syzbot


UBSAN: shift-out-of-bounds in tcf_pedit_init

Status: upstream: reported C repro on 2022/05/12 21:18
Reported-by: syzbot+8ed8fc4c57e9dcf23ca6@syzkaller.appspotmail.com
Fix commit: 4d42d54a7d6a net/sched: act_pedit: sanitize shift argument before usage
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 137d, last: 130d

Cause bisection: introduced by (bisect log):
commit 8b796475fd7882663a870456466a4fb315cc1bd6
Author: Paolo Abeni <pabeni@redhat.com>
Date: Tue May 10 14:57:34 2022 +0000

  net/sched: act_pedit: really ensure the skb is writable

Crash: UBSAN: shift-out-of-bounds in tcf_pedit_init (log)
Repro: C syz .config
Patch testing requests:
Created Duration User Patch Repo Result
2022/05/13 08:52 15m pabeni@redhat.com patch git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git master OK
2022/05/13 08:14 9m pabeni@redhat.com patch git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git master report log

Sample crash report:
netlink: 28 bytes leftover after parsing attributes in process `syz-executor344'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor344'.
================================================================================
UBSAN: shift-out-of-bounds in net/sched/act_pedit.c:238:43
shift exponent 1400735974 is too large for 32-bit type 'unsigned int'
CPU: 1 PID: 3598 Comm: syz-executor344 Not tainted 5.18.0-rc5-syzkaller-00165-g810c2f0a3f86 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 ubsan_epilogue+0xb/0x50 lib/ubsan.c:151
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x187 lib/ubsan.c:322
 tcf_pedit_init.cold+0x1a/0x1f net/sched/act_pedit.c:238
 tcf_action_init_1+0x414/0x690 net/sched/act_api.c:1367
 tcf_action_init+0x530/0x8d0 net/sched/act_api.c:1432
 tcf_action_add+0xf9/0x480 net/sched/act_api.c:1956
 tc_ctl_action+0x346/0x470 net/sched/act_api.c:2015
 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5993
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:725
 ____sys_sendmsg+0x6e2/0x800 net/socket.c:2413
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2496
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fc8b8641b59
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd04b44b58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc8b8641b59
RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
RBP: 00007fc8b8605d00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc8b8605d90
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
================================================================================

Crashes (59):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-net-this-kasan-gce 2022/05/12 21:43 net 810c2f0a3f86 9ad6612a .config log report syz C UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-this-kasan-gce 2022/05/12 21:14 net 810c2f0a3f86 9ad6612a .config log report syz C UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-linux-next-kasan-gce-root 2022/05/12 21:16 linux-next 187b9ac8c348 9ad6612a .config log report syz C UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-smack-root 2022/05/19 10:08 upstream f993aed406ea 50c53f39 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-root 2022/05/17 19:25 upstream 42226c989789 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-root 2022/05/17 17:08 upstream 42226c989789 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-selinux-root 2022/05/17 01:56 upstream 42226c989789 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-smack-root 2022/05/16 21:32 upstream 42226c989789 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-root 2022/05/16 20:37 upstream 42226c989789 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce 2022/05/16 20:29 upstream 42226c989789 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce 2022/05/16 14:02 upstream 42226c989789 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-selinux-root 2022/05/15 06:51 upstream 2fe1020d73ca 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-qemu-upstream 2022/05/15 05:49 upstream 2fe1020d73ca 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce 2022/05/15 03:12 upstream 2fe1020d73ca 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-selinux-root 2022/05/15 00:26 upstream 2fe1020d73ca 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-root 2022/05/14 23:56 upstream ec7f49619d8e 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-smack-root 2022/05/14 23:53 upstream 2fe1020d73ca 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-root 2022/05/14 13:24 upstream ec7f49619d8e 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce 2022/05/13 16:39 upstream f3f19f939c11 107f6434 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-selinux-root 2022/05/13 13:30 upstream f3f19f939c11 107f6434 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-root 2022/05/13 13:03 upstream f3f19f939c11 107f6434 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-selinux-root 2022/05/13 12:27 upstream f3f19f939c11 107f6434 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-root 2022/05/13 11:34 upstream f3f19f939c11 107f6434 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-kasan-gce-selinux-root 2022/05/13 09:01 upstream f3f19f939c11 9ad6612a .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-qemu-upstream-386 2022/05/15 06:01 upstream 2fe1020d73ca 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-this-kasan-gce 2022/05/15 14:18 net 9500acc631db 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-this-kasan-gce 2022/05/14 16:41 net 9500acc631db 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-this-kasan-gce 2022/05/14 15:59 net 9500acc631db 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-this-kasan-gce 2022/05/14 05:11 net 9500acc631db 107f6434 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-this-kasan-gce 2022/05/12 21:00 net 810c2f0a3f86 9ad6612a .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/19 21:59 net-next c1318b39c7d3 50c53f39 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/19 19:20 net-next c1318b39c7d3 50c53f39 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/19 02:07 net-next a3641ca416a3 50c53f39 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/18 23:33 net-next a3641ca416a3 50c53f39 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/18 18:48 net-next a3641ca416a3 50c53f39 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/17 14:40 net-next f7b88d9ae91e 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/17 11:23 net-next f7b88d9ae91e 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/17 09:37 net-next f7b88d9ae91e 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/16 22:14 net-next d887ae3247e0 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/16 19:06 net-next d887ae3247e0 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/16 03:57 net-next d9713088158b 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/15 22:59 net-next d9713088158b 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/15 21:24 net-next d9713088158b 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/15 11:10 net-next d9713088158b 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/15 06:13 net-next d9713088158b 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/14 21:38 net-next d9713088158b 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/14 18:29 net-next d9713088158b 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/14 15:17 net-next d9713088158b 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-net-kasan-gce 2022/05/13 21:06 net-next b67fd3d9d942 107f6434 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-linux-next-kasan-gce-root 2022/05/20 04:18 linux-next 3f7bdc402fb0 cb1ac2e7 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-linux-next-kasan-gce-root 2022/05/19 00:39 linux-next 3f7bdc402fb0 50c53f39 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-linux-next-kasan-gce-root 2022/05/16 03:57 linux-next 1e1b28b936ae 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-linux-next-kasan-gce-root 2022/05/14 23:50 linux-next 1e1b28b936ae 744a39e2 .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-linux-next-kasan-gce-root 2022/05/13 07:04 linux-next 187b9ac8c348 9ad6612a .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
ci-upstream-linux-next-kasan-gce-root 2022/05/12 21:04 linux-next 187b9ac8c348 9ad6612a .config log report info UBSAN: shift-out-of-bounds in tcf_pedit_init
* Struck through repros no longer work on HEAD.