syzbot


KASAN: slab-out-of-bounds Read in string

Status: public: reported C repro on 2019/04/13 00:00
Reported-by: syzbot+73f69d5e72ddfb632a22@syzkaller.appspotmail.com
First crash: 2295d, last: 2293d
Similar bugs (3)
Kernel   | Title                                        | Subsystems | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
upstream | KASAN: slab-out-of-bounds Read in string (3) | usb media  | syz   |              |            | 3     | 1834d | 1834d    | 0/26    | closed as invalid on 2019/05/03 14:05
upstream | KASAN: slab-out-of-bounds Read in string (2) | overlayfs  |       |              |            | 14    | 2042d | 2048d    | 11/26   | fixed on 2018/10/11 14:33
upstream | KASAN: slab-out-of-bounds Read in string     | kernel     | C     |              |            | 129   | 2285d | 2295d    | 4/26    | fixed on 2018/02/14 17:52

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in string+0x1e8/0x200 lib/vsprintf.c:592
Read of size 1 at addr ffff8801c8ea9350 by task syzkaller453322/3332

CPU: 1 PID: 3332 Comm: syzkaller453322 Not tainted 4.9.78-ge9dabe6 #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c16f7740 ffffffff81d943a9 ffffea000723aa40 ffff8801c8ea9350
 0000000000000000 ffff8801c8ea9350 ffff8801c16f799c ffff8801c16f7778
 ffffffff8153dc23 ffff8801c8ea9350 0000000000000001 0000000000000000
Call Trace:
 [<ffffffff81d943a9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d943a9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153dc23>] print_address_description+0x73/0x280 mm/kasan/report.c:252
 [<ffffffff8153e145>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8153e145>] kasan_report+0x275/0x360 mm/kasan/report.c:408
 [<ffffffff8153e244>] __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:426
 [<ffffffff81db6388>] string+0x1e8/0x200 lib/vsprintf.c:592
 [<ffffffff81dbf31d>] vsnprintf+0x7ad/0x16d0 lib/vsprintf.c:2044
 [<ffffffff8117a65f>] __request_module+0x14f/0x750 kernel/kmod.c:146
 [<ffffffff8313beeb>] xt_request_find_target+0x8b/0xb0 net/netfilter/x_tables.c:256
 [<ffffffff8338465a>] find_check_entry net/ipv4/netfilter/ip_tables.c:567 [inline]
 [<ffffffff8338465a>] translate_table+0x177a/0x1e30 net/ipv4/netfilter/ip_tables.c:745
 [<ffffffff810002b8>] ? 0xffffffff810002b8
 [<ffffffff83386eee>] do_replace net/ipv4/netfilter/ip_tables.c:1151 [inline]
 [<ffffffff83386eee>] do_ipt_set_ctl+0x2be/0x470 net/ipv4/netfilter/ip_tables.c:1687
 [<ffffffff830a1a67>] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [<ffffffff830a1a67>] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [<ffffffff83211b81>] ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1248
 [<ffffffff832bf075>] udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2083
 [<ffffffff82ede275>] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
 [<ffffffff82edb230>] SYSC_setsockopt net/socket.c:1772 [inline]
 [<ffffffff82edb230>] SyS_setsockopt+0x160/0x250 net/socket.c:1751
 [<ffffffff838b2c6e>] entry_SYSCALL_64_fastpath+0x29/0xe8

Allocated by task 3332:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 xt_alloc_table_info+0x71/0x100 net/netfilter/x_tables.c:959
 do_replace net/ipv4/netfilter/ip_tables.c:1140 [inline]
 do_ipt_set_ctl+0x242/0x470 net/ipv4/netfilter/ip_tables.c:1687
 nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1248
 udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2083
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
 SYSC_setsockopt net/socket.c:1772 [inline]
 SyS_setsockopt+0x160/0x250 net/socket.c:1751
 entry_SYSCALL_64_fastpath+0x29/0xe8

Freed by task 1915:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0x103/0x300 mm/slub.c:3878
 free_bprm+0x19d/0x200 fs/exec.c:1395
 do_execveat_common.isra.37+0x17df/0x1f10 fs/exec.c:1795
 do_execve fs/exec.c:1830 [inline]
 SYSC_execve fs/exec.c:1911 [inline]
 SyS_execve+0x42/0x50 fs/exec.c:1906
 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280
 return_from_SYSCALL_64+0x0/0x7e

The buggy address belongs to the object at ffff8801c8ea9280
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 208 bytes inside of
 256-byte region [ffff8801c8ea9280, ffff8801c8ea9380)
The buggy address belongs to the page:
page:ffffea000723aa40 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x8000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c8ea9200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c8ea9280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801c8ea9300: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
                                                 ^
 ffff8801c8ea9380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8801c8ea9400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

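What the report shows: the faulting read is in lib/vsprintf.c string() servicing a "%s" conversion, reached from xt_request_find_target() through __request_module(). The target name comes from the struct xt_entry_target that the caller passed in via setsockopt() (do_replace -> translate_table -> find_check_entry), and the allocation stack confirms the buffer being read is the xt_table_info object from xt_alloc_table_info(). The shadow bytes show the live object ends at offset 208 (the fc redzone starts at ffff8801c8ea9350, which is exactly the faulting address), so the user-supplied name carried no NUL inside its field and string() kept scanning off the end of the object. The "Freed by task 1915" stack is the previous occupant of that slab slot and is unrelated: this is an out-of-bounds read of a live allocation, not a use-after-free. The crashes here are on the downstream android-4.9 branch; the mainline entry in the similar-bugs table above is where the equivalent report was fixed.

The block below is an added user-space illustration, not code from syzbot, the kernel tree or any fix. The struct and function names are hypothetical stand-ins for the kernel's xt_entry_target and the request_module() path; XT_EXTENSION_MAXNAMELEN (29) is the real uapi value. It shows the "%s"-on-raw-name pattern beside a bounded check that rejects an unterminated name before anything formats it, on constructed sample inputs.

```c
/*
 * Added illustration, not kernel code: a user-space model of the check that
 * must run on a user-supplied xt extension name before it reaches a "%s"
 * conversion in request_module(). Struct and function names are hypothetical.
 */
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Real value from include/uapi/linux/netfilter/x_tables.h. */
#define XT_EXTENSION_MAXNAMELEN 29

/* Stand-in for the user-visible part of struct xt_entry_target: name[] is a
 * fixed array copied verbatim from user space, so a NUL inside it is never
 * guaranteed. */
struct xt_entry_target_user {
    unsigned short target_size;
    char name[XT_EXTENSION_MAXNAMELEN];
    unsigned char revision;
};

/* Returns 0 if name has a NUL within maxlen bytes, -EINVAL otherwise.
 * strnlen() never reads past maxlen, so the check itself is safe even when
 * name[] is the last field of an allocation. */
int xt_name_check(const char *name, size_t maxlen)
{
    return strnlen(name, maxlen) == maxlen ? -EINVAL : 0;
}

/* The pattern behind the report: "%s" on the raw name. The conversion walks
 * memory until it finds a NUL; with an unterminated name that walk leaves the
 * object, which is the slab-out-of-bounds read KASAN flagged in string().
 * Kept for comparison only; never call it on untrusted input. */
int build_module_request_unchecked(char *out, size_t outlen, const char *prefix,
                                   const struct xt_entry_target_user *t)
{
    int n = snprintf(out, outlen, "%st_%s", prefix, t->name);
    return (n < 0 || (size_t)n >= outlen) ? -ENAMETOOLONG : 0;
}

/* Hardened version: reject before formatting, and bound the conversion with a
 * precision so the format itself can never scan past name[] either. */
int build_module_request(char *out, size_t outlen, const char *prefix,
                         const struct xt_entry_target_user *t)
{
    int err = xt_name_check(t->name, sizeof(t->name));
    if (err)
        return err;
    int n = snprintf(out, outlen, "%st_%.*s", prefix,
                     (int)sizeof(t->name), t->name);
    return (n < 0 || (size_t)n >= outlen) ? -ENAMETOOLONG : 0;
}

/* Constructed sample 1: name[] completely filled with non-NUL bytes, the
 * shape of input behind the report. Expected: -EINVAL, no read beyond name[]. */
int demo_unterminated(void)
{
    struct xt_entry_target_user t;
    char buf[64];
    memset(&t, 0, sizeof(t));
    memset(t.name, 'A', sizeof(t.name));   /* 29 bytes, no terminator */
    return build_module_request(buf, sizeof(buf), "ip", &t);
}

/* Constructed sample 2: a well-formed name. Returns 1 if the hardened and the
 * unchecked builders both succeed and both produce "ipt_REJECT", else 0. */
int demo_terminated(void)
{
    struct xt_entry_target_user t;
    char a[64], b[64];
    memset(&t, 0, sizeof(t));
    strcpy(t.name, "REJECT");
    if (build_module_request(a, sizeof(a), "ip", &t) != 0)
        return 0;
    if (build_module_request_unchecked(b, sizeof(b), "ip", &t) != 0)
        return 0;
    return strcmp(a, "ipt_REJECT") == 0 && strcmp(a, b) == 0;
}

int main(void)
{
    printf("unterminated name: %s\n",
           demo_unterminated() == -EINVAL ? "rejected (-EINVAL)" : "ACCEPTED?!");
    printf("terminated name:   %s\n",
           demo_terminated() ? "ipt_REJECT from both builders" : "mismatch");
    return 0;
}
```

The point of checking with strnlen() rather than strlen() is that the check must be as bounded as the data: the name field is the last thing you can trust to exist, so neither the validation nor the later format conversion may touch a byte beyond it. When triaging a report like this one, the combination of a "%s" frame under vsnprintf, a user-copied fixed-size name field, and a faulting address sitting on the object's redzone boundary is the signature to look for.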
Crashes (37):
All 37 crashes are on https://android.googlesource.com/kernel/common, branch android-4.9 (the original page links each row's .config, console log and report).

Time             | Commit       | Syzkaller | Repro  | Manager
2018/01/24 21:08 | e9dabe69deb8 | 866f1102  | syz, C | ci-android-49-kasan-gce
2018/01/24 19:52 | e9dabe69deb8 | 866f1102  | syz, C | ci-android-49-kasan-gce
2018/01/24 19:34 | e9dabe69deb8 | 866f1102  | syz, C | ci-android-49-kasan-gce
2018/01/24 20:52 | e9dabe69deb8 | 866f1102  | syz, C | ci-android-49-kasan-gce-386
2018/01/24 20:31 | e9dabe69deb8 | 866f1102  | syz, C | ci-android-49-kasan-gce-386
2018/01/24 20:20 | e9dabe69deb8 | 866f1102  | syz, C | ci-android-49-kasan-gce-386
2018/01/24 19:59 | e9dabe69deb8 | 866f1102  | syz, C | ci-android-49-kasan-gce-386
2018/01/24 19:48 | e9dabe69deb8 | 866f1102  | syz, C | ci-android-49-kasan-gce-386
2018/01/24 19:38 | e9dabe69deb8 | 866f1102  | syz, C | ci-android-49-kasan-gce-386
2018/01/24 19:28 | e9dabe69deb8 | 866f1102  | syz, C | ci-android-49-kasan-gce-386
2018/01/27 03:40 | 68d447c0a37b | 1d18b112  |        | ci-android-49-kasan-gce
2018/01/26 03:57 | e37256ce150d | 1d18b112  |        | ci-android-49-kasan-gce
2018/01/27 01:47 | f518fe49bbaa | 1d18b112  |        | ci-android-49-kasan-gce-386
2018/01/26 21:14 | f518fe49bbaa | 1d18b112  |        | ci-android-49-kasan-gce-386
2018/01/26 17:00 | f518fe49bbaa | 1d18b112  |        | ci-android-49-kasan-gce-386
2018/01/26 10:28 | f518fe49bbaa | 1d18b112  |        | ci-android-49-kasan-gce-386
2018/01/26 06:00 | e37256ce150d | 1d18b112  |        | ci-android-49-kasan-gce-386
2018/01/26 03:09 | e37256ce150d | 1d18b112  |        | ci-android-49-kasan-gce-386
2018/01/26 01:42 | e37256ce150d | 1d18b112  |        | ci-android-49-kasan-gce-386
2018/01/26 01:26 | e37256ce150d | 1d18b112  |        | ci-android-49-kasan-gce-386
2018/01/26 01:08 | e37256ce150d | 1d18b112  |        | ci-android-49-kasan-gce-386
2018/01/26 01:02 | e37256ce150d | 1d18b112  |        | ci-android-49-kasan-gce-386
2018/01/25 23:18 | e37256ce150d | 1d18b112  |        | ci-android-49-kasan-gce-386
2018/01/25 20:52 | e37256ce150d | 1d18b112  |        | ci-android-49-kasan-gce-386
2018/01/25 19:46 | e37256ce150d | 6b2a715e  |        | ci-android-49-kasan-gce-386
2018/01/25 15:18 | 29eadc4b5c13 | 6b2a715e  |        | ci-android-49-kasan-gce-386
2018/01/25 13:01 | 29eadc4b5c13 | 6b2a715e  |        | ci-android-49-kasan-gce-386
2018/01/25 12:46 | 29eadc4b5c13 | 6b2a715e  |        | ci-android-49-kasan-gce-386
2018/01/25 08:48 | 29eadc4b5c13 | 6b2a715e  |        | ci-android-49-kasan-gce-386
2018/01/25 07:42 | 29eadc4b5c13 | 866f1102  |        | ci-android-49-kasan-gce-386
2018/01/25 07:34 | 29eadc4b5c13 | 866f1102  |        | ci-android-49-kasan-gce-386
2018/01/25 05:01 | 29eadc4b5c13 | 866f1102  |        | ci-android-49-kasan-gce-386
2018/01/25 04:20 | 29eadc4b5c13 | 866f1102  |        | ci-android-49-kasan-gce-386
2018/01/25 02:11 | 29eadc4b5c13 | 866f1102  |        | ci-android-49-kasan-gce-386
2018/01/24 21:53 | e9dabe69deb8 | 866f1102  |        | ci-android-49-kasan-gce-386
2018/01/24 19:11 | e9dabe69deb8 | 866f1102  |        | ci-android-49-kasan-gce-386
2018/01/24 19:10 | e9dabe69deb8 | 866f1102  |        | ci-android-49-kasan-gce-386