syzbot |
sign-in | mailing list | source | docs |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.19 | KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user | C | done | 3 | 1711d | 1716d | 1/1 | fixed on 2020/04/16 05:11 | |
| upstream | KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user selinux | C | done | 1 | 1698d | 1696d | 15/28 | fixed on 2020/05/10 10:42 |
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1584907391.239:36): avc: denied { map } for pid=7333 comm="syz-executor381" path="/root/syz-executor381074400" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x1e3/0x3b0 security/selinux/xfrm.c:102
Read of size 768 at addr ffff888086059374 by task syz-executor381/7333
CPU: 0 PID: 7333 Comm: syz-executor381 Not tainted 4.14.174-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
memcpy+0x20/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
selinux_xfrm_alloc_user+0x1e3/0x3b0 security/selinux/xfrm.c:102
security_xfrm_policy_alloc+0x76/0xb0 security/security.c:1574
copy_from_user_sec_ctx net/xfrm/xfrm_user.c:1418 [inline]
xfrm_policy_construct+0x287/0x570 net/xfrm/xfrm_user.c:1583
xfrm_add_acquire+0x1f5/0x990 net/xfrm/xfrm_user.c:2218
xfrm_user_rcv_msg+0x37d/0x5f0 net/xfrm/xfrm_user.c:2613
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2621
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4405f9
RSP: 002b:00007fff85641518 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004405f9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401e80
R13: 0000000000401f10 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 7333:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3696
__kmalloc_reserve.isra.0+0x35/0xd0 net/core/skbuff.c:137
__alloc_skb+0xca/0x4c0 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:980 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1159 [inline]
netlink_sendmsg+0x7de/0xbe0 net/netlink/af_netlink.c:1853
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff888086059240
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 308 bytes inside of
1024-byte region [ffff888086059240, ffff888086059640)
The buggy address belongs to the page:
page:ffffea0002181600 count:1 mapcount:0 mapping:ffff888086058040 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff888086058040 0000000000000000 0000000100000007
raw: ffffea00029880a0 ffffea00025512a0 ffff88812fe56ac0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888086059500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888086059580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888086059600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff888086059680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff888086059700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2020/03/22 20:05 | linux-4.14.y | 01364dad1d45 | 78267cec | .config | console log | report | syz | C | ci2-linux-4-14 |