syzbot


KASAN: slab-out-of-bounds Read in __xfrm_decode_session

Status: upstream: reported on 2024/12/26 09:29
Reported-by: syzbot+8d0bf962e4fedb1613b1@syzkaller.appspotmail.com
First crash: 15h18m, last: 15h18m
Similar bugs (7)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | KASAN: slab-out-of-bounds Read in __xfrm_decode_session (2) net | | | | 7 | 1117d | 1353d | 0/28 | auto-closed as invalid on 2022/04/04 17:22
upstream | KMSAN: kernel-infoleak in copyout (2) net | C | | | 6723 | 567d | 1736d | 22/28 | fixed on 2023/06/08 14:41
linux-5.15 | KASAN: slab-out-of-bounds Read in __xfrm_decode_session origin:upstream | C | error | | 7 | 414d | 601d | 0/3 | auto-obsoleted due to no activity on 2024/02/16 23:16
upstream | KASAN: slab-out-of-bounds Read in __xfrm_decode_session net | | | | 20 | 1569d | 1854d | 0/28 | auto-closed as invalid on 2021/01/07 14:52
linux-6.1 | KASAN: use-after-free Read in __xfrm_decode_session | | | | 4 | 460d | 591d | 0/3 | auto-obsoleted due to no activity on 2024/01/01 21:03
upstream | KMSAN: kernel-infoleak in _copy_to_iter (7) net | C | | | 138977 | 671d | 1023d | 22/28 | fixed on 2023/02/24 13:50
upstream | KMSAN: uninit-value in __xfrm_decode_session (4) net | C | | | 8 | 431d | 478d | 0/28 | closed as invalid on 2023/12/14 11:46

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in decode_session6 net/xfrm/xfrm_policy.c:3412 [inline]
BUG: KASAN: slab-out-of-bounds in __xfrm_decode_session+0x1670/0x1e5c net/xfrm/xfrm_policy.c:3518
Read of size 1 at addr ffff0000da2bf741 by task syz.3.32/4526

