KASAN: slab-out-of-bounds Read in bpf_skb_change

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: slab-out-of-bounds Read in bpf_skb_change_proto bpf net	C			2	2358d	2357d	8/28	fixed on 2018/07/09 18:05
android-414	KASAN: slab-out-of-bounds Read in bpf_skb_change_proto	C			11	1832d	2052d	0/1	public: reported C repro on 2019/04/12 00:01

upstream

KASAN: slab-out-of-bounds Read in bpf_skb_change_proto bpf net

2358d

2357d

8/28

fixed on 2018/07/09 18:05

android-414

KASAN: slab-out-of-bounds Read in bpf_skb_change_proto

1832d

2052d

0/1

public: reported C repro on 2019/04/12 00:01


Created	Duration	User	Repo	Result
2020/02/02 23:25	3h25m	bisect fix	linux-4.14.y	OK (1) job log
2020/01/03 23:01	24m	bisect fix	linux-4.14.y	OK (0) job log log
2019/12/04 22:36	23m	bisect fix	linux-4.14.y	OK (0) job log log

audit: type=1400 audit(1567423021.113:36): avc: denied { map } for pid=6903 comm="sh" path="/bin/dash" dev="sda1" ino=1473 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 random: sshd: uninitialized urandom read (32 bytes read) audit: type=1400 audit(1567423025.043:37): avc: denied { map } for pid=6907 comm="syz-executor057" path="/root/syz-executor057000940" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 ================================================================== BUG: KASAN: slab-out-of-bounds in bpf_skb_proto_xlat net/core/filter.c:2151 [inline] BUG: KASAN: slab-out-of-bounds in ____bpf_skb_change_proto net/core/filter.c:2189 [inline] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xdbc/0x10f0 net/core/filter.c:2164 Read of size 2 at addr ffff8880a55bc300 by task syz-executor057/6907 CPU: 1 PID: 6907 Comm: syz-executor057 Not tainted 4.14.141 #37 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x138/0x197 lib/dump_stack.c:53 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428 bpf_skb_proto_xlat net/core/filter.c:2151 [inline] ____bpf_skb_change_proto net/core/filter.c:2189 [inline] bpf_skb_change_proto+0xdbc/0x10f0 net/core/filter.c:2164 bpf_prog_4b4d9be662d00a7e+0xcfd/0x1000 Allocated by task 0: (stack is not available) Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff8880a55bc300 which belongs to the cache skbuff_head_cache of size 232 The buggy address is located 0 bytes inside of 232-byte region [ffff8880a55bc300, ffff8880a55bc3e8) The buggy address belongs to the page: page:ffffea0002956f00 count:1 mapcount:0 mapping:ffff8880a55bc080 index:0x0 flags: 0x1fffc0000000100(slab) raw: 01fffc0000000100 ffff8880a55bc080 0000000000000000 000000010000000c raw: ffffea0002829fe0 ffffea0002783ae0 ffff88821b7203c0 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a55bc200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880a55bc280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880a55bc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8880a55bc380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880a55bc400: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ==================================================================

Crashes (2):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2019/09/02 11:20	linux-4.14.y	01fd1694b93c	db7c31ca	.config	console log	report	syz	C			ci2-linux-4-14
2019/08/09 21:41	linux-4.14.y	3ffe1e79c174	aff9e255	.config	console log	report	syz	C			ci2-linux-4-14

Crashes (2):

Assets (help?)