syzbot


KASAN: use-after-free Read in batadv_interface_tx

Status: fixed on 2019/03/06 07:43
Subsystems: batman
[Documentation on labels]
Reported-by: syzbot+7d20bc3f1ddddc0f9079@syzkaller.appspotmail.com
Fix commit: 9114daa825fc batman-adv: Force mac header to start of data on xmit
First crash: 2174d, last: 2132d
Discussions (9)
Title Replies (including bot) Last reply
[PATCH 3.16 000/202] 3.16.66-rc1 review 205 (205) 2019/04/28 15:45
[PATCH 4.20 00/50] 4.20.9-stable review 62 (62) 2019/02/24 18:25
[PATCH 3.18 000/108] 3.18.135-stable review 112 (112) 2019/02/20 00:18
[PATCH 4.4 000/143] 4.4.175-stable review 153 (153) 2019/02/20 00:16
[PATCH 4.19 00/44] 4.19.22-stable review 48 (48) 2019/02/14 22:23
[PATCH 4.9 00/24] 4.9.157-stable review 30 (30) 2019/02/14 22:22
[PATCH 4.14 00/35] 4.14.100-stable review 41 (41) 2019/02/14 22:21
[PATCH 0/3] pull request for net: batman-adv 2019-02-01 5 (5) 2019/02/01 18:19
KASAN: use-after-free Read in batadv_interface_tx 0 (1) 2018/12/31 05:51

Sample crash report:
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: KASAN: use-after-free in batadv_interface_tx+0x160a/0x18b0 net/batman-adv/soft-interface.c:226
Read of size 2 at addr ffff88809f96aa4b by task syz-executor871/8379

