syzbot


KASAN: use-after-free Read in ip_cmsg_recv_offset

Status: public: reported C repro on 2019/04/14 08:51
Reported-by: syzbot+d5f4e8be573ee763ff82@syzkaller.appspotmail.com
First crash: 2245d, last: 2233d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in ip_cmsg_recv_offset net C 9 2242d 2245d 11/28 fixed on 2018/10/11 14:33
android-414 KASAN: use-after-free Read in ip_cmsg_recv_offset C 11 2227d 2050d 0/1 public: reported C repro on 2019/04/12 00:00

Sample crash report:
raw_sendmsg: syz-executor859 forgot to set AF_INET. Fix it!
==================================================================
BUG: KASAN: use-after-free in ip_cmsg_recv_dstaddr net/ipv4/ip_sockglue.c:152 [inline]
BUG: KASAN: use-after-free in ip_cmsg_recv_offset+0xc59/0xdd0 net/ipv4/ip_sockglue.c:215
Read of size 4 at addr ffff8801d2557420 by task syz-executor859/2056

CPU: 1 PID: 2056 Comm: syz-executor859 Not tainted 4.9.129+ #45
 ffff8801ce8875a8 ffffffff81b36939 ffffea0007495580 ffff8801d2557420
 0000000000000000 ffff8801d2557420 ffff8801d2590a24 ffff8801ce8875e0
 ffffffff8150072d ffff8801d2557420 0000000000000004 0000000000000000
Call Trace:
 [<ffffffff81b36939>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b36939>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8150072d>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff81500b37>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff81500b37>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [<ffffffff814f2d24>] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 [<ffffffff824a95c9>] ip_cmsg_recv_dstaddr net/ipv4/ip_sockglue.c:152 [inline]
 [<ffffffff824a95c9>] ip_cmsg_recv_offset+0xc59/0xdd0 net/ipv4/ip_sockglue.c:215
 [<ffffffff82549117>] ip_cmsg_recv include/net/ip.h:612 [inline]
 [<ffffffff82549117>] raw_recvmsg+0x577/0x660 net/ipv4/raw.c:769
 [<ffffffff825824ee>] inet_recvmsg+0x23e/0x4c0 net/ipv4/af_inet.c:801
 [<ffffffff8228ddd6>] sock_recvmsg_nosec net/socket.c:750 [inline]
 [<ffffffff8228ddd6>] sock_recvmsg+0xc6/0x110 net/socket.c:757
 [<ffffffff8228e06a>] sock_read_iter+0x24a/0x360 net/socket.c:834
 [<ffffffff815073a8>] do_iter_readv_writev+0x2f8/0x4b0 fs/read_write.c:693
 [<ffffffff8150af9a>] do_readv_writev+0x2fa/0x7b0 fs/read_write.c:871
 [<ffffffff8150b4d4>] vfs_readv+0x84/0xc0 fs/read_write.c:897
 [<ffffffff8150b5f6>] do_readv+0xe6/0x260 fs/read_write.c:923
 [<ffffffff8150ee57>] SYSC_readv fs/read_write.c:1010 [inline]
 [<ffffffff8150ee57>] SyS_readv+0x27/0x30 fs/read_write.c:1007
 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [<ffffffff82802d13>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 2056:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 __kmalloc_track_caller+0xf0/0x2d0 mm/slub.c:4232
 __kmalloc_reserve.isra.5+0x33/0xc0 net/core/skbuff.c:138
 __alloc_skb+0x11a/0x5b0 net/core/skbuff.c:231
 alloc_skb include/linux/skbuff.h:919 [inline]
 sock_wmalloc+0x9e/0xe0 net/core/sock.c:1772
 __ip_append_data.isra.2+0x20e7/0x2930 net/ipv4/ip_output.c:1039
 ip_append_data.part.4+0xe4/0x150 net/ipv4/ip_output.c:1231
 ip_append_data+0x68/0x80 net/ipv4/ip_output.c:1220
 raw_sendmsg+0xb74/0x2480 net/ipv4/raw.c:652
 inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:770
 sock_sendmsg_nosec net/socket.c:648 [inline]
 sock_sendmsg+0xbb/0x110 net/socket.c:658
 SYSC_sendto net/socket.c:1683 [inline]
 SyS_sendto+0x220/0x370 net/socket.c:1651
 do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 2056:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 skb_free_head+0x8b/0xb0 net/core/skbuff.c:580
 pskb_expand_head+0x457/0x8a0 net/core/skbuff.c:1246
 __pskb_pull_tail+0xc7/0x1240 net/core/skbuff.c:1615
 pskb_may_pull include/linux/skbuff.h:1966 [inline]
 ip_cmsg_recv_dstaddr net/ipv4/ip_sockglue.c:142 [inline]
 ip_cmsg_recv_offset+0xbb0/0xdd0 net/ipv4/ip_sockglue.c:215
 ip_cmsg_recv include/net/ip.h:612 [inline]
 raw_recvmsg+0x577/0x660 net/ipv4/raw.c:769
 inet_recvmsg+0x23e/0x4c0 net/ipv4/af_inet.c:801
 sock_recvmsg_nosec net/socket.c:750 [inline]
 sock_recvmsg+0xc6/0x110 net/socket.c:757
 sock_read_iter+0x24a/0x360 net/socket.c:834
 do_iter_readv_writev+0x2f8/0x4b0 fs/read_write.c:693
 do_readv_writev+0x2fa/0x7b0 fs/read_write.c:871
 vfs_readv+0x84/0xc0 fs/read_write.c:897
 do_readv+0xe6/0x260 fs/read_write.c:923
 SYSC_readv fs/read_write.c:1010 [inline]
 SyS_readv+0x27/0x30 fs/read_write.c:1007
 do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the object at ffff8801d2557400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 32 bytes inside of
 512-byte region [ffff8801d2557400, ffff8801d2557600)
The buggy address belongs to the page:
page:ffffea0007495580 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d2557300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d2557380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801d2557400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8801d2557480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d2557500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/09/29 11:00 https://android.googlesource.com/kernel/common android-4.9 4fc79c48d27f 41e4b329 .config console log report syz C ci-android-49-kasan-gce-root
2018/10/11 04:57 https://android.googlesource.com/kernel/common android-4.9 38f2b4a8c277 5f818b4b .config console log report ci-android-49-kasan-gce-root