CPU: 0 PID: 4526 Comm: syz.3.32 Tainted: G        W          6.1.121-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0x174/0x4c0 mm/kasan/report.c:427
 kasan_report+0xd4/0x130 mm/kasan/report.c:531
 __asan_report_load1_noabort+0x2c/0x38 mm/kasan/report_generic.c:348
 decode_session6 net/xfrm/xfrm_policy.c:3412 [inline]
 __xfrm_decode_session+0x1670/0x1e5c net/xfrm/xfrm_policy.c:3518
 xfrm_decode_session_reverse include/net/xfrm.h:1184 [inline]
 icmpv6_route_lookup+0x398/0x558 net/ipv6/icmp.c:394
 icmp6_send+0xe18/0x1b8c net/ipv6/icmp.c:603
 __icmpv6_send include/linux/icmpv6.h:28 [inline]
 icmpv6_send include/linux/icmpv6.h:49 [inline]
 ip6_link_failure+0x44/0x4a8 net/ipv6/route.c:2793
 dst_link_failure include/net/dst.h:423 [inline]
 ip6_tnl_xmit+0x1010/0x2698 net/ipv6/ip6_tunnel.c:1284
 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1400 [inline]
 ip6_tnl_start_xmit+0xda8/0x142c net/ipv6/ip6_tunnel.c:1449
 __netdev_start_xmit include/linux/netdevice.h:4888 [inline]
 netdev_start_xmit include/linux/netdevice.h:4902 [inline]
 xmit_one net/core/dev.c:3627 [inline]
 dev_hard_start_xmit+0x25c/0x9a4 net/core/dev.c:3643
 sch_direct_xmit+0x234/0x548 net/sched/sch_generic.c:342
 qdisc_restart net/sched/sch_generic.c:407 [inline]
 __qdisc_run+0x904/0x239c net/sched/sch_generic.c:415
 __dev_xmit_skb net/core/dev.c:3925 [inline]
 __dev_queue_xmit+0xcac/0x34d0 net/core/dev.c:4267
 dev_queue_xmit include/linux/netdevice.h:3043 [inline]
 neigh_connected_output+0x344/0x3d4 net/core/neighbour.c:1592
 neigh_output include/net/neighbour.h:544 [inline]
 ip6_finish_output2+0xdb8/0x1b54 net/ipv6/ip6_output.c:138
 ip6_fragment+0x1b74/0x2a80 net/ipv6/ip6_output.c:960
 __ip6_finish_output net/ipv6/ip6_output.c:203 [inline]
 ip6_finish_output+0x444/0x940 net/ipv6/ip6_output.c:216
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x274/0x594 net/ipv6/ip6_output.c:237
 dst_output include/net/dst.h:444 [inline]
 ip6_local_out+0x120/0x160 net/ipv6/output_core.c:161
 ip6_send_skb+0x19c/0x570 net/ipv6/ip6_output.c:2008
 udp_v6_send_skb+0xa0c/0x1760 net/ipv6/udp.c:1305
 udpv6_sendmsg+0x19d8/0x28c8 net/ipv6/udp.c:1600
 inet6_sendmsg+0xb4/0xd8 net/ipv6/af_inet6.c:668
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:730 [inline]
 ____sys_sendmsg+0x55c/0x848 net/socket.c:2519
 ___sys_sendmsg net/socket.c:2573 [inline]
 __sys_sendmsg+0x26c/0x33c net/socket.c:2602
 __do_sys_sendmsg net/socket.c:2611 [inline]
 __se_sys_sendmsg net/socket.c:2609 [inline]
 __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2609
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Allocated by task 4332:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 kmalloc_trace+0x7c/0x94 mm/slab_common.c:1031
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 snmp6_alloc_dev net/ipv6/addrconf.c:354 [inline]
 ipv6_add_dev+0x530/0xfd0 net/ipv6/addrconf.c:404
 addrconf_notify+0x4fc/0xc94 net/ipv6/addrconf.c:3598
 notifier_call_chain kernel/notifier.c:87 [inline]
 raw_notifier_call_chain+0xd4/0x164 kernel/notifier.c:455
 call_netdevice_notifiers_info net/core/dev.c:1970 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
 call_netdevice_notifiers+0x138/0x1b8 net/core/dev.c:2022
 register_netdevice+0x117c/0x150c net/core/dev.c:10192
 __ip_tunnel_create+0x23c/0x304 net/ipv4/ip_tunnel.c:267
 ip_tunnel_init_net+0x1e0/0x5b0 net/ipv4/ip_tunnel.c:1100
 ipgre_tap_init_net+0x38/0x48 net/ipv4/ip_gre.c:1700
 ops_init+0x2e4/0x54c net/core/net_namespace.c:138
 setup_net+0x424/0xaac net/core/net_namespace.c:335
 copy_net_ns+0x2ec/0x58c net/core/net_namespace.c:498
 create_new_namespaces+0x344/0x614 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x108/0x158 kernel/nsproxy.c:226
 ksys_unshare+0x424/0x7e4 kernel/fork.c:3201
 __do_sys_unshare kernel/fork.c:3272 [inline]
 __se_sys_unshare kernel/fork.c:3270 [inline]
 __arm64_sys_unshare+0x3c/0x50 kernel/fork.c:3270
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the object at ffff0000da2be000
 which belongs to the cache kmalloc-cg-4k of size 4096
The buggy address is located 1857 bytes to the right of
 4096-byte region [ffff0000da2be000, ffff0000da2bf000)

The buggy address belongs to the physical page:
page:00000000cb6f133d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a2b8
head:00000000cb6f133d order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0003500
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000da2bf600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000da2bf680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000da2bf700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff0000da2bf780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000da2bf800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (1):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2024/12/26 09:29 | linux-6.1.y | 29f02ec58a94 | 444551c4 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: slab-out-of-bounds Read in __xfrm_decode_session
* Struck through repros no longer work on HEAD.