

panic: sbdrop

Status: fixed on 2020/08/05 06:16
Reported-by: syzbot+b6a3447070ae8ffcb125@syzkaller.appspotmail.com
Fix commit: efa3c3dd644f Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does. Fixes a bunch of panics reported by syzkaller.
First crash: 1653 days ago, last: 1353 days ago

Sample crash report:
panic: sbdrop
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
* 32567  25525      0     0x14000      0x200    0  softnet
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff8220e8ba) at panic+0x15c sys/kern/subr_prf.c:207
sbdrop(fffffd806eb7b968,fffffd806eb7ba60,54) at sbdrop+0x3c6 sys/kern/uipc_socket2.c:950
tcp_input(ffff800020a49ca8,ffff800020a49cb4,6,2) at tcp_input+0x3d73 sys/netinet/tcp_input.c:1725
ip_deliver(ffff800020a49ca8,ffff800020a49cb4,6,2) at ip_deliver+0x353 sys/netinet/ip_input.c:668
ip_ours(ffff800020a49ca8,ffff800020a49cb4,8b,0) at ip_ours+0x412
ip_input_if(ffff800020a49ca8,ffff800020a49cb4,4,0,ffff80000017b2a8) at ip_input_if+0x6ce
ipv4_input(ffff80000017b2a8,fffffd806f2f1c00) at ipv4_input+0x48 sys/netinet/ip_input.c:215
ether_input(ffff80000017b2a8,fffffd806f2f1c00,0) at ether_input+0x345 sys/net/if_ethersubr.c:461
if_input_process(ffff80000017b2a8,ffff800020a49dd8) at if_input_process+0xfb if_ih_input sys/net/if.c:909 [inline]
if_input_process(ffff80000017b2a8,ffff800020a49dd8) at if_input_process+0xfb sys/net/if.c:943
ifiq_process(ffff80000017b6a0) at ifiq_process+0x80 sys/net/ifq.c:646
taskq_thread(ffff80000002b080) at taskq_thread+0x9c sys/kern/kern_task.c:369
end trace frame: 0x0, count: 3
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{0}> 
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
sbdrop
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff8220e8ba) at panic+0x15c sys/kern/subr_prf.c:207
sbdrop(fffffd806eb7b968,fffffd806eb7ba60,54) at sbdrop+0x3c6 sys/kern/uipc_socket2.c:950
tcp_input(ffff800020a49ca8,ffff800020a49cb4,6,2) at tcp_input+0x3d73 sys/netinet/tcp_input.c:1725
ip_deliver(ffff800020a49ca8,ffff800020a49cb4,6,2) at ip_deliver+0x353 sys/netinet/ip_input.c:668
ip_ours(ffff800020a49ca8,ffff800020a49cb4,8b,0) at ip_ours+0x412
ip_input_if(ffff800020a49ca8,ffff800020a49cb4,4,0,ffff80000017b2a8) at ip_input_if+0x6ce
ipv4_input(ffff80000017b2a8,fffffd806f2f1c00) at ipv4_input+0x48 sys/netinet/ip_input.c:215
ether_input(ffff80000017b2a8,fffffd806f2f1c00,0) at ether_input+0x345 sys/net/if_ethersubr.c:461
if_input_process(ffff80000017b2a8,ffff800020a49dd8) at if_input_process+0xfb if_ih_input sys/net/if.c:909 [inline]
if_input_process(ffff80000017b2a8,ffff800020a49dd8) at if_input_process+0xfb sys/net/if.c:943
ifiq_process(ffff80000017b6a0) at ifiq_process+0x80 sys/net/ifq.c:646
taskq_thread(ffff80000002b080) at taskq_thread+0x9c sys/kern/kern_task.c:369
end trace frame: 0x0, count: -12
ddb{0}> show registers
rdi                                0
rsi                              0x1
rbp               0xffff800020a49830
rbx               0xffff800020a498e0
rdx                             0x8b
rcx                              0x2
rax                              0x1
r8                0xffffffff8164a22f    kprintf+0x16f
r9                               0x1
r10               0x675e029446f9bb88
r11               0x33ad3585d97afecd
r12                     0x3000000008
r13               0xffff800020a49840
r14                            0x100
r15                              0x1
rip               0xffffffff81030db8    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff800020a49820
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{0}> show proc
PROC (softnet) pid=32567 stat=onproc
    flags process=14000<NOZOMBIE,SYSTEM> proc=200<SYSTEM>
    pri=32, usrpri=50, nice=20
    forw=0xffffffffffffffff, list=0xffff800020a284e0,0xffff800020a28280
    process=0xffff800020a2a000 user=0xffff800020a44000, vmspace=0xffffffff82639c28
    estcpu=0, cpticks=0, pctcpu=0.0
    user=0, sys=0, intr=0
ddb{0}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 41559  182627  19087      0  3        0x82  nanosleep     syz-executor.0
