syzbot


UBSAN: array-index-out-of-bounds in ip6_rt_copy_init

Status: upstream: reported C repro on 2025/05/01 11:14
Subsystems: net
Reported-by: syzbot+8f8024317adff163ec5a@syzkaller.appspotmail.com
First crash: 6d23h, last: 6h00m
Cause bisection: introduced by (bisect log):
commit 557f8c582a9ba8abe6aa0fd734b6f342af106b26
Author: Kees Cook <keescook@chromium.org>
Date: Thu Jan 18 23:06:05 2024 +0000

  ubsan: Reintroduce signed overflow sanitizer

Crash: UBSAN: signed-integer-overflow in __ip_select_ident (log)
Repro: C syz .config
  
Discussions (1)
Title | Replies (including bot) | Last reply
[syzbot] [net?] UBSAN: array-index-out-of-bounds in ip6_rt_copy_init | 2 (3) | 2025/05/01 20:44

Sample crash report:
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in net/ipv6/route.c:1095:9
index 255 is out of range for type 'const int[12]'
CPU: 1 UID: 0 PID: 5835 Comm: kworker/1:3 Not tainted 6.15.0-rc3-syzkaller-00584-gcc17b4b9c332 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
Workqueue: mld mld_ifc_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 ubsan_epilogue+0xa/0x40 lib/ubsan.c:231
 __ubsan_handle_out_of_bounds+0xe9/0xf0 lib/ubsan.c:453
 ip6_rt_type_to_error net/ipv6/route.c:1095 [inline]
 ip6_rt_init_dst_reject net/ipv6/route.c:1112 [inline]
 ip6_rt_init_dst net/ipv6/route.c:1137 [inline]
 ip6_rt_copy_init+0x8e7/0x970 net/ipv6/route.c:1175
 ip6_rt_pcpu_alloc net/ipv6/route.c:1424 [inline]
 rt6_make_pcpu_route net/ipv6/route.c:1467 [inline]
 ip6_pol_route+0xbac/0x1180 net/ipv6/route.c:2302
 pol_lookup_func include/net/ip6_fib.h:617 [inline]
 fib6_rule_lookup+0x348/0x6f0 net/ipv6/fib6_rules.c:125
 ip6_route_output_flags_noref net/ipv6/route.c:2674 [inline]
 ip6_route_output_flags+0x364/0x5d0 net/ipv6/route.c:2686
 ip6_route_output include/net/ip6_route.h:93 [inline]
 ip6_dst_lookup_tail+0x1ae/0x1510 net/ipv6/ip6_output.c:1128
 ip6_dst_lookup_flow+0x47/0xe0 net/ipv6/ip6_output.c:1259
 udp_tunnel6_dst_lookup+0x231/0x3c0 net/ipv6/ip6_udp_tunnel.c:165
 geneve6_xmit_skb drivers/net/geneve.c:957 [inline]
 geneve_xmit+0xd2e/0x2b70 drivers/net/geneve.c:1043
 __netdev_start_xmit include/linux/netdevice.h:5203 [inline]
 netdev_start_xmit include/linux/netdevice.h:5212 [inline]
 xmit_one net/core/dev.c:3828 [inline]
 dev_hard_start_xmit+0x2d4/0x830 net/core/dev.c:3844
 __dev_queue_xmit+0x1adf/0x3a70 net/core/dev.c:4681
 dev_queue_xmit include/linux/netdevice.h:3349 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip6_finish_output2+0x11bc/0x16a0 net/ipv6/ip6_output.c:141
 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
 ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:226
 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:314
 mld_sendpack+0x800/0xd80 net/ipv6/mcast.c:1868
 mld_send_cr net/ipv6/mcast.c:2169 [inline]
 mld_ifc_work+0x835/0xde0 net/ipv6/mcast.c:2702
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xadb/0x17a0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
---[ end trace ]---

Crashes (45):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/04/27 00:45 net-next cc17b4b9c332 c6b4fb39 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/05/01 18:56 net-next deeed351e982 51b137cd .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/05/01 10:05 net-next deeed351e982 ce7952f4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/05/01 07:30 net-next deeed351e982 ce7952f4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/05/01 05:23 net-next deeed351e982 ce7952f4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/05/01 05:05 net-next deeed351e982 ce7952f4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/05/01 00:30 net-next deeed351e982 ce7952f4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/30 21:05 net-next deeed351e982 ce7952f4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/30 13:38 net-next 1f773970a72e 85a5a23f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/30 13:38 net-next 1f773970a72e 85a5a23f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/30 13:36 net-next 1f773970a72e 85a5a23f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/30 13:36 net-next 1f773970a72e 85a5a23f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/30 02:08 net-next ff61a4a5dfc2 aeb6ec69 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/29 23:43 net-next ff61a4a5dfc2 aeb6ec69 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/29 11:17 net-next 0d15a26b247d aeb6ec69 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/29 07:46 net-next 0d15a26b247d aeb6ec69 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/29 07:46 net-next 0d15a26b247d aeb6ec69 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/29 07:46 net-next 0d15a26b247d aeb6ec69 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/29 07:46 net-next 0d15a26b247d aeb6ec69 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/29 07:46 net-next 0d15a26b247d aeb6ec69 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/29 07:46 net-next 0d15a26b247d aeb6ec69 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/29 00:09 net-next f438eee2c8c9 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/28 23:28 net-next f438eee2c8c9 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/28 23:15 net-next f438eee2c8c9 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/28 22:12 net-next f438eee2c8c9 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/28 20:33 net-next f438eee2c8c9 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/28 03:08 net-next cc17b4b9c332 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/28 00:40 net-next cc17b4b9c332 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/27 22:59 net-next cc17b4b9c332 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/27 21:51 net-next cc17b4b9c332 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/27 17:46 net-next cc17b4b9c332 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/27 14:31 net-next cc17b4b9c332 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/27 12:56 net-next cc17b4b9c332 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/27 10:35 net-next cc17b4b9c332 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/27 07:56 net-next cc17b4b9c332 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/27 04:12 net-next cc17b4b9c332 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/26 21:13 net-next cc17b4b9c332 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/26 17:01 net-next cc17b4b9c332 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/26 11:46 net-next cc17b4b9c332 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/25 09:07 net-next 5565acd1e6c4 e3715315 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/25 08:31 net-next 5565acd1e6c4 e3715315 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/25 08:08 net-next 5565acd1e6c4 e3715315 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/25 07:23 net-next 5565acd1e6c4 e3715315 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
2025/04/25 01:44 net-next 5565acd1e6c4 9c80ffa0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce UBSAN: array-index-out-of-bounds in ip6_rt_copy_init
* Struck through repros no longer work on HEAD.