syzbot |
sign-in | mailing list | source | docs |
| Kernel | Title | Rank 🛈 | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: use-after-free Read in ip_cmsg_recv_offset net | 19 | C | 9 | 2633d | 2636d | 11/29 | fixed on 2018/10/11 14:33 | ||
| android-414 | KASAN: use-after-free Read in ip_cmsg_recv_offset | 19 | C | 11 | 2618d | 2441d | 0/1 | public: reported C repro on 2019/04/12 00:00 |
raw_sendmsg: syz-executor859 forgot to set AF_INET. Fix it! ================================================================== BUG: KASAN: use-after-free in ip_cmsg_recv_dstaddr net/ipv4/ip_sockglue.c:152 [inline] BUG: KASAN: use-after-free in ip_cmsg_recv_offset+0xc59/0xdd0 net/ipv4/ip_sockglue.c:215 Read of size 4 at addr ffff8801d2557420 by task syz-executor859/2056 CPU: 1 PID: 2056 Comm: syz-executor859 Not tainted 4.9.129+ #45 ffff8801ce8875a8 ffffffff81b36939 ffffea0007495580 ffff8801d2557420 0000000000000000 ffff8801d2557420 ffff8801d2590a24 ffff8801ce8875e0 ffffffff8150072d ffff8801d2557420 0000000000000004 0000000000000000 Call Trace: [<ffffffff81b36939>] __dump_stack lib/dump_stack.c:15 [inline] [<ffffffff81b36939>] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [<ffffffff8150072d>] print_address_description+0x6c/0x234 mm/kasan/report.c:256 [<ffffffff81500b37>] kasan_report_error mm/kasan/report.c:355 [inline] [<ffffffff81500b37>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412 [<ffffffff814f2d24>] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432 [<ffffffff824a95c9>] ip_cmsg_recv_dstaddr net/ipv4/ip_sockglue.c:152 [inline] [<ffffffff824a95c9>] ip_cmsg_recv_offset+0xc59/0xdd0 net/ipv4/ip_sockglue.c:215 [<ffffffff82549117>] ip_cmsg_recv include/net/ip.h:612 [inline] [<ffffffff82549117>] raw_recvmsg+0x577/0x660 net/ipv4/raw.c:769 [<ffffffff825824ee>] inet_recvmsg+0x23e/0x4c0 net/ipv4/af_inet.c:801 [<ffffffff8228ddd6>] sock_recvmsg_nosec net/socket.c:750 [inline] [<ffffffff8228ddd6>] sock_recvmsg+0xc6/0x110 net/socket.c:757 [<ffffffff8228e06a>] sock_read_iter+0x24a/0x360 net/socket.c:834 [<ffffffff815073a8>] do_iter_readv_writev+0x2f8/0x4b0 fs/read_write.c:693 [<ffffffff8150af9a>] do_readv_writev+0x2fa/0x7b0 fs/read_write.c:871 [<ffffffff8150b4d4>] vfs_readv+0x84/0xc0 fs/read_write.c:897 [<ffffffff8150b5f6>] do_readv+0xe6/0x260 fs/read_write.c:923 [<ffffffff8150ee57>] SYSC_readv fs/read_write.c:1010 [inline] [<ffffffff8150ee57>] SyS_readv+0x27/0x30 fs/read_write.c:1007 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285 [<ffffffff82802d13>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb Allocated by task 2056: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack mm/kasan/kasan.c:505 [inline] set_track mm/kasan/kasan.c:517 [inline] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] __kmalloc_track_caller+0xf0/0x2d0 mm/slub.c:4232 __kmalloc_reserve.isra.5+0x33/0xc0 net/core/skbuff.c:138 __alloc_skb+0x11a/0x5b0 net/core/skbuff.c:231 alloc_skb include/linux/skbuff.h:919 [inline] sock_wmalloc+0x9e/0xe0 net/core/sock.c:1772 __ip_append_data.isra.2+0x20e7/0x2930 net/ipv4/ip_output.c:1039 ip_append_data.part.4+0xe4/0x150 net/ipv4/ip_output.c:1231 ip_append_data+0x68/0x80 net/ipv4/ip_output.c:1220 raw_sendmsg+0xb74/0x2480 net/ipv4/raw.c:652 inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:648 [inline] sock_sendmsg+0xbb/0x110 net/socket.c:658 SYSC_sendto net/socket.c:1683 [inline] SyS_sendto+0x220/0x370 net/socket.c:1651 do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285 entry_SYSCALL_64_after_swapgs+0x5d/0xdb Freed by task 2056: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack mm/kasan/kasan.c:505 [inline] set_track mm/kasan/kasan.c:517 [inline] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xfb/0x310 mm/slub.c:3878 skb_free_head+0x8b/0xb0 net/core/skbuff.c:580 pskb_expand_head+0x457/0x8a0 net/core/skbuff.c:1246 __pskb_pull_tail+0xc7/0x1240 net/core/skbuff.c:1615 pskb_may_pull include/linux/skbuff.h:1966 [inline] ip_cmsg_recv_dstaddr net/ipv4/ip_sockglue.c:142 [inline] ip_cmsg_recv_offset+0xbb0/0xdd0 net/ipv4/ip_sockglue.c:215 ip_cmsg_recv include/net/ip.h:612 [inline] raw_recvmsg+0x577/0x660 net/ipv4/raw.c:769 inet_recvmsg+0x23e/0x4c0 net/ipv4/af_inet.c:801 sock_recvmsg_nosec net/socket.c:750 [inline] sock_recvmsg+0xc6/0x110 net/socket.c:757 sock_read_iter+0x24a/0x360 net/socket.c:834 do_iter_readv_writev+0x2f8/0x4b0 fs/read_write.c:693 do_readv_writev+0x2fa/0x7b0 fs/read_write.c:871 vfs_readv+0x84/0xc0 fs/read_write.c:897 do_readv+0xe6/0x260 fs/read_write.c:923 SYSC_readv fs/read_write.c:1010 [inline] SyS_readv+0x27/0x30 fs/read_write.c:1007 do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285 entry_SYSCALL_64_after_swapgs+0x5d/0xdb The buggy address belongs to the object at ffff8801d2557400 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 32 bytes inside of 512-byte region [ffff8801d2557400, ffff8801d2557600) The buggy address belongs to the page: page:ffffea0007495580 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0x4000000000004080(slab|head) page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801d2557300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d2557380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801d2557400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801d2557480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d2557500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2018/09/29 11:00 | https://android.googlesource.com/kernel/common android-4.9 | 4fc79c48d27f | 41e4b329 | .config | console log | report | syz | C | ci-android-49-kasan-gce-root | |||
| 2018/10/11 04:57 | https://android.googlesource.com/kernel/common android-4.9 | 38f2b4a8c277 | 5f818b4b | .config | console log | report | ci-android-49-kasan-gce-root |