 19087    7529  71358      0  3        0x82  thrsleep      syz-execprog
 19087  503350  71358      0  3   0x4000082  nanosleep     syz-execprog
 19087  191251  71358      0  3   0x4000082  thrsleep      syz-execprog
 19087   19845  71358      0  3   0x4000082  thrsleep      syz-execprog
 19087  268681  71358      0  3   0x4000082  kqread        syz-execprog
 19087  156361  71358      0  3   0x4000082  thrsleep      syz-execprog
 19087  237300  71358      0  3   0x4000082  thrsleep      syz-execprog
 19087  327756  71358      0  3   0x4000082  nanosleep     syz-execprog
 19087  292175  71358      0  3   0x4000082  thrsleep      syz-execprog
 71358  513810  83847      0  3    0x10008a  pause         ksh
 83847  341905   4590      0  3        0x92  select        sshd
 30733  342262      1      0  3    0x100083  ttyin         getty
  4590   54783      1      0  3        0x80  select        sshd
 35653  312849  53160     74  3    0x100092  bpf           pflogd
 53160   43569      1      0  3        0x80  netio         pflogd
   126  210653  67115     73  3    0x100090  kqread        syslogd
 67115  228114      1      0  3    0x100082  netio         syslogd
 33804    9144      1     77  3    0x100090  poll          dhclient
 98840   17027      1      0  3        0x80  poll          dhclient
 70765  412286      0      0  3     0x14200  bored         smr
 50082  461378      0      0  3     0x14200  pgzero        zerothread
 16814  420407      0      0  3     0x14200  aiodoned      aiodoned
 30627  433218      0      0  3     0x14200  syncer        update
 89464   37713      0      0  3     0x14200  cleaner       cleaner
 77005   90243      0      0  3     0x14200  reaper        reaper
 17783  364880      0      0  3     0x14200  pgdaemon      pagedaemon
 29773  523456      0      0  3     0x14200  bored         crynlk
  3410  115791      0      0  3     0x14200  bored         crypto
 77645  199860      0      0  3  0x40014200  acpi0         acpi0
 74547   23530      0      0  7  0x40014200                idle1
*25525   32567      0      0  7     0x14200                softnet
 29925   68248      0      0  3     0x14200  bored         systqmp
 26449  234261      0      0  3     0x14200  bored         systq
  2540  458798      0      0  3  0x40014200  bored         softclock
 74522  130537      0      0  3  0x40014200                idle0
     1  450701      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{0}> show all locks
Process 25525 (softnet) thread 0xffff800020a28000 (32567)
shared rwlock netlock r = 0 (0xffffffff8249c838)
#0  witness_lock+0x52e sys/kern/subr_witness.c:1164
#1  if_input_process+0x84 sys/net/if.c:941
#2  ifiq_process+0x80 sys/net/ifq.c:646
#3  taskq_thread+0x9c sys/kern/kern_task.c:369
#4  proc_trampoline+0x1c
shared rwlock softnet r = 0 (0xffff80000002b0e0)
#0  witness_lock+0x52e sys/kern/subr_witness.c:1164
#1  taskq_thread+0x8f sys/kern/kern_task.c:368
#2  proc_trampoline+0x1c
ddb{0}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf  9466   6395K    6395K  78643K     10557        0
            pcb    13      8K       8K  78643K        13        0
         rtable    83      2K       2K  78643K       163        0
         ifaddr    37      9K       9K  78643K       284        0
       counters    41     33K      33K  78643K        41        0
       ioctlops     0      0K       4K  78643K      1468        0
          mount     1      1K       1K  78643K         1        0
         vnodes  1183     74K      75K  78643K      1188        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       1K  78643K         2        0
         VM map     2      1K       1K  78643K         2        0
            sem     2      0K       0K  78643K         2        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1809    196K     290K  78643K     12766        0
      file desc     2      4K      12K  78643K       263        0
           proc    59     63K      83K  78643K       398        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
       in_multi    22      1K       1K  78643K        22        0
