syzbot


KASAN: use-after-free Write in ip_check_defrag

Status: public: reported C repro on 2019/04/11 00:00
Reported-by: syzbot+5d3fd175a41000b3bdc5@syzkaller.appspotmail.com
First crash: 2100d, last: 2071d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 KASAN: use-after-free Write in ip_check_defrag C 303 2071d 2008d 0/3 public: reported C repro on 2019/04/11 08:44

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1548028813.797:7): avc:  denied  { map } for  pid=1787 comm="syz-executor815" path="/root/syz-executor815147165" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in skb_clear_hash include/linux/skbuff.h:1128 [inline]
BUG: KASAN: use-after-free in ip_check_defrag net/ipv4/ip_fragment.c:747 [inline]
BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523 net/ipv4/ip_fragment.c:712
Write of size 4 at addr ffff8881d15ff6dc by task syz-executor815/1791

CPU: 1 PID: 1791 Comm: syz-executor815 Not tainted 4.14.94+ #12
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x10e lib/dump_stack.c:53
 print_address_description+0x60/0x226 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0x88/0x2a5 mm/kasan/report.c:393

Allocated by task 1791:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
 slab_post_alloc_hook mm/slab.h:442 [inline]
 slab_alloc_node mm/slub.c:2723 [inline]
 slab_alloc mm/slub.c:2731 [inline]
 kmem_cache_alloc+0xd2/0x2d0 mm/slub.c:2736
 skb_clone+0x126/0x310 net/core/skbuff.c:1278
 skb_share_check include/linux/skbuff.h:1538 [inline]
 ip_check_defrag net/ipv4/ip_fragment.c:734 [inline]
 ip_check_defrag+0x2bc/0x523 net/ipv4/ip_fragment.c:712
 packet_rcv_fanout+0x4d1/0x5e0 net/packet/af_packet.c:1463
 deliver_skb net/core/dev.c:1881 [inline]
 dev_queue_xmit_nit+0x21a/0x960 net/core/dev.c:1937

Freed by task 1791:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1389 [inline]
 slab_free_freelist_hook mm/slub.c:1410 [inline]
 slab_free mm/slub.c:2966 [inline]
 kmem_cache_free+0xc4/0x330 mm/slub.c:2988
 kfree_skbmem net/core/skbuff.c:582 [inline]
 kfree_skbmem+0xa0/0x100 net/core/skbuff.c:576
 __kfree_skb net/core/skbuff.c:642 [inline]
 kfree_skb+0xcd/0x350 net/core/skbuff.c:659
 ip_frag_queue net/ipv4/ip_fragment.c:507 [inline]
 ip_defrag+0x5f4/0x3b50 net/ipv4/ip_fragment.c:699
 ip_check_defrag net/ipv4/ip_fragment.c:745 [inline]
 ip_check_defrag+0x39b/0x523 net/ipv4/ip_fragment.c:712
 packet_rcv_fanout+0x4d1/0x5e0 net/packet/af_packet.c:1463
 deliver_skb net/core/dev.c:1881 [inline]
 dev_queue_xmit_nit+0x21a/0x960 net/core/dev.c:1937

The buggy address belongs to the object at ffff8881d15ff640
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 156 bytes inside of
 224-byte region [ffff8881d15ff640, ffff8881d15ff720)
The buggy address belongs to the page:
page:ffffea0007457fc0 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000100(slab)
raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d15ff580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffff8881d15ff600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8881d15ff680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8881d15ff700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881d15ff780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (5184):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/01/21 00:02 android-4.14 5a76363f1262 fd37a550 .config console log report syz C ci-android-414-kasan-gce-root
2019/01/13 05:30 android-4.14 fab7352ca8d1 c3f3344c .config console log report syz C ci-android-414-kasan-gce-root
2019/01/13 02:13 android-4.14 fab7352ca8d1 c3f3344c .config console log report syz C ci-android-414-kasan-gce-root
2019/01/11 11:27 android-4.14 fab7352ca8d1 80dde172 .config console log report syz C ci-android-414-kasan-gce-root
2019/01/10 00:22 android-4.14 2aee898fff5a 45c0c1b1 .config console log report syz C ci-android-414-kasan-gce-root
2019/01/09 19:13 android-4.14 2aee898fff5a 45c0c1b1 .config console log report syz C ci-android-414-kasan-gce-root
2019/01/30 07:07 android-4.14 63d1657d00e0 aa432daf .config console log report syz ci-android-414-kasan-gce-root
2019/01/09 19:50 android-4.14 2aee898fff5a 45c0c1b1 .config console log report syz ci-android-414-kasan-gce-root
2019/02/07 09:11 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/07 08:37 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/07 07:32 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/07 06:59 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/07 05:54 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/07 04:55 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/07 03:48 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/07 03:04 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/07 01:57 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/07 01:23 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/07 00:16 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 23:16 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 22:28 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 21:24 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 20:21 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 19:24 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 18:19 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 17:14 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 16:55 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 15:53 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 14:33 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 13:27 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 12:15 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 11:23 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 10:23 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 09:39 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 08:38 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 08:31 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 07:31 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 06:28 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 06:18 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 05:18 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 04:08 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 02:49 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 02:08 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 01:06 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 23:21 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 22:12 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 21:07 android-4.14 71c835d2a50c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 20:13 android-4.14 71c835d2a50c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 19:10 android-4.14 71c835d2a50c d672172c .config console log report ci-android-414-kasan-gce-root
2019/01/09 18:24 android-4.14 2aee898fff5a 45c0c1b1 .config console log report ci-android-414-kasan-gce-root