syzbot


KASAN: stack-out-of-bounds Read in xfrm_state_find

Status: upstream: reported C repro on 2023/01/01 00:40
Bug presence: origin:upstream
Labels: missing-backport
[Documentation on labels]
Reported-by: syzbot+ada7c035554bcee65580@syzkaller.appspotmail.com
First crash: 570d, last: 85d
Cause bisection: failed (error log, bisect log)
  
Fix bisection: failed (error log, bisect log)
  
Discussions (1)
Title Replies (including bot) Last reply
[PATCH] net: Fix invalid ip_route_output_ports() call 12 (12) 2023/03/30 07:56
Bug presence (4)
Date Name Commit Repro Result
2023/06/19 android13-5.15-lts (ToT) 36f4f6fb72d5 C [report] KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
2023/05/05 lts (merge base) d86dfc4d95cd C [report] KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
2023/05/05 upstream (ToT) 418d5c98319f C [report] KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
2023/06/19 upstream (ToT) dbad9ce9397e C Didn't crash
Similar bugs (14)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (3) net C 10353 2370d 2437d 4/27 fixed on 2018/01/31 00:24
android-44 KASAN: stack-out-of-bounds Read in xfrm_state_find C 842 1698d 1930d 0/2 public: reported C repro on 2019/04/12 00:00
android-54 KASAN: stack-out-of-bounds Read in xfrm_state_find C 1 570d 570d 0/2 upstream: reported C repro on 2023/01/01 01:05
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (5) net C done 654 2003d 2305d 13/27 fixed on 2019/11/11 16:48
upstream KMSAN: uninit-value in xfrm_state_find net C error done 215 432d 2231d 22/27 fixed on 2023/07/01 16:05
android-5-10 KASAN: stack-out-of-bounds Read in xfrm_state_find (2) syz error error 1 570d 570d 0/2 auto-obsoleted due to no activity on 2023/05/14 02:28
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find net C 365 2466d 2538d 0/27 closed as invalid on 2017/10/23 16:19
android-5-10 KASAN: stack-out-of-bounds Read in xfrm_state_find 1 989d 989d 0/2 closed as invalid on 2022/02/03 13:56
android-49 KASAN: stack-out-of-bounds Read in xfrm_state_find C 4151 2031d 2542d 0/3 closed as invalid on 2019/01/01 20:10
android-414 KASAN: stack-out-of-bounds Read in xfrm_state_find C 137 2004d 1931d 0/1 public: reported C repro on 2019/04/11 00:00
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (2) net C 93 2448d 2456d 3/27 fixed on 2017/11/18 01:42
android-49 KASAN: stack-out-of-bounds Read in xfrm_state_find (2) C 392 1694d 1931d 0/3 public: reported C repro on 2019/04/11 08:44
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (4) net C 102 2314d 2365d 4/27 fixed on 2018/03/23 18:14
upstream KMSAN: uninit-value in xfrm_state_find (2) net 19 106d 264d 0/27 auto-obsoleted due to no activity on 2024/07/18 11:50
Last patch testing requests (6)
Created Duration User Patch Repo Result
2023/09/14 09:34 10m retest repro android13-5.15-lts report log
2023/06/14 12:20 8m tudor.ambarus@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.4-rc2 report log
2023/06/14 08:41 15m tudor.ambarus@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.4-rc3 OK log
2023/06/14 08:10 15m tudor.ambarus@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.4-rc6 OK log
2023/06/14 07:39 9m tudor.ambarus@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git master report log
2023/01/03 07:53 8m tudor.ambarus@linaro.org upstream report log
Fix bisection attempts (15)
Created Duration User Patch Repo Result
2024/05/30 21:44 6m bisect fix android13-5.15-lts error job log
2024/04/30 07:44 1h07m bisect fix android13-5.15-lts OK (0) job log log
2024/03/29 18:55 2h40m bisect fix android13-5.15-lts OK (0) job log log
2024/02/28 11:00 46m bisect fix android13-5.15-lts OK (0) job log log
2024/01/23 13:37 45m bisect fix android13-5.15-lts OK (0) job log log
2023/12/24 10:49 44m bisect fix android13-5.15-lts OK (0) job log log
2023/11/23 20:52 46m bisect fix android13-5.15-lts OK (0) job log log
2023/10/21 05:26 59m bisect fix android13-5.15-lts OK (0) job log log
2023/09/21 03:12 1h01m bisect fix android13-5.15-lts OK (0) job log log
2023/07/06 03:52 1h13m bisect fix android13-5.15-lts OK (0) job log log
2023/06/03 05:38 16m bisect fix android13-5.15-lts OK (0) job log log
2023/05/04 04:58 39m bisect fix android13-5.15-lts OK (0) job log log
2023/04/03 22:53 18m bisect fix android13-5.15-lts OK (0) job log log
2023/03/04 22:30 22m bisect fix android13-5.15-lts OK (0) job log log
2023/02/02 20:19 19m bisect fix android13-5.15-lts OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2f9a/0x3510 net/xfrm/xfrm_state.c:1092
Read of size 4 at addr ffffc900001d0a38 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.15.78-syzkaller-00911-gc73b4619ad86 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3d0 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0x1a6/0x1f0 mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 jhash2 include/linux/jhash.h:138 [inline]
 __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
 __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
 __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
 xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
 xfrm_state_find+0x2f9a/0x3510 net/xfrm/xfrm_state.c:1092
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2393 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2438 [inline]
 xfrm_resolve_and_create_bundle+0x66d/0x2c80 net/xfrm/xfrm_policy.c:2731
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2966 [inline]
 xfrm_lookup_with_ifid+0xa1c/0x2640 net/xfrm/xfrm_policy.c:3097
 xfrm_lookup net/xfrm/xfrm_policy.c:3194 [inline]
 xfrm_lookup_route+0x3b/0x160 net/xfrm/xfrm_policy.c:3205
 ip_route_output_flow+0x1e7/0x310 net/ipv4/route.c:2889
 ip_route_output_ports include/net/route.h:169 [inline]
 igmpv3_newpack+0x413/0x1080 net/ipv4/igmp.c:369
 add_grhead+0x84/0x320 net/ipv4/igmp.c:440
 add_grec+0x12f8/0x1600 net/ipv4/igmp.c:574
 igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
 igmp_ifc_timer_expire+0x8b0/0xf90 net/ipv4/igmp.c:810
 call_timer_fn+0x35/0x270 kernel/time/timer.c:1427
 expire_timers+0x21b/0x3a0 kernel/time/timer.c:1472
 __run_timers+0x598/0x6f0 kernel/time/timer.c:1743
 run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1756
 __do_softirq+0x27e/0x5dc kernel/softirq.c:565
 invoke_softirq+0xb/0x50 kernel/softirq.c:425
 __irq_exit_rcu+0x4f/0xb0 kernel/softirq.c:647
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:659
 sysvec_apic_timer_interrupt+0x9a/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:40 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:75 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:110 [inline]
RIP: 0010:acpi_idle_do_entry drivers/acpi/processor_idle.c:553 [inline]
RIP: 0010:acpi_idle_enter+0x411/0x6d0 drivers/acpi/processor_idle.c:688
Code: 8b 1b 48 89 de 48 83 e6 08 31 ff e8 19 c2 a8 fc 48 83 e3 08 0f 85 a2 00 00 00 66 90 e8 e8 bc a8 fc 0f 00 2d 11 d5 c5 00 fb f4 <fa> e9 98 00 00 00 49 83 c7 04 4c 89 f8 48 c1 e8 03 42 8a 04 30 84
RSP: 0018:ffffc90000157c70 EFLAGS: 000002d3
RAX: ffffffff84c8e2a8 RBX: 0000000000000000 RCX: ffff888100372780
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000157cb0 R08: ffffffff84c8e297 R09: ffffed102006e4f1
R10: ffffed102006e4f1 R11: 1ffff1102006e4f0 R12: 0000000000000001
R13: ffff888103bbd804 R14: dffffc0000000000 R15: ffff888105db5064
 cpuidle_enter_state+0x5d0/0x14a0 drivers/cpuidle/cpuidle.c:249
 cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:364
 call_cpuidle kernel/sched/idle.c:158 [inline]
 cpuidle_idle_call kernel/sched/idle.c:239 [inline]
 do_idle+0x379/0x5e0 kernel/sched/idle.c:306
 cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:403
 start_secondary+0xde/0xf0 arch/x86/kernel/smpboot.c:270
 secondary_startup_64_no_verify+0xb1/0xbb
 </TASK>


