syzbot

 sign-in | mailing list | source | docs
🐞 Open [106] 🐞 Fixed [1] 🐞 Invalid [166] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in corrupted

Status: public: reported C repro on 2019/08/03 12:36
Reported-by: syzbot+631a0ad335de6bfd5116@syzkaller.appspotmail.com
First crash: 1726d, last: 1725d
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in corrupted mm C 2 2171d 2173d 8/26 fixed on 2018/07/09 18:05
linux-4.14 KASAN: use-after-free Read in corrupted syz error 1 786d 1256d 0/1 upstream: reported syz repro on 2020/11/15 10:58
upstream KASAN: use-after-free Read in corrupted (3) kernel syz done 1 1764d 1764d 12/26 fixed on 2019/08/27 17:15
upstream KASAN: use-after-free Read in corrupted (2) usb syz 1 1826d 1826d 0/26 closed as invalid on 2019/04/25 11:05
upstream KASAN: use-after-free Read in corrupted (4) C done error 10 361d 1352d 0/26 upstream: reported C repro on 2020/08/11 12:47

Sample crash report:
audit: type=1400 audit(1564931184.289:8): avc:  denied  { prog_load } for  pid=1778 comm="syz-executor912" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
audit: type=1400 audit(1564931184.319:9): avc:  denied  { prog_run } for  pid=1778 comm="syz-executor912" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
==================================================================
BUG: KASAN: use-after-free in _copy_to_user+0x9d/0xd0 lib/usercopy.c:27
Read of size 931 at addr ffff8881c33ffff3 by task syz-executor912/1778

CPU: 0 PID: 1778 Comm: syz-executor912 Not tainted 4.14.136+ #27
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xca/0x134 lib/dump_stack.c:53
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316

The buggy address belongs to the page:
page:ffffea00070cffc0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea00070cffe0 ffffea00070cffe0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881c33ffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881c33fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881c33fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                             ^
 ffff8881c3400000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881c3400080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/08/04 15:09 android-4.14 20c71e6d5a16 6affd8e8 .config console log report syz C ci-android-414-kasan-gce-root
2019/08/03 11:35 android-4.14 2ea8815046b7 6affd8e8 .config console log report syz C ci-android-414-kasan-gce-root
* Struck through repros no longer work on HEAD.