syzbot


KMSAN: uninit-value in __nla_validate_parse (3)

Status: fixed on 2024/03/26 19:49
Subsystems: netfilter
[Documentation on labels]
Reported-by: syzbot+3f497b07aa3baf2fb4d0@syzkaller.appspotmail.com
Fix commit: 9a0d18853c28 netlink: add nla be16/32 types to minlen array
First crash: 63d, last: 38d
Discussions (4)
Title Replies (including bot) Last reply
[PATCH net] netlink: validate length of NLA_{BE16,BE32} types 5 (5) 2024/02/26 15:31
[PATCH net] netlink: add nla be16/32 types to minlen array 3 (3) 2024/02/23 03:10
Re: [syzbot] [netfilter?] KMSAN: uninit-value in __nla_validate_parse (3) 1 (1) 2024/02/21 13:59
[syzbot] [netfilter?] KMSAN: uninit-value in __nla_validate_parse (3) 0 (1) 2024/02/20 14:31
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in __nla_validate_parse net 2 1336d 1393d 0/26 auto-closed as invalid on 2020/12/21 04:46
upstream KMSAN: uninit-value in __nla_validate_parse (2) net C 2 1198d 1194d 19/26 fixed on 2021/03/10 01:48
upstream KASAN: global-out-of-bounds Read in __nla_validate_parse net C 5 11d 12d 3/26 upstream: reported C repro on 2024/04/08 05:37
upstream KASAN: stack-out-of-bounds Write in __nla_validate_parse net C done 4 258d 273d 23/26 fixed on 2023/10/12 12:48

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline]
BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline]
BUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline]
BUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631
 nla_validate_range_unsigned lib/nlattr.c:222 [inline]
 nla_validate_int_range lib/nlattr.c:336 [inline]
 validate_nla lib/nlattr.c:575 [inline]
 __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631
 __nla_parse+0x5f/0x70 lib/nlattr.c:728
 nla_parse_deprecated include/net/netlink.h:703 [inline]
 nfnetlink_rcv_msg+0x723/0xde0 net/netfilter/nfnetlink.c:275
 netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2543
 nfnetlink_rcv+0x372/0x4950 net/netfilter/nfnetlink.c:659
 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
 netlink_unicast+0xf49/0x1250 net/netlink/af_netlink.c:1367
 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:3819 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
 __alloc_skb+0x352/0x790 net/core/skbuff.c:651
 alloc_skb include/linux/skbuff.h:1296 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1213 [inline]
 netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 1 PID: 6352 Comm: syz-executor.1 Not tainted 6.8.0-rc5-syzkaller-00297-gf2e367d6ad3b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
=====================================================

Crashes (24):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/02/25 06:30 upstream f2e367d6ad3b 8d446f15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in __nla_validate_parse
2024/02/17 17:54 upstream c1ca10ceffbb 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in __nla_validate_parse
2024/02/16 14:23 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in __nla_validate_parse
2024/02/29 20:42 upstream 805d849d7c3c 352ab904 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in __nla_validate_parse
2024/02/25 06:27 upstream f2e367d6ad3b 8d446f15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in __nla_validate_parse
2024/02/17 17:20 upstream c1ca10ceffbb 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in __nla_validate_parse
2024/03/12 23:46 bpf-next 5f20e6ab1f65 c35c26ec .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/12 14:37 bpf-next 5f20e6ab1f65 c35c26ec .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/11 23:20 net-next c2b25092864a 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/11 20:26 net-next c2b25092864a 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/11 18:15 net-next c2b25092864a 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/11 13:28 net-next c2b25092864a 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/11 06:12 net-next d7e14e534493 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/11 04:14 net-next d7e14e534493 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/10 22:05 net-next d7e14e534493 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/10 21:46 net-next d7e14e534493 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/10 15:27 net-next d7e14e534493 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/10 15:27 net-next d7e14e534493 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/10 10:55 net-next d7e14e534493 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/10 09:36 net-next d7e14e534493 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/10 08:07 net-next d7e14e534493 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/10 03:34 net-next d7e14e534493 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/09 21:30 net-next d7e14e534493 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
2024/03/09 15:43 net-next d7e14e534493 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in __nla_validate_parse
* Struck through repros no longer work on HEAD.