syzbot

 sign-in | mailing list | source | docs
🐞 Open [106]
🐞 Fixed [1]
🐞 Invalid [166]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in ip_local_deliver

Status: public: reported C repro on 2019/04/11 00:00
Reported-by: syzbot+aafa720f6b294e50ab2f@syzkaller.appspotmail.com
First crash: 2145d, last: 2116d

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1548959347.245:7): avc:  denied  { map } for  pid=1789 comm="syz-executor397" path="/root/syz-executor397221435" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in nf_hook include/linux/netfilter.h:198 [inline]
BUG: KASAN: use-after-free in NF_HOOK include/linux/netfilter.h:248 [inline]
BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450 net/ipv4/ip_input.c:257
Read of size 8 at addr ffff8881d1d02010 by task syz-executor397/1792

CPU: 1 PID: 1792 Comm: syz-executor397 Not tainted 4.14.96+ #20
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x10e lib/dump_stack.c:53
 print_address_description+0x60/0x226 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0x88/0x2a5 mm/kasan/report.c:393

Allocated by task 1792:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
 slab_post_alloc_hook mm/slab.h:442 [inline]
 slab_alloc_node mm/slub.c:2723 [inline]
 slab_alloc mm/slub.c:2731 [inline]
 kmem_cache_alloc+0xd2/0x2d0 mm/slub.c:2736
 __build_skb+0x2e/0x2d0 net/core/skbuff.c:281
 build_skb+0x1a/0x1f0 net/core/skbuff.c:312
 tun_build_skb drivers/net/tun.c:1354 [inline]
 tun_get_user+0x248b/0x3790 drivers/net/tun.c:1467
 tun_chr_write_iter+0xcf/0x180 drivers/net/tun.c:1596
 call_write_iter include/linux/fs.h:1784 [inline]
 do_iter_readv_writev+0x379/0x580 fs/read_write.c:678
 do_iter_write fs/read_write.c:957 [inline]
 do_iter_write+0x152/0x550 fs/read_write.c:938
 vfs_writev+0x146/0x2d0 fs/read_write.c:1002
 do_writev+0xc9/0x240 fs/read_write.c:1037
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289

Freed by task 1792:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1389 [inline]
 slab_free_freelist_hook mm/slub.c:1410 [inline]
 slab_free mm/slub.c:2966 [inline]
 kmem_cache_free+0xc4/0x330 mm/slub.c:2988
 kfree_skbmem net/core/skbuff.c:582 [inline]
 kfree_skbmem+0xa0/0x100 net/core/skbuff.c:576
 __kfree_skb net/core/skbuff.c:642 [inline]
 kfree_skb+0xcd/0x350 net/core/skbuff.c:659
 ip_frag_queue net/ipv4/ip_fragment.c:507 [inline]
 ip_defrag+0x5f4/0x3b50 net/ipv4/ip_fragment.c:699
 ip_local_deliver+0x165/0x450 net/ipv4/ip_input.c:253
 dst_input include/net/dst.h:465 [inline]
 ip_rcv_finish+0x5c9/0x1490 net/ipv4/ip_input.c:397
 NF_HOOK include/linux/netfilter.h:250 [inline]
 ip_rcv+0x9e2/0xf7a net/ipv4/ip_input.c:493
 __netif_receive_skb_core+0x1364/0x2c60 net/core/dev.c:4477
 __netif_receive_skb+0x55/0x1f0 net/core/dev.c:4515
 netif_receive_skb_internal+0xec/0x5c0 net/core/dev.c:4588
 tun_rx_batched.isra.0+0x45d/0x730 drivers/net/tun.c:1218
 tun_get_user+0xd95/0x3790 drivers/net/tun.c:1570
 tun_chr_write_iter+0xcf/0x180 drivers/net/tun.c:1596
 call_write_iter include/linux/fs.h:1784 [inline]
 do_iter_readv_writev+0x379/0x580 fs/read_write.c:678
 do_iter_write fs/read_write.c:957 [inline]
 do_iter_write+0x152/0x550 fs/read_write.c:938
 vfs_writev+0x146/0x2d0 fs/read_write.c:1002
 do_writev+0xc9/0x240 fs/read_write.c:1037
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289

