syzbot


KASAN: stack-out-of-bounds Read in timerqueue_add

Status: fixed on 2018/08/07 13:43
Subsystems: kernel
Reported-by: syzbot+b680e42077a0d7c9a0c4@syzkaller.appspotmail.com
Fix commit: 99ba2b5aba24 bpf: sockhash, disallow bpf_tcp_close and update in parallel
First crash: 2350d, last: 2334d
Duplicate bugs (13)
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
KASAN: stack-out-of-bounds Read in __hrtimer_run_queues kernel 2 2348d 2350d 0/28 closed as dup on 2018/07/05 16:20
KASAN: stack-out-of-bounds Read in __neigh_create net C 1 2350d 2349d 0/28 closed as dup on 2018/07/05 16:18
KASAN: stack-out-of-bounds Read in vmalloc_fault bridge netfilter C 1 2348d 2348d 0/28 closed as dup on 2018/07/07 07:00
KASAN: use-after-scope Read in __hrtimer_run_queues kernel C 2 2347d 2350d 0/28 closed as dup on 2018/07/05 16:20
KASAN: stack-out-of-bounds Read in move_expired_inodes fs C 1 2350d 2349d 0/28 closed as dup on 2018/07/05 16:19
KASAN: stack-out-of-bounds Read in switch_mm_irqs_off kernel 3 2333d 2350d 0/28 closed as dup on 2018/07/05 16:21
WARNING in handle_irq (2) kernel C 29 2333d 2350d 0/28 closed as dup on 2018/07/05 16:21
KASAN: stack-out-of-bounds Read in __netif_receive_skb_core net virt C 1 2350d 2349d 0/28 closed as dup on 2018/07/05 16:18
KASAN: stack-out-of-bounds Read in update_cfs_group kernel 1 2350d 2350d 0/28 closed as dup on 2018/07/05 16:21
general protection fault in smap_list_map_remove bpf C 9 2334d 2349d 0/28 closed as dup on 2018/07/05 16:17
KASAN: stack-out-of-bounds Read in rb_erase (3) kernel C 2 2343d 2347d 0/28 closed as dup on 2018/07/07 16:47
KASAN: stack-out-of-bounds Read in __run_timers kernel C 1 2350d 2349d 0/28 closed as dup on 2018/07/05 16:19
KASAN: slab-out-of-bounds Read in shrink_slab mm 84 2338d 2347d 0/28 closed as dup on 2018/07/07 16:48
Discussions (3)
Title Replies (including bot) Last reply
[bpf PATCH v2 0/4] sockhash/sockmap fixes 6 (6) 2018/07/07 22:24
[bpf PATCH 0/4] sockhash/sockmap fixes 6 (6) 2018/07/05 15:48
KASAN: stack-out-of-bounds Read in timerqueue_add 2 (3) 2018/07/04 16:59
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: stack-out-of-bounds Read in timerqueue_add (2) kernel C 4 2160d 2166d 0/28 closed as dup on 2019/01/04 16:39

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: stack-out-of-bounds in timerqueue_add+0x249/0x2b0 lib/timerqueue.c:52
Read of size 8 at addr ffff8801af537cf8 by task syz-executor591/7178

CPU: 0 PID: 7178 Comm: syz-executor591 Not tainted 4.18.0-rc3+ #130
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 timerqueue_add+0x249/0x2b0 lib/timerqueue.c:52
 enqueue_hrtimer+0x18e/0x540 kernel/time/hrtimer.c:960
 __run_hrtimer kernel/time/hrtimer.c:1413 [inline]
 __hrtimer_run_queues+0xc07/0x10c0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x165/0x730 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
 </IRQ>

The buggy address belongs to the page:
page:ffffea0006bd4dc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 ffffffff06bd0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801af537b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801af537c00: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2
>ffff8801af537c80: 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2
                                                                ^
 ffff8801af537d00: f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00
 ffff8801af537d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/07/04 14:56 upstream fc36def997cf 317fc8ea .config console log report syz C ci-upstream-kasan-gce-root
2018/07/20 18:20 net-next-old a3eed83a1895 49f35839 .config console log report syz C ci-upstream-net-kasan-gce
2018/07/06 07:06 bpf-next 6fcf9b1d4d6c d3b2a0e2 .config console log report ci-upstream-bpf-next-kasan-gce
2018/07/05 18:23 bpf-next 6fcf9b1d4d6c d3b2a0e2 .config console log report ci-upstream-bpf-next-kasan-gce