020/07/31 15:22 linux-4.14.y 7f2c5eb458b8 8df85ed9 .config console log report ci2-linux-4-14
2020/07/29 15:12 linux-4.14.y e5a54aa2d312 19a8de55 .config console log report ci2-linux-4-14
2020/07/27 18:16 linux-4.14.y 69b94dd6dcd1 cb93dc6a .config console log report ci2-linux-4-14
2020/07/27 06:20 linux-4.14.y 69b94dd6dcd1 cb93dc6a .config console log report ci2-linux-4-14
2020/07/25 10:55 linux-4.14.y 69b94dd6dcd1 1f7cc1ca .config console log report ci2-linux-4-14
2020/07/24 22:45 linux-4.14.y 69b94dd6dcd1 0a13649c .config console log report ci2-linux-4-14
2020/07/24 09:33 linux-4.14.y 69b94dd6dcd1 70c104a1 .config console log report ci2-linux-4-14
2020/07/22 02:50 linux-4.14.y b850307b279c 21f1765e .config console log report ci2-linux-4-14
2020/07/21 22:47 linux-4.14.y b850307b279c e562dd8a .config console log report ci2-linux-4-14
2020/07/15 17:51 linux-4.14.y b850307b279c ada108d0 .config console log report ci2-linux-4-14
2020/07/13 21:10 linux-4.14.y b850307b279c ce4c95b3 .config console log report ci2-linux-4-14
2020/06/22 15:44 linux-4.14.y b850307b279c 1afe1535 .config console log report ci2-linux-4-14
2020/06/21 23:20 linux-4.14.y b850307b279c 4f2acff9 .config console log report ci2-linux-4-14
2020/06/21 03:38 linux-4.14.y b850307b279c c655ec77 .config console log report ci2-linux-4-14
2020/06/19 15:06 linux-4.14.y b850307b279c 123cf502 .config console log report ci2-linux-4-14
2020/06/19 03:24 linux-4.14.y b850307b279c bc258b50 .config console log report ci2-linux-4-14
2020/06/17 18:13 linux-4.14.y b850307b279c b6c46f43 .config console log report ci2-linux-4-14
2020/06/16 03:27 linux-4.14.y b850307b279c baca2611 .config console log report ci2-linux-4-14
2020/06/16 01:51 linux-4.14.y b850307b279c baca2611 .config console log report ci2-linux-4-14
2020/06/14 03:19 linux-4.14.y b850307b279c a61674a5 .config console log report ci2-linux-4-14
2019/04/26 17:50 linux-4.14.y 68d7a45eec10 b617407b .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.