    ether_multi     1      0K       0K  78643K         1        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys    19     95K      95K  78643K        19        0
           exec     0      0K       1K  78643K       197        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     7     26K      26K  78643K         7        0
       UVM amap    78     12K      12K  78643K      1202        0
       UVM aobj     2      2K       2K  78643K         2        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
            NDP     5      0K       0K  78643K         7        0
           temp    29   3009K    3073K  78643K      2401        0
         kqueue     3      4K       4K  78643K         3        0
      SYN cache     2     16K      16K  78643K         2        0
ddb{0}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64        4    0        0     1     0     1     1     0     8    0
plcache    128       20    0        0     1     0     1     1     0     8    0
rtpcb       80       17    0       15     1     0     1     1     0     8    0
rtentry    112       34    0        1     1     0     1     1     0     8    0
unpcb      120       29    0       19     1     0     1     1     0     8    0
syncache   264        5    0        5     2     2     0     1     0     8    0
tcpqe       32       10    0       10     1     1     0     1     0     8    0
tcpcb      544        8    0        5     1     0     1     1     0     8    0
inpcb      280      279    0      273     1     0     1     1     0     8    0
nd6         48        3    0        0     1     0     1     1     0     8    0
pfosfp      40      846    0      423     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfstitem    24       10    0        0     1     0     1     1     0     8    0
pfstkey    112       10    0        0     1     0     1     1     0     8    0
pfstate    328       10    0        0     1     0     1     1     0     8    0
pfrule     1360      21    0       16     2     1     1     2     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      145    0        0    10     0    10    10     0     8    0
art_table   32      146    0        0     2     0     2     2     0     8    0
art_node    16       33    0        3     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino1pl    128     1668    0      265    46     0    46    46     0     8    0
ffsino     272     1668    0      265    94     0    94    94     0     8    0
nchpl      144     2139    0      529    60     0    60    60     0     8    0
uvmvnodes   72     1678    0        0    31     0    31    31     0     8    0
vnodes     208     1678    0        0    89     0    89    89     0     8    0
namei      1024    5105    0     5105     1     0     1     1     0     8    1
percpumem   16       31    0        0     1     0     1     1     0     8    0
scxspl     192     6141    0     6141     8     1     7     7     0     8    7
plimitpl   152       15    0        8     1     0     1     1     0     8    0
sigapl     424      486    0      457     4     0     4     4     0     8    0
knotepl    112       39    0       28     1     0     1     1     0     8    0
kqueuepl   144        2    0        0     1     0     1     1     0     8    0
pipelkpl    48       74    0       67     2     1     1     1     0     8    0
pipepl     120      148    0      135     2     1     1     1     0     8  

Crashes (183):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/03/02 15:49 openbsd 23a32f86e8aa 4a4e0509 .config console log report syz ci-openbsd-multicore
2020/02/25 20:23 openbsd 96fd820db6d5 4c886d6a .config console log report syz ci-openbsd-multicore
2020/01/31 04:52 openbsd 11cb4e50e9ae 5ed23f9a .config console log report syz ci-openbsd-multicore
2020/01/04 20:39 openbsd 8761fbd57358 68256974 .config console log report syz ci-openbsd-multicore
2019/12/22 21:22 openbsd 3367dcf595ba 8b967267 .config console log report syz ci-openbsd-multicore
2020/08/03 04:00 openbsd 84e8f3e59749 63a73341 .config console log report ci-openbsd-main
