syzbot


KASAN: use-after-free Read in tipc_nl_node_dump_monitor_peer (2)

Status: fixed on 2020/07/20 08:03
Subsystems: tipc
[Documentation on labels]
Reported-by: syzbot+c96e4dfb32f8987fdeed@syzkaller.appspotmail.com
Fix commit: bf64ff4c2aac genetlink: get rid of family->attrbuf
First crash: 1625d, last: 1609d
Discussions (3)
Title Replies (including bot) Last reply
[PATCH 5.7 000/244] 5.7.10-rc1 review 256 (256) 2020/07/27 17:31
KASAN: use-after-free Read in tipc_nl_node_dump_monitor_peer (2) 2 (4) 2020/06/30 03:57
[Patch net] genetlink: get rid of family->attrbuf 2 (2) 2020/06/30 00:16
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in tipc_nl_node_dump_monitor_peer tipc C done 3 1886d 1886d 15/28 fixed on 2019/12/13 00:31
Last patch testing requests (1)
Created Duration User Patch Repo Result
2020/06/27 03:38 17m xiyou.wangcong@gmail.com https://github.com/congwang/linux.git net OK

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in nla_len include/net/netlink.h:1135 [inline]
BUG: KASAN: use-after-free in nla_parse_nested_deprecated include/net/netlink.h:1218 [inline]
BUG: KASAN: use-after-free in tipc_nl_node_dump_monitor_peer+0x4da/0x590 net/tipc/node.c:2788
Read of size 2 at addr ffff8880a3850814 by task syz-executor767/6869

