syzbot


KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2

Status: fixed on 2021/04/13 19:14
Subsystems: trace bpf
[Documentation on labels]
Reported-by: syzbot+845923d2172947529b58@syzkaller.appspotmail.com
Fix commit: befe6d946551 tracepoint: Do not fail unregistering a probe due to memory failure
First crash: 1486d, last: 1327d
Cause bisection: introduced by (bisect log) :
commit 0a93dc1c18fd86f936bcb44f72dc044c0ea826a8
Author: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Date: Wed Oct 12 11:11:16 2016 +0000

  [media] dvb-core: don't break long lines

Crash: WARNING in nf_unregister_net_hook (log)
Repro: C syz .config
  
Fix bisection: fixed by (bisect log) :
commit befe6d946551d65cddbd32b9cb0170b0249fd5ed
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date: Wed Nov 18 14:34:05 2020 +0000

  tracepoint: Do not fail unregistering a probe due to memory failure

  
Discussions (1)
Title Replies (including bot) Last reply
KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2 1 (3) 2021/04/13 17:20
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 BUG: unable to handle kernel paging request in bpf_trace_run2 C 4 1329d 1484d 0/2 auto-obsoleted due to no activity on 2023/04/17 21:30
upstream KASAN: slab-use-after-free Read in bpf_trace_run2 bpf trace C error 653 190d 208d 25/28 fixed on 2024/05/22 23:16
Fix bisection attempts (4)
Created Duration User Patch Repo Result
2021/03/31 23:37 4h01m bisect fix bpf-next OK (1) job log
2021/01/31 07:47 18m bisect fix bpf-next OK (0) job log log
2020/12/16 09:40 16m bisect fix bpf-next OK (0) job log log
2020/10/22 02:46 18m bisect fix bpf-next OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in __bpf_trace_run kernel/trace/bpf_trace.c:1937 [inline]
BUG: KASAN: vmalloc-out-of-bounds in bpf_trace_run2+0x397/0x3d0 kernel/trace/bpf_trace.c:1974
Read of size 8 at addr ffffc90000e76030 by task syz-executor514/6838

CPU: 0 PID: 6838 Comm: syz-executor514 Not tainted 5.9.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 __bpf_trace_run kernel/trace/bpf_trace.c:1937 [inline]
 bpf_trace_run2+0x397/0x3d0 kernel/trace/bpf_trace.c:1974
 trace_sys_enter include/trace/events/syscalls.h:18 [inline]
 syscall_trace_enter kernel/entry/common.c:64 [inline]
 syscall_enter_from_user_mode+0x22c/0x290 kernel/entry/common.c:82
 do_syscall_64+0xf/0x70 arch/x86/entry/common.c:41
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4441ba
Code: 25 18 00 00 00 00 74 01 f0 48 0f b1 3d ef f9 28 00 48 39 c2 75 da f3 c3 0f 1f 84 00 00 00 00 00 48 63 ff b8 e4 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 f3 c3 0f 1f 40 00 48 c7 c2 d0 ff ff ff f7
RSP: 002b:00007ffeec2fd9d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e4
RAX: ffffffffffffffda RBX: 0000000000001ac2 RCX: 00000000004441ba
RDX: 0000000000000000 RSI: 00007ffeec2fd9e0 RDI: 0000000000000001
RBP: 000000000000e4f7 R08: 0000000000001ab6 R09: 00000000022b5880
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004022d0
R13: 0000000000402360 R14: 0000000000000000 R15: 0000000000000000


Memory state around the buggy address:
 ffffc90000e75f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90000e75f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90000e76000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                                     ^
 ffffc90000e76080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90000e76100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/09/19 21:45 bpf-next 70b971118e07 53ce8104 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2021/02/26 11:15 bpf 557c223b643a 76f7fc95 .config console log report info ci-upstream-bpf-kasan-gce KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
2020/09/22 02:46 upstream ba4f184e126b 9e1fa68e .config console log report info ci-upstream-kasan-gce-root
2020/11/09 20:12 net-old 4e0396c59559 64069d48 .config console log report info ci-upstream-net-this-kasan-gce
2021/01/01 07:47 bpf-next 482ec343f40a 79264ae3 .config console log report info ci-upstream-bpf-next-kasan-gce
* Struck through repros no longer work on HEAD.