syzbot |
sign-in | mailing list | source | docs |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.19 | KASAN: use-after-free Read in pneigh_get_next | syz | done | 1 | 1985d | 1985d | 1/1 | fixed on 2019/12/16 09:09 | |
| upstream | KASAN: use-after-free Read in pneigh_get_next net | syz | done | 2 | 1985d | 1985d | 12/28 | fixed on 2019/07/10 21:40 |
audit: type=1400 audit(1560767694.018:9): avc: denied { dac_override } for pid=2121 comm="syz-executor.0" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.4+0x273/0x2b0 net/core/neighbour.c:2652
Read of size 8 at addr ffff8801c61b1120 by task syz-executor.0/2402
CPU: 1 PID: 2402 Comm: syz-executor.0 Not tainted 4.9.141+ #1
ffff8801c5c77250 ffffffff81b42e79 ffffea0007186c40 ffff8801c61b1120
0000000000000000 ffff8801c61b1120 ffff8801c61b1120 ffff8801c5c77288
ffffffff815009b8 ffff8801c61b1120 0000000000000008 0000000000000000
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff815009b8>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
[<ffffffff81500dc2>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff81500dc2>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
[<ffffffff814f3074>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
[<ffffffff82331e83>] pneigh_get_next.isra.4+0x273/0x2b0 net/core/neighbour.c:2652
[<ffffffff82336911>] neigh_seq_next+0xb1/0x1e0 net/core/neighbour.c:2734
[<ffffffff8158113b>] seq_read+0xa0b/0x12d0 fs/seq_file.c:270
[<ffffffff8165c00d>] proc_reg_read+0xfd/0x180 fs/proc/inode.c:203
[<ffffffff81509df5>] do_loop_readv_writev.part.1+0xd5/0x280 fs/read_write.c:718
[<ffffffff8150b49e>] do_loop_readv_writev fs/read_write.c:707 [inline]
[<ffffffff8150b49e>] do_readv_writev+0x56e/0x7b0 fs/read_write.c:873
[<ffffffff8150b764>] vfs_readv+0x84/0xc0 fs/read_write.c:897
[<ffffffff815ac2a1>] kernel_readv fs/splice.c:363 [inline]
[<ffffffff815ac2a1>] default_file_splice_read+0x451/0x7f0 fs/splice.c:435
[<ffffffff815ab39c>] do_splice_to+0x10c/0x170 fs/splice.c:899
[<ffffffff815ab63f>] splice_direct_to_actor+0x23f/0x7e0 fs/splice.c:971
[<ffffffff815abd83>] do_splice_direct+0x1a3/0x270 fs/splice.c:1080
[<ffffffff8150d780>] do_sendfile+0x4f0/0xc30 fs/read_write.c:1393
[<ffffffff8150f864>] SYSC_sendfile64 fs/read_write.c:1454 [inline]
[<ffffffff8150f864>] SyS_sendfile64+0x144/0x160 fs/read_write.c:1440
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Allocated by task 2404:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609
kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594
__kmalloc+0x12f/0x310 mm/slub.c:3741
kmalloc include/linux/slab.h:495 [inline]
pneigh_lookup+0x17d/0x3f0 net/core/neighbour.c:594
arp_req_set_public net/ipv4/arp.c:992 [inline]
arp_req_set+0x443/0x570 net/ipv4/arp.c:1008
arp_ioctl+0x32a/0x670 net/ipv4/arp.c:1203
inet_ioctl+0x90/0x1d0 net/ipv4/af_inet.c:895
sock_do_ioctl+0x6a/0xb0 net/socket.c:905
sock_ioctl+0x32d/0x3c0 net/socket.c:991
vfs_ioctl fs/ioctl.c:43 [inline]
file_ioctl fs/ioctl.c:493 [inline]
do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
SYSC_ioctl fs/ioctl.c:694 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Freed by task 2401:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kfree+0xfb/0x310 mm/slub.c:3878
pneigh_ifdown_and_unlock net/core/neighbour.c:674 [inline]
neigh_ifdown+0x1da/0x2a0 net/core/neighbour.c:258
arp_ifdown+0x1c/0x20 net/ipv4/arp.c:1249
inetdev_destroy net/ipv4/devinet.c:306 [inline]
inetdev_event+0x6f2/0x10b0 net/ipv4/devinet.c:1480
notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x55/0x70 net/core/dev.c:1647
call_netdevice_notifiers net/core/dev.c:1663 [inline]
rollback_registered_many+0x6e5/0xb50 net/core/dev.c:6860
rollback_registered+0xee/0x1b0 net/core/dev.c:6901
unregister_netdevice_queue+0x1aa/0x230 net/core/dev.c:7888
unregister_netdevice include/linux/netdevice.h:2465 [inline]
__tun_detach+0x821/0xa00 drivers/net/tun.c:575
tun_detach drivers/net/tun.c:585 [inline]
tun_chr_close+0x44/0x60 drivers/net/tun.c:2392
__fput+0x263/0x700 fs/file_table.c:208
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x10c/0x180 kernel/task_work.c:116
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x129/0x150 arch/x86/entry/common.c:162
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:263 [inline]
do_syscall_64+0x3e2/0x550 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_swapgs+0x5d/0xdb
The buggy address belongs to the object at ffff8801c61b1120
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
64-byte region [ffff8801c61b1120, ffff8801c61b1160)
The buggy address belongs to the page:
page:ffffea0007186c40 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000080(slab)
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801c61b1000: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
ffff8801c61b1080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801c61b1100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff8801c61b1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801c61b1200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2019/06/17 10:43 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | 442206d7 | .config | console log | report | syz | ci-android-49-kasan-gce | ||||
| 2019/06/15 14:27 | https://android.googlesource.com/kernel/common android-4.9 | 0c1ee05e1e72 | 442206d7 | .config | console log | report | syz | ci-android-49-kasan-gce-root | ||||
| 2019/06/15 13:57 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | 442206d7 | .config | console log | report | syz | ci-android-49-kasan-gce | ||||
| 2019/06/17 14:40 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | 442206d7 | .config | console log | report | syz | ci-android-49-kasan-gce-386 | ||||
| 2019/06/15 14:27 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | 442206d7 | .config | console log | report | syz | ci-android-49-kasan-gce-386 | ||||
| 2019/07/18 08:43 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | 7bb222f7 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2019/06/17 09:38 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | 442206d7 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2019/06/15 13:25 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | 442206d7 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2019/06/14 19:20 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | 442206d7 | .config | console log | report | ci-android-49-kasan-gce |