The buggy address belongs to the object at ffff8881d1d02000
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 16 bytes inside of
 224-byte region [ffff8881d1d02000, ffff8881d1d020e0)
The buggy address belongs to the page:
page:ffffea0007474080 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000100(slab)
raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d1d01f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881d1d01f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881d1d02000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff8881d1d02080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8881d1d02100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (1379):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/01/31 18:32 android-4.14 63d1657d00e0 0e8ea0a3 .config console log report syz C ci-android-414-kasan-gce-root
2019/01/31 18:13 android-4.14 63d1657d00e0 0e8ea0a3 .config console log report syz C ci-android-414-kasan-gce-root
2019/01/30 07:22 android-4.14 63d1657d00e0 aa432daf .config console log report syz C ci-android-414-kasan-gce-root
2019/01/30 05:46 android-4.14 63d1657d00e0 aa432daf .config console log report syz C ci-android-414-kasan-gce-root
2019/01/30 04:29 android-4.14 63d1657d00e0 aa432daf .config console log report syz C ci-android-414-kasan-gce-root
2019/01/29 03:11 android-4.14 63d1657d00e0 aa432daf .config console log report syz C ci-android-414-kasan-gce-root
2019/01/29 02:39 android-4.14 63d1657d00e0 aa432daf .config console log report syz C ci-android-414-kasan-gce-root
2019/01/29 02:23 android-4.14 63d1657d00e0 aa432daf .config console log report syz C ci-android-414-kasan-gce-root
2019/01/26 21:15 android-4.14 70014b13c28c c73f090a .config console log report syz C ci-android-414-kasan-gce-root
2019/01/26 21:00 android-4.14 70014b13c28c c73f090a .config console log report syz C ci-android-414-kasan-gce-root
2019/01/22 06:47 android-4.14 5a76363f1262 badbbeee .config console log report syz C ci-android-414-kasan-gce-root
2019/01/22 05:08 android-4.14 5a76363f1262 badbbeee .config console log report syz C ci-android-414-kasan-gce-root
2019/01/22 04:37 android-4.14 5a76363f1262 badbbeee .config console log report syz C ci-android-414-kasan-gce-root
2019/01/22 03:48 android-4.14 5a76363f1262 badbbeee .config console log report syz C ci-android-414-kasan-gce-root
2019/01/21 12:47 android-4.14 5a76363f1262 badbbeee .config console log report syz C ci-android-414-kasan-gce-root
2019/01/21 12:32 android-4.14 5a76363f1262 badbbeee .config console log report syz C ci-android-414-kasan-gce-root
2019/01/21 02:34 android-4.14 5a76363f1262 fd37a550 .config console log report syz C ci-android-414-kasan-gce-root
2019/01/20 23:37 android-4.14 5a76363f1262 fd37a550 .config console log report syz C ci-android-414-kasan-gce-root
2019/01/20 22:28 android-4.14 5a76363f1262 fd37a550 .config console log report syz C ci-android-414-kasan-gce-root
2019/01/20 22:08 android-4.14 5a76363f1262 fd37a550 .config console log report syz C ci-android-414-kasan-gce-root
2019/01/19 20:10 android-4.14 5a76363f1262 8aa587b0 .config console log report syz C ci-android-414-kasan-gce-root
2019/01/19 19:53 android-4.14 5a76363f1262 8aa587b0 .config console log report syz C ci-android-414-kasan-gce-root
2019/01/18 17:14 android-4.14 42506d99b820 2103a236 .config console log report syz C ci-android-414-kasan-gce-root
2019/01/17 20:15 android-4.14 42506d99b820 769e75ed .config console log report syz C ci-android-414-kasan-gce-root
2019/01/17 19:55 android-4.14 42506d99b820 769e75ed .config console log report syz C ci-android-414-kasan-gce-root
2019/01/13 05:44 android-4.14 fab7352ca8d1 c3f3344c .config console log report syz C ci-android-414-kasan-gce-root
2019/01/13 02:39 android-4.14 fab7352ca8d1 c3f3344c .config console log report syz C ci-android-414-kasan-gce-root
2019/01/12 21:02 android-4.14 fab7352ca8d1 c3f3344c .config console log report syz C ci-android-414-kasan-gce-root
2019/01/31 19:50 android-4.14 63d1657d00e0 0e8ea0a3 .config console log report syz ci-android-414-kasan-gce-root
2019/02/07 09:27 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/07 07:15 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/07 00:25 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 20:04 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 19:03 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 14:35 android-4.14 ae77ce090bb4 d25487bc .config console log report ci-android-414-kasan-gce-root
2019/02/06 12:23 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 07:19 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 06:09 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 03:58 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/06 01:53 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 22:39 android-4.14 ae77ce090bb4 d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 21:15 android-4.14 71c835d2a50c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 18:49 android-4.14 71c835d2a50c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 16:19 android-4.14 71c835d2a50c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 14:27 android-4.14 71c835d2a50c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 08:58 android-4.14 71c835d2a50c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 05:43 android-4.14 dcc2cc75ff5c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 04:07 android-4.14 dcc2cc75ff5c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 02:08 android-4.14 dcc2cc75ff5c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/05 00:46 android-4.14 dcc2cc75ff5c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/04 21:17 android-4.14 dcc2cc75ff5c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/04 19:40 android-4.14 dcc2cc75ff5c d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/04 18:21 android-4.14 80d7b06534fa d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/04 16:20 android-4.14 80d7b06534fa d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/04 14:44 android-4.14 80d7b06534fa d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/04 13:21 android-4.14 80d7b06534fa d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/04 12:05 android-4.14 80d7b06534fa d672172c .config console log report ci-android-414-kasan-gce-root
2019/02/04 10:52 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/04 09:08 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/04 07:37 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/04 06:30 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/04 02:05 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/03 21:17 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/03 21:00 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/03 19:51 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/03 17:02 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/03 12:36 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/03 11:01 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/03 08:07 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/03 04:55 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/03 02:30 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/02 23:58 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/02 20:53 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/02 18:38 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/02 18:36 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/02 15:49 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/02 13:45 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/02 11:14 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/02 10:08 android-4.14 80d7b06534fa c198d5dd .config console log report ci-android-414-kasan-gce-root
2019/02/02 07:00 android-4.14 80d7b06534fa 564f9a4f .config console log report ci-android-414-kasan-gce-root
2019/02/02 03:37 android-4.14 80d7b06534fa 564f9a4f .config console log report ci-android-414-kasan-gce-root
2019/02/02 00:14 android-4.14 80d7b06534fa 564f9a4f .config console log report ci-android-414-kasan-gce-root
2019/01/09 18:27 android-4.14 2aee898fff5a 45c0c1b1 .config console log report ci-android-414-kasan-gce-root
* Struck through repros no longer work on HEAD.