syzbot

 sign-in | mailing list | source | docs
🐞 Open [196]
🐞 Fixed [42]
🐞 Invalid [470]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in ip6t_do_table

Status: public: reported C repro on 2019/10/12 03:56
Reported-by: syzbot+b37bf8c6f9f9a98f8a4f@syzkaller.appspotmail.com
First crash: 1867d, last: 1822d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-44 KASAN: use-after-free Read in ip6t_do_table C 22 1826d 1955d 0/2 public: reported C repro on 2019/07/16 00:29

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ifname_compare_aligned include/linux/netfilter/x_tables.h:369 [inline]
BUG: KASAN: use-after-free in ip6_packet_match net/ipv6/netfilter/ip6_tables.c:89 [inline]
BUG: KASAN: use-after-free in ip6t_do_table+0x1545/0x1860 net/ipv6/netfilter/ip6_tables.c:333
Read of size 8 at addr ffff8801c55b4000 by task syz-executor767/12939

CPU: 0 PID: 12939 Comm: syz-executor767 Not tainted 4.9.194+ #0
 ffff8801cdeef058 ffffffff81b67001 0000000000000000 ffffea0007156d00
 ffff8801c55b4000 0000000000000008 ffffffff82795bb5 ffff8801cdeef090
 ffffffff8150c4f1 0000000000000000 ffff8801c55b4000 ffff8801c55b4000
Call Trace:
 [<00000000f2e5b72f>] __dump_stack lib/dump_stack.c:15 [inline]
 [<00000000f2e5b72f>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<00000000970048f1>] print_address_description+0x6f/0x23a mm/kasan/report.c:256
 [<00000000f26e3890>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<00000000f26e3890>] kasan_report mm/kasan/report.c:413 [inline]
 [<00000000f26e3890>] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:397
 [<00000000ebdfaa76>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:434
 [<00000000e049409b>] ifname_compare_aligned include/linux/netfilter/x_tables.h:369 [inline]
 [<00000000e049409b>] ip6_packet_match net/ipv6/netfilter/ip6_tables.c:89 [inline]
 [<00000000e049409b>] ip6t_do_table+0x1545/0x1860 net/ipv6/netfilter/ip6_tables.c:333
 [<00000000a05f4379>] ip6t_mangle_out net/ipv6/netfilter/ip6table_mangle.c:63 [inline]
 [<00000000a05f4379>] ip6table_mangle_hook+0x2dc/0x6d0 net/ipv6/netfilter/ip6table_mangle.c:85
 [<00000000f3f0f236>] nf_iterate+0x12e/0x310 net/netfilter/core.c:324
 [<00000000e410a366>] nf_hook_slow+0x114/0x1f0 net/netfilter/core.c:355
 [<0000000095e7aeca>] nf_hook_thresh include/linux/netfilter.h:191 [inline]
 [<0000000095e7aeca>] nf_hook include/linux/netfilter.h:203 [inline]
 [<0000000095e7aeca>] __ip6_local_out+0x498/0x630 net/ipv6/output_core.c:166
 [<000000001c35d7ac>] ip6_local_out+0x29/0x180 net/ipv6/output_core.c:176
 [<000000000bb7c638>] ip6_send_skb+0xa2/0x340 net/ipv6/ip6_output.c:1753
 [<000000007308b9d0>] udp_v6_send_skb+0x438/0xe90 net/ipv6/udp.c:974
 [<000000004e5dfeb8>] udp_v6_push_pending_frames+0x245/0x360 net/ipv6/udp.c:1007
 [<0000000051e4d6b2>] udpv6_sendmsg+0x19b0/0x2430 net/ipv6/udp.c:1273
 [<00000000d568c061>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:766
 [<00000000dbb9d027>] sock_sendmsg_nosec net/socket.c:649 [inline]
 [<00000000dbb9d027>] sock_sendmsg+0xbe/0x110 net/socket.c:659
 [<0000000041ae27c7>] ___sys_sendmsg+0x387/0x8b0 net/socket.c:1983
 [<000000005803d8e7>] __sys_sendmmsg+0x164/0x3d0 net/socket.c:2073
 [<0000000059eb1f4b>] SYSC_sendmmsg net/socket.c:2104 [inline]
 [<0000000059eb1f4b>] SyS_sendmmsg+0x35/0x60 net/socket.c:2099
 [<00000000578f7694>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<000000007bba6546>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the page:
page:ffffea0007156d00 count:0 mapcount:-127 mapping:          (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c55b3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c55b3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801c55b4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8801c55b4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c55b4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (18):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/10/14 02:43 https://android.googlesource.com/kernel/common android-4.9 7fe05eede1c8 2f661ec4 .config console log report syz C ci-android-49-kasan-gce-root
2019/11/22 06:55 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 8098ea0f .config console log report syz C ci-android-49-kasan-gce-386
2019/10/30 16:41 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 5ea87a66 .config console log report syz C ci-android-49-kasan-gce-386
2019/11/22 03:10 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 8098ea0f .config console log report syz ci-android-49-kasan-gce
2019/10/30 17:06 https://android.googlesource.com/kernel/common android-4.9 7fe05eede1c8 5ea87a66 .config console log report syz ci-android-49-kasan-gce-root
2019/11/26 11:36 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 f746151a .config console log report ci-android-49-kasan-gce
2019/11/24 18:25 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 598ca6c8 .config console log report ci-android-49-kasan-gce
2019/11/23 21:13 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 598ca6c8 .config console log report ci-android-49-kasan-gce
2019/11/20 18:35 android-4.9 258971b8e1ac f4b7ed07 .config console log report ci-android-49-kasan-gce-root
2019/10/30 03:23 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 5ea87a66 .config console log report ci-android-49-kasan-gce
2019/10/30 02:23 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 5ea87a66 .config console log report ci-android-49-kasan-gce
2019/10/29 17:40 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 5ea87a66 .config console log report ci-android-49-kasan-gce
2019/10/26 23:54 https://android.googlesource.com/kernel/common android-4.9 7fe05eede1c8 25bb509e .config console log report ci-android-49-kasan-gce-root
2019/10/17 03:53 https://android.googlesource.com/kernel/common android-4.9 7fe05eede1c8 8c88c9c1 .config console log report ci-android-49-kasan-gce-root
2019/10/12 02:55 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 426631dd .config console log report ci-android-49-kasan-gce
2019/11/18 21:36 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 1daed50a .config console log report ci-android-49-kasan-gce-386
2019/11/01 07:55 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 a41ca8fa .config console log report ci-android-49-kasan-gce-386
2019/11/01 01:30 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 a41ca8fa .config console log report ci-android-49-kasan-gce-386
* Struck through repros no longer work on HEAD.