CPU: 1 PID: 6869 Comm: syz-executor767 Not tainted 5.8.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 nla_len include/net/netlink.h:1135 [inline]
 nla_parse_nested_deprecated include/net/netlink.h:1218 [inline]
 tipc_nl_node_dump_monitor_peer+0x4da/0x590 net/tipc/node.c:2788
 genl_lock_dumpit+0x7f/0xb0 net/netlink/genetlink.c:575
 netlink_dump+0x4cd/0xf60 net/netlink/af_netlink.c:2245
 __netlink_dump_start+0x643/0x900 net/netlink/af_netlink.c:2353
 genl_family_rcv_msg_dumpit+0x2ac/0x310 net/netlink/genetlink.c:638
 genl_family_rcv_msg net/netlink/genetlink.c:733 [inline]
 genl_rcv_msg+0x797/0x9e0 net/netlink/genetlink.c:753
 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2469
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:764
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2352
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2406
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4452b9
Code: Bad RIP value.
RSP: 002b:00007ffd7a70e518 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004452b9
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 0000000000011f82 R08: 0000000000000000 R09: 00000000004002e0
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004023d0
R13: 0000000000402460 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6871:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:494
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0xae/0x550 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1083 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1175 [inline]
 netlink_sendmsg+0x94f/0xd90 net/netlink/af_netlink.c:1893
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2352
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2406
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 6871:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0xf5/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x103/0x2c0 mm/slab.c:3757
 skb_free_head net/core/skbuff.c:590 [inline]
 skb_release_data+0x6d9/0x910 net/core/skbuff.c:610
 skb_release_all net/core/skbuff.c:664 [inline]
 __kfree_skb net/core/skbuff.c:678 [inline]
 consume_skb net/core/skbuff.c:837 [inline]
 consume_skb+0xc2/0x160 net/core/skbuff.c:831
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x53b/0x7d0 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2352
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2406
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8880a3850800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 20 bytes inside of
 512-byte region [ffff8880a3850800, ffff8880a3850a00)
The buggy address belongs to the page:
page:ffffea00028e1400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002899908 ffffea00023c6388 ffff8880aa000a80
raw: 0000000000000000 ffff8880a3850000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a3850700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a3850780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a3850800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff8880a3850880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a3850900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (54):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/07/10 20:10 upstream 42f82040ee66 edf162e8 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/07/09 12:21 upstream 0bddd227f3dc bc238812 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/07/09 10:42 upstream 0bddd227f3dc bc238812 .config console log report syz C ci-upstream-kasan-gce
2020/07/07 15:32 upstream 7cc2a8ea1048 51095195 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/07/06 16:39 upstream 7cc2a8ea1048 51095195 .config console log report syz C ci-upstream-kasan-gce
2020/07/06 15:30 upstream 7cc2a8ea1048 51095195 .config console log report syz C ci-upstream-kasan-gce-root
2020/07/06 15:28 upstream 7cc2a8ea1048 51095195 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/06/27 02:54 upstream 4a21185cda0f aea82c00 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/07/09 12:10 upstream 0bddd227f3dc bc238812 .config console log report syz C ci-upstream-kasan-gce-386
2020/07/06 15:30 upstream 7cc2a8ea1048 51095195 .config console log report syz C ci-upstream-kasan-gce-386
2020/06/27 03:27 upstream 4a21185cda0f aea82c00 .config console log report syz C ci-upstream-kasan-gce-386
2020/06/27 06:27 net-old 4a21185cda0f ffec44b5 .config console log report syz C ci-upstream-net-this-kasan-gce
2020/07/09 10:18 net-next-old e80a07b244dd bc238812 .config console log report syz C ci-upstream-net-kasan-gce
2020/07/06 15:05 net-next-old e44f65fd666c 51095195 .config console log report syz C ci-upstream-net-kasan-gce
2020/06/27 20:15 linux-next 36e3135df4d4 ffec44b5 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/07/12 02:28 upstream a581387e415b 18d18b59 .config console log report ci-upstream-kasan-gce-root
2020/07/11 11:33 upstream a581387e415b 18d18b59 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/10 12:55 upstream 42f82040ee66 edf162e8 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/10 05:13 upstream 0bddd227f3dc bc238812 .config console log report ci-upstream-kasan-gce-root
2020/07/09 08:00 upstream 0bddd227f3dc bc238812 .config console log report ci-upstream-kasan-gce
2020/07/08 13:08 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce
2020/07/05 11:18 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce
2020/07/01 09:24 upstream 9ebcfadb0610 917afeaa .config console log report ci-upstream-kasan-gce-root
2020/06/30 10:53 upstream 4e99b32169e8 a2cdad9d .config console log report ci-upstream-kasan-gce
2020/06/29 23:16 upstream 4e99b32169e8 a2cdad9d .config console log report ci-upstream-kasan-gce-root
2020/06/29 13:42 upstream 4e99b32169e8 a2cdad9d .config console log report ci-upstream-kasan-gce-root
2020/06/28 18:46 upstream 4e99b32169e8 a2cdad9d .config console log report ci-upstream-kasan-gce-selinux-root
2020/06/28 00:45 upstream 1590a2e1c681 ffec44b5 .config console log report ci-upstream-kasan-gce-selinux-root
2020/06/27 02:25 upstream 4a21185cda0f aea82c00 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/09 19:03 upstream 0bddd227f3dc bc238812 .config console log report ci-upstream-kasan-gce-386
2020/07/01 12:21 upstream 7c30b859a947 39acb39d .config console log report ci-upstream-kasan-gce-386
2020/06/30 05:44 upstream 4e99b32169e8 a2cdad9d .config console log report ci-upstream-kasan-gce-386
2020/06/28 07:09 upstream 1590a2e1c681 ffec44b5 .config console log report ci-upstream-kasan-gce-386
2020/06/28 00:19 upstream 1590a2e1c681 ffec44b5 .config console log report ci-upstream-kasan-gce-386
2020/06/26 12:12 upstream 4a21185cda0f aea82c00 .config console log report ci-upstream-kasan-gce-386
2020/06/28 13:24 net-old 0574e2000fc3 ffec44b5 .config console log report ci-upstream-net-this-kasan-gce
2020/07/12 04:04 net-next-old a594920f8747 18d18b59 .config console log report ci-upstream-net-kasan-gce
2020/07/12 01:21 net-next-old a594920f8747 18d18b59 .config console log report ci-upstream-net-kasan-gce
2020/07/11 15:22 net-next-old a594920f8747 18d18b59 .config console log report ci-upstream-net-kasan-gce
2020/07/11 06:39 net-next-old a594920f8747 18d18b59 .config console log report ci-upstream-net-kasan-gce
2020/07/09 23:20 net-next-old e80a07b244dd bc238812 .config console log report ci-upstream-net-kasan-gce
2020/07/08 17:58 net-next-old e44f65fd666c 51095195 .config console log report ci-upstream-net-kasan-gce
2020/07/07 13:41 net-next-old e44f65fd666c 51095195 .config console log report ci-upstream-net-kasan-gce
2020/07/07 03:00 net-next-old e44f65fd666c 51095195 .config console log report ci-upstream-net-kasan-gce
2020/07/06 12:00 net-next-old e44f65fd666c 51095195 .config console log report ci-upstream-net-kasan-gce
2020/07/06 07:20 net-next-old e44f65fd666c 51095195 .config console log report ci-upstream-net-kasan-gce
2020/07/05 18:32 net-next-old e44f65fd666c 51095195 .config console log report ci-upstream-net-kasan-gce
2020/07/04 15:30 net-next-old e44f65fd666c 51095195 .config console log report ci-upstream-net-kasan-gce
2020/07/02 21:03 net-next-old 23212a700773 bed10395 .config console log report ci-upstream-net-kasan-gce
2020/06/30 13:27 net-next-old b08866f42a87 a2cdad9d .config console log report ci-upstream-net-kasan-gce
2020/06/29 06:21 net-next-old b08866f42a87 a2cdad9d .config console log report ci-upstream-net-kasan-gce
2020/06/28 00:43 net-next-old 7bed14551659 ffec44b5 .config console log report ci-upstream-net-kasan-gce
2020/06/27 10:36 net-next-old 7bed14551659 ffec44b5 .config console log report ci-upstream-net-kasan-gce
* Struck through repros no longer work on HEAD.