2020/08/01 01:42 openbsd d7a9fa610752 d895b3be .config console log report ci-openbsd-multicore
2020/07/30 00:07 openbsd 25f2901d1c23 233283a1 .config console log report ci-openbsd-multicore
2020/07/11 17:12 openbsd b1f788244d72 7ba05d2d .config console log report ci-openbsd-main
2020/07/11 14:10 openbsd b1f788244d72 7ba05d2d .config console log report ci-openbsd-main
2020/07/07 19:52 openbsd 448c5a95e201 f7b01f08 .config console log report ci-openbsd-main
2020/07/03 17:36 openbsd e62bf3fe2c47 bed10395 .config console log report ci-openbsd-main
2020/06/27 11:32 openbsd a72c50bce973 ffec44b5 .config console log report ci-openbsd-multicore
2020/06/24 17:58 openbsd e9c5ed46e587 41694dbf .config console log report ci-openbsd-multicore
2020/06/22 03:59 openbsd 45dd89a788b7 eabcced4 .config console log report ci-openbsd-main
2020/06/18 23:29 openbsd e8105163f17b 3ea11d3f .config console log report ci-openbsd-main
2020/06/17 13:30 openbsd d3ae5f180d22 b6c46f43 .config console log report ci-openbsd-main
2020/06/12 19:54 openbsd 50f19d1942a4 d1c1c849 .config console log report ci-openbsd-main
2020/06/08 15:08 openbsd c349dbc7938c 7604bb03 .config console log report ci-openbsd-main
2020/06/08 10:15 openbsd 957dfd9fbe6a 7751efd0 .config console log report ci-openbsd-main
2020/06/06 19:07 openbsd d3d7dc897d09 e6b89e4e .config console log report ci-openbsd-main
2020/06/06 08:32 openbsd b0e77709c0dd c3e9afb3 .config console log report ci-openbsd-multicore
2020/06/04 18:29 openbsd 4f408d0e7207 6720fdef .config console log report ci-openbsd-main
2020/06/02 05:01 openbsd 0cd4ba86ab5d a0331e89 .config console log report ci-openbsd-main
2020/06/02 00:04 openbsd 235b1081ef99 a0331e89 .config console log report ci-openbsd-multicore
2020/06/01 11:00 openbsd 33ca237a0cbf a0331e89 .config console log report ci-openbsd-multicore
2020/06/01 06:23 openbsd 33ca237a0cbf a0331e89 .config console log report ci-openbsd-multicore
2020/05/31 00:31 openbsd 2ffcc9827297 6f3e1c7c .config console log report ci-openbsd-main
2020/05/27 23:18 openbsd 4d5cbc65b3f2 fdf90f62 .config console log report ci-openbsd-main
2020/05/25 19:21 openbsd 7454d7ca9035 73964a9b .config console log report ci-openbsd-main
2020/05/24 18:28 openbsd 12bad2091a27 ce7ca010 .config console log report ci-openbsd-multicore
2020/05/24 04:11 openbsd 0e6fb2a1b110 96c92ad3 .config console log report ci-openbsd-main
2020/05/23 09:32 openbsd d957eea850e2 9682898d .config console log report ci-openbsd-main
2020/05/23 05:26 openbsd d957eea850e2 9682898d .config console log report ci-openbsd-main
2020/05/22 03:24 openbsd abbe6f26473c 5afa2ddd .config console log report ci-openbsd-main
2020/05/21 22:07 openbsd 2061a77758dc 1f30020f .config console log report ci-openbsd-main
2020/05/20 22:40 openbsd de9f819d5d1b 1255f02a .config console log report ci-openbsd-main
2020/05/19 20:27 openbsd 9289be61e36b 6d882fd2 .config console log report ci-openbsd-main
2020/05/19 18:33 openbsd 9289be61e36b 6d882fd2 .config console log report ci-openbsd-main
2020/05/18 01:42 openbsd 557f50bebc15 37bccd4e .config console log report ci-openbsd-main
2020/05/17 09:04 openbsd 487c6a4bcac2 37bccd4e .config console log report ci-openbsd-main
2020/05/16 03:44 openbsd e3568ce26f9d 37bccd4e .config console log report ci-openbsd-multicore
2020/05/15 22:30 openbsd 435df7980549 d7f9fffa .config console log report ci-openbsd-main
2020/05/13 06:31 openbsd 4a72491bea18 a44eb8f7 .config console log report ci-openbsd-main
2020/05/10 19:51 openbsd a78f83ce721c 8742a2b9 .config console log report ci-openbsd-multicore
2020/05/09 17:44 openbsd 7752f9fda662 88cb3e92 .config console log report ci-openbsd-multicore
2020/05/09 15:05 openbsd 7752f9fda662 88cb3e92 .config console log report ci-openbsd-main
2020/05/08 09:38 openbsd 30e1cf84d14e 6c70a1c2 .config console log report ci-openbsd-main
2020/05/08 08:13 openbsd 30e1cf84d14e 6c70a1c2 .config console log report ci-openbsd-main
2019/10/09 00:07 openbsd 70f1de17401b b1ebbfef .config console log report ci-openbsd-main
* Struck through repros no longer work on HEAD.