syzbot

 sign-in | mailing list | source | docs
🐞 Open [712] 🐞 Fixed [297] 🐞 Invalid [838] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

general protection fault in icmp_timeout_obj_to_nlattr

Status: fixed on 2019/11/28 09:46
Reported-by: syzbot+49fe421ccb70e8e92862@syzkaller.appspotmail.com
Fix commit: ab69a2304210 Revert "tipc: fix modprobe tipc failed after switch order of device registration"
First crash: 1848d, last: 1845d
Fix bisection: fixed by (bisect log) :
commit ab69a230421065b48ef93d3e6daf332e71c931dc
Author: David S. Miller <davem@davemloft.net>
Date: Fri May 17 19:15:05 2019 +0000

  Revert "tipc: fix modprobe tipc failed after switch order of device registration"

  
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in icmp_timeout_obj_to_nlattr netfilter C 13 2005d 2009d 11/26 fixed on 2018/11/12 21:25

Sample crash report:
netlink: 'syz-executor306': attribute type 2 has an invalid length.
audit: type=1400 audit(1554928203.773:38): avc:  denied  { write } for  pid=7889 comm="syz-executor306" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7889 Comm: syz-executor306 Not tainted 4.19.34 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:icmp_timeout_obj_to_nlattr+0x77/0x120 net/netfilter/nf_conntrack_proto_icmp.c:304
Code: b5 41 c7 00 f1 f1 f1 f1 c7 40 04 04 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 80 83 d4 fb 4c 89 e0 48 c1 e8 03 <42> 0f b6 14 38 4c 89 e0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 74
RSP: 0018:ffff888093d273d8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff110127a4e7b RCX: ffffffff8599425b
RDX: 0000000000000000 RSI: ffffffff8596b3c0 RDI: ffff88808feb4ac0
RBP: ffff888093d27460 R08: ffff888097086100 R09: ffff888096fcc828
R10: ffffed1012df9904 R11: ffff888096fcc820 R12: 0000000000000000
R13: ffff888093d27438 R14: ffff88808feb4ac0 R15: dffffc0000000000
FS:  000000000070e880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000280 CR3: 00000000a5f9f000 CR4: 00000000001406f0
Call Trace:
 cttimeout_default_fill_info net/netfilter/nfnetlink_cttimeout.c:424 [inline]
 cttimeout_default_get+0x69a/0xa80 net/netfilter/nfnetlink_cttimeout.c:471
 nfnetlink_rcv_msg+0xd12/0xfe0 net/netfilter/nfnetlink.c:228
 netlink_rcv_skb+0x180/0x460 net/netlink/af_netlink.c:2454
 nfnetlink_rcv+0x1c0/0x460 net/netfilter/nfnetlink.c:560
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x53c/0x720 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:632
 ___sys_sendmsg+0x806/0x930 net/socket.c:2115
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2153
 __do_sys_sendmsg net/socket.c:2162 [inline]
 __se_sys_sendmsg net/socket.c:2160 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4401e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffcad173118 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401e9
RDX: 0000000000000000 RSI: 0000000020dddfc8 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a70
R13: 0000000000401b00 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 9bcf58594e267ea9 ]---
RIP: 0010:icmp_timeout_obj_to_nlattr+0x77/0x120 net/netfilter/nf_conntrack_proto_icmp.c:304
Code: b5 41 c7 00 f1 f1 f1 f1 c7 40 04 04 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 80 83 d4 fb 4c 89 e0 48 c1 e8 03 <42> 0f b6 14 38 4c 89 e0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 74
RSP: 0018:ffff888093d273d8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff110127a4e7b RCX: ffffffff8599425b
RDX: 0000000000000000 RSI: ffffffff8596b3c0 RDI: ffff88808feb4ac0
RBP: ffff888093d27460 R08: ffff888097086100 R09: ffff888096fcc828
R10: ffffed1012df9904 R11: ffff888096fcc820 R12: 0000000000000000
R13: ffff888093d27438 R14: ffff88808feb4ac0 R15: dffffc0000000000
FS:  000000000070e880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 00000000a5f9f000 CR4: 00000000001406f0

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/04/10 20:34 linux-4.19.y 4d552acf3370 65b612b7 .config console log report syz C ci2-linux-4-19
2019/04/13 00:31 linux-4.19.y 4d552acf3370 4f421599 .config console log report ci2-linux-4-19
2019/04/10 18:43 linux-4.19.y 4d552acf3370 65b612b7 .config console log report ci2-linux-4-19
* Struck through repros no longer work on HEAD.