CPU: 1 PID: 8379 Comm: syz-executor871 Not tainted 4.20.0+ #395
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d3/0x2c6 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:187
 kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145
 batadv_interface_tx+0x160a/0x18b0 net/batman-adv/soft-interface.c:226
 __netdev_start_xmit include/linux/netdevice.h:4382 [inline]
 netdev_start_xmit include/linux/netdevice.h:4391 [inline]
 dev_direct_xmit+0x36c/0x6a0 net/core/dev.c:3930
 packet_direct_xmit+0xfb/0x170 net/packet/af_packet.c:246
 packet_snd net/packet/af_packet.c:2932 [inline]
 packet_sendmsg+0x298a/0x6ad0 net/packet/af_packet.c:2957
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:631
 __sys_sendto+0x3d7/0x670 net/socket.c:1788
 __do_sys_sendto net/socket.c:1800 [inline]
 __se_sys_sendto net/socket.c:1796 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1796
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441eb9
Code: e8 4c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 04 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffee312ce58 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441eb9
RDX: 000000000000000e RSI: 0000000020000180 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 00000000004028d0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 8368:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 kasan_kmalloc+0xcb/0xd0 mm/kasan/common.c:482
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:397
 kmem_cache_alloc+0x130/0x730 mm/slab.c:3541
 getname_flags+0xd0/0x590 fs/namei.c:140
 user_path_at_empty+0x2d/0x50 fs/namei.c:2608
 user_path_at include/linux/namei.h:57 [inline]
 do_faccessat+0x254/0x800 fs/open.c:378
 __do_sys_access fs/open.c:430 [inline]
 __se_sys_access fs/open.c:428 [inline]
 __x64_sys_access+0x59/0x80 fs/open.c:428
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8368:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:444
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:452
 __cache_free mm/slab.c:3485 [inline]
 kmem_cache_free+0x83/0x290 mm/slab.c:3747
 putname+0xf2/0x130 fs/namei.c:261
 filename_lookup+0x39a/0x520 fs/namei.c:2357
 user_path_at_empty+0x40/0x50 fs/namei.c:2608
 user_path_at include/linux/namei.h:57 [inline]
 do_faccessat+0x254/0x800 fs/open.c:378
 __do_sys_access fs/open.c:430 [inline]
 __se_sys_access fs/open.c:428 [inline]
 __x64_sys_access+0x59/0x80 fs/open.c:428
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809f96a2c0
 which belongs to the cache names_cache of size 4096
The buggy address is located 1931 bytes inside of
 4096-byte region [ffff88809f96a2c0, ffff88809f96b2c0)
The buggy address belongs to the page:
page:ffffea00027e5a80 count:1 mapcount:0 mapping:ffff88821bc49080 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea0002810f08 ffffea00027d0388 ffff88821bc49080
raw: 0000000000000000 ffff88809f96a2c0 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809f96a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809f96a980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809f96aa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff88809f96aa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809f96ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (54):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/12/29 15:52 upstream 903b77c63167 a40793d7 .config console log report syz C ci-upstream-kasan-gce-root
2018/12/29 09:49 upstream f346b0becb1b e33ad0f1 .config console log report syz C ci-upstream-kasan-gce-root
2018/12/29 09:02 upstream f346b0becb1b e33ad0f1 .config console log report syz C ci-upstream-kasan-gce-smack-root
2018/12/29 06:40 upstream f346b0becb1b e33ad0f1 .config console log report syz C ci-upstream-kasan-gce
2018/12/29 06:23 upstream f346b0becb1b e33ad0f1 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2018/12/29 01:00 upstream 00c569b567c7 e33ad0f1 .config console log report syz C ci-upstream-kasan-gce
2018/12/27 14:45 upstream fc2fd5f0f1aa 43cf01dd .config console log report syz C ci-upstream-kasan-gce
2018/12/29 09:01 upstream f346b0becb1b e33ad0f1 .config console log report syz C ci-upstream-kasan-gce-386
2018/12/27 09:12 upstream eed9688f8513 e747ec98 .config console log report syz C ci-upstream-kasan-gce-386
2018/12/29 00:45 net-old a3c9311f62b4 e33ad0f1 .config console log report syz C ci-upstream-net-this-kasan-gce
2018/12/27 09:33 net-old 38355a5f9a22 e747ec98 .config console log report syz C ci-upstream-net-this-kasan-gce
2018/12/29 00:50 net-next-old b71acb0e3721 e33ad0f1 .config console log report syz C ci-upstream-net-kasan-gce
2018/12/29 14:22 linux-next 6a1d293238c1 a40793d7 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/12/29 06:22 linux-next 6a1d293238c1 e33ad0f1 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/02/07 06:37 upstream 8834f5600cf3 d25487bc .config console log report ci-upstream-kasan-gce-selinux-root
2019/02/07 00:57 upstream 8834f5600cf3 d25487bc .config console log report ci-upstream-kasan-gce-selinux-root
2019/02/04 09:47 upstream 8834f5600cf3 c198d5dd .config console log report ci-upstream-kasan-gce-root
2019/02/03 06:46 upstream 12491ed354d2 c198d5dd .config console log report ci-upstream-kasan-gce
2019/01/30 21:31 upstream 1c0490ce9022 aa432daf .config console log report ci-upstream-kasan-gce
2019/01/29 03:18 upstream 4aa9fc2a435a aa432daf .config console log report ci-upstream-kasan-gce-root
2019/01/14 03:16 upstream 1c7fc5cbc339 c3f3344c .config console log report ci-upstream-kasan-gce
2019/01/12 15:39 upstream 4b3c31c8d4dd c3f3344c .config console log report ci-upstream-kasan-gce
2019/01/12 02:43 upstream de6629eb262e c3f3344c .config console log report ci-upstream-kasan-gce-root
2019/01/05 08:30 upstream 3fed6ae4b027 53be0a37 .config console log report ci-upstream-kasan-gce-selinux-root
2019/01/30 11:57 net-old 62967898789d aa432daf .config console log report ci-upstream-net-this-kasan-gce
2019/01/23 07:47 net-old 56cb4e503499 b1ff06b2 .config console log report ci-upstream-net-this-kasan-gce
2019/01/22 01:49 net-old 49a57857aeea badbbeee .config console log report ci-upstream-net-this-kasan-gce
2019/01/19 23:19 net-old 3e64cf7a435e 8aa587b0 .config console log report ci-upstream-net-this-kasan-gce
2019/01/09 20:15 net-old d972f3dce8d1 45c0c1b1 .config console log report ci-upstream-net-this-kasan-gce
2019/01/04 18:04 net-old 96d4f267e40f 0127e3ba .config console log report ci-upstream-net-this-kasan-gce
2019/02/06 21:05 net-next-old 5661f29ade24 d25487bc .config console log report ci-upstream-net-kasan-gce
2019/02/06 07:15 net-next-old bfbae2eafe05 d672172c .config console log report ci-upstream-net-kasan-gce
2019/02/06 00:00 net-next-old 5468e82f7034 d672172c .config console log report ci-upstream-net-kasan-gce
2019/02/04 06:51 net-next-old 9fb20801dab4 c198d5dd .config console log report ci-upstream-net-kasan-gce
2019/02/03 06:46 net-next-old a68a8481353a c198d5dd .config console log report ci-upstream-net-kasan-gce
2019/02/02 20:45 net-next-old d6b0a01faa6a c198d5dd .config console log report ci-upstream-net-kasan-gce
2019/02/01 03:36 net-next-old 630afc7734ba 0e8ea0a3 .config console log report ci-upstream-net-kasan-gce
2019/01/29 05:36 net-next-old 085c4c7dd2b6 aa432daf .config console log report ci-upstream-net-kasan-gce
2019/01/25 05:41 net-next-old 254764e55652 bfab9cd8 .config console log report ci-upstream-net-kasan-gce
2019/01/20 20:35 net-next-old 4e15cbe82996 fd37a550 .config console log report ci-upstream-net-kasan-gce
2019/01/17 04:07 net-next-old bdbe8cc1a30c c2faf9b2 .config console log report ci-upstream-net-kasan-gce
2019/01/10 19:53 net-next-old b71acb0e3721 db9b6579 .config console log report ci-upstream-net-kasan-gce
2019/01/08 03:18 net-next-old b71acb0e3721 69d69aa9 .config console log report ci-upstream-net-kasan-gce
2019/01/07 19:10 net-next-old b71acb0e3721 69d69aa9 .config console log report ci-upstream-net-kasan-gce
2019/01/07 03:25 net-next-old b71acb0e3721 ee332608 .config console log report ci-upstream-net-kasan-gce
2019/01/06 02:09 net-next-old b71acb0e3721 53be0a37 .config console log report ci-upstream-net-kasan-gce
2018/12/27 10:03 net-next-old 90cadbbf341d e747ec98 .config console log report ci-upstream-net-kasan-gce
2018/12/27 04:41 net-next-old 90cadbbf341d e747ec98 .config console log report ci-upstream-net-kasan-gce
2019/01/17 16:28 linux-next a37d50ca3b83 769e75ed .config console log report ci-upstream-linux-next-kasan-gce-root
2019/01/12 11:48 linux-next b808822a75a3 c3f3344c .config console log report ci-upstream-linux-next-kasan-gce-root
2019/01/11 18:39 linux-next b808822a75a3 c3f3344c .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.