syzbot


UBSAN: array-index-out-of-bounds in alg_bind

Status: fixed on 2021/03/10 01:48
Subsystems: crypto
Reported-by: syzbot+92ead4eb8e26a26d465e@syzkaller.appspotmail.com
Fix commit: 92eb6c3060eb crypto: af_alg - avoid undefined behavior accessing salg_name
First crash: 1517d, last: 1457d
Cause bisection: failed (error log, bisect log)
Discussions (6)
Title Replies (including bot) Last reply
[PATCH 4.14 000/242] 4.14.213-rc1 review 245 (245) 2021/01/13 01:20
[PATCH 5.10 00/40] 5.10.3-rc1 review 60 (60) 2021/01/06 23:56
[PATCH 4.19 000/346] 4.19.164-rc1 review 356 (356) 2021/01/02 11:29
[PATCH 5.4 000/453] 5.4.86-rc1 review 465 (465) 2020/12/30 09:22
[PATCH] crypto: af_alg - avoid undefined behavior accessing salg_name 8 (8) 2020/11/06 07:01
UBSAN: array-index-out-of-bounds in alg_bind 5 (7) 2020/11/02 02:17
Last patch testing requests (1)
Created Duration User Patch Repo Result
2020/11/03 23:35 12m anant.thazhemadam@gmail.com patch upstream report log

Sample crash report:
================================================================================
UBSAN: array-index-out-of-bounds in crypto/af_alg.c:166:2
index 98 is out of range for type '__u8 [64]'
CPU: 1 PID: 8468 Comm: syz-executor983 Not tainted 5.10.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:356
 alg_bind+0x738/0x740 crypto/af_alg.c:166
 __sys_bind+0x283/0x360 net/socket.c:1656
 __do_sys_bind net/socket.c:1667 [inline]
 __se_sys_bind net/socket.c:1665 [inline]
 __x64_sys_bind+0x76/0x80 net/socket.c:1665
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4402c9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe05301528 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402c9
RDX: 000000000000007b RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ad0
R13: 0000000000401b60 R14: 0000000000000000 R15: 0000000000000000
================================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8468 Comm: syz-executor983 Not tainted 5.10.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:118
 panic+0x291/0x800 kernel/panic.c:231
 ubsan_epilogue lib/ubsan.c:162 [inline]
 __ubsan_handle_out_of_bounds+0x12b/0x130 lib/ubsan.c:356
 alg_bind+0x738/0x740 crypto/af_alg.c:166
 __sys_bind+0x283/0x360 net/socket.c:1656
 __do_sys_bind net/socket.c:1667 [inline]
 __se_sys_bind net/socket.c:1665 [inline]
 __x64_sys_bind+0x76/0x80 net/socket.c:1665
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4402c9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe05301528 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402c9
RDX: 000000000000007b RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ad0
R13: 0000000000401b60 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (700):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/11/02 02:17 upstream 3cea11cd5e3b 8bc4594f .config console log report syz C ci-upstream-kasan-gce-smack-root