syzbot


KASAN: use-after-free Read in skb_network_protocol

Status: public: reported syz repro on 2019/04/14 08:51
Reported-by: syzbot+6fa257825cf6f87ed2db@syzkaller.appspotmail.com
First crash: 2412d, last: 2412d

Sample crash report:
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
==================================================================
BUG: KASAN: use-after-free in skb_network_protocol+0x462/0x4a0 net/core/dev.c:2519
Read of size 2 at addr ffff8801c978bb8b by task syz-executor0/4095

CPU: 1 PID: 4095 Comm: syz-executor0 Not tainted 4.4.125-g38f41ec #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 6d2f812ce534b1f1 ffff8800bb317708 ffffffff81d067bd
 ffffea000725e2c0 ffff8801c978bb8b 0000000000000000 ffff8801c978bb8b
 0000000000005865 ffff8800bb317740 ffffffff814fea83 ffff8801c978bb8b
Call Trace:
 [<ffffffff81d067bd>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d067bd>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff814fea83>] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [<ffffffff814fef95>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff814fef95>] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [<ffffffff814ff1cf>] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:439
 [<ffffffff82e5ae42>] skb_network_protocol+0x462/0x4a0 net/core/dev.c:2519
 [<ffffffff82e5bbf9>] harmonize_features net/core/dev.c:2688 [inline]
 [<ffffffff82e5bbf9>] netif_skb_features+0x369/0x6a0 net/core/dev.c:2744
 [<ffffffff82e5bf58>] validate_xmit_skb.isra.101.part.102+0x28/0x970 net/core/dev.c:2809
 [<ffffffff82e5c94e>] validate_xmit_skb net/core/dev.c:2863 [inline]
 [<ffffffff82e5c94e>] validate_xmit_skb_list+0xae/0x110 net/core/dev.c:2865
 [<ffffffff8342d345>] packet_direct_xmit+0xa5/0x4f0 net/packet/af_packet.c:260
 [<ffffffff834397d2>] packet_snd net/packet/af_packet.c:2828 [inline]
 [<ffffffff834397d2>] packet_sendmsg+0x29b2/0x47e0 net/packet/af_packet.c:2853
 [<ffffffff82df168a>] sock_sendmsg_nosec net/socket.c:625 [inline]
 [<ffffffff82df168a>] sock_sendmsg+0xca/0x110 net/socket.c:635
 [<ffffffff82df25d8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
 [<ffffffff82df4ad0>] SyS_sendto+0x40/0x50 net/socket.c:1633
 [<ffffffff81006d91>] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [<ffffffff81006d91>] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [<ffffffff8377b2aa>] sysenter_flags_fixed+0xd/0x17

The buggy address belongs to the page:
page:ffffea000725e2c0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x8000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c978ba80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c978bb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801c978bb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff8801c978bc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c978bc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (1):
Time:       2018/04/17 07:43
Kernel:     https://android.googlesource.com/kernel/common android-4.4
Commit:     38f41ec1cb31
Syzkaller:  b80fd3b5
Config:     .config
Log:        console log
Report:     report
Syz repro:  syz
Manager:    ci-android-44-kasan-gce-386