Memory state around the buggy address:
 ffffc900001d0900: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900001d0980: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>ffffc900001d0a00: 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
                                        ^
 ffffc900001d0a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900001d0b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	8b 1b                	mov    (%rbx),%ebx
   2:	48 89 de             	mov    %rbx,%rsi
   5:	48 83 e6 08          	and    $0x8,%rsi
   9:	31 ff                	xor    %edi,%edi
   b:	e8 19 c2 a8 fc       	callq  0xfca8c229
  10:	48 83 e3 08          	and    $0x8,%rbx
  14:	0f 85 a2 00 00 00    	jne    0xbc
  1a:	66 90                	xchg   %ax,%ax
  1c:	e8 e8 bc a8 fc       	callq  0xfca8bd09
  21:	0f 00 2d 11 d5 c5 00 	verw   0xc5d511(%rip)        # 0xc5d539
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	fa                   	cli <-- trapping instruction
  2b:	e9 98 00 00 00       	jmpq   0xc8
  30:	49 83 c7 04          	add    $0x4,%r15
  34:	4c 89 f8             	mov    %r15,%rax
  37:	48 c1 e8 03          	shr    $0x3,%rax
  3b:	42 8a 04 30          	mov    (%rax,%r14,1),%al
  3f:	84                   	.byte 0x84

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/01/01 00:34 android13-5.15-lts c73b4619ad86 ab32d508 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: stack-out-of-bounds Read in xfrm_state_find
2023/01/01 00:09 android13-5.15-lts c73b4619ad86 ab32d508 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: stack-out-of-bounds Read in xfrm_state_find
* Struck through repros no longer work on HEAD.