syzbot


KASAN: stack-out-of-bounds Read in xfrm_state_find (4)

Status: fixed on 2018/03/23 18:14
Subsystems: net
Reported-by: syzbot+e1a1577ca8bcb47b769a@syzkaller.appspotmail.com
Fix commit: 19d7df69fdb2 xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems
First crash: 2444d, last: 2392d
Discussions (7)
Title | Replies (including bot) | Last reply
[PATCH 4.4 00/72] 4.4.127-stable review | 83 (83) | 2018/05/17 08:56
[PATCH 4.9 000/102] 4.9.93-stable review | 111 (111) | 2018/04/12 16:56
[PATCH 3.18 00/93] 3.18.103-stable review | 102 (102) | 2018/04/09 08:13
[PATCH 4.15 00/72] 4.15.16-stable review | 78 (78) | 2018/04/07 06:10
[PATCH 4.14 00/67] 4.14.33-stable review | 71 (71) | 2018/04/06 22:10
[PATCH 1/9] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems | 1 (1) | 2018/03/13 07:09
KASAN: stack-out-of-bounds Read in xfrm_state_find (4) | 5 (8) | 2018/02/02 08:23
Similar bugs (13)
Kernel | Title | Repro | Bisect (cause, fix) | Count | Last | Reported | Patched | Status
upstream | KASAN: stack-out-of-bounds Read in xfrm_state_find (3) net | C | | 10353 | 2448d | 2515d | 4/28 | fixed on 2018/01/31 00:24
android-44 | KASAN: stack-out-of-bounds Read in xfrm_state_find | C | | 842 | 1776d | 2008d | 0/2 | public: reported C repro on 2019/04/12 00:00
android-54 | KASAN: stack-out-of-bounds Read in xfrm_state_find | C | | 1 | 648d | 648d | 0/2 | upstream: reported C repro on 2023/01/01 01:05
android-5-15 | KASAN: stack-out-of-bounds Read in xfrm_state_find origin:upstream missing-backport | C | error error | 2 | 163d | 648d | 0/2 | upstream: reported C repro on 2023/01/01 00:40
upstream | KASAN: stack-out-of-bounds Read in xfrm_state_find (5) net | C | done | 654 | 2081d | 2383d | 13/28 | fixed on 2019/11/11 16:48
upstream | KMSAN: uninit-value in xfrm_state_find net | C | error done | 215 | 509d | 2309d | 22/28 | fixed on 2023/07/01 16:05
android-5-10 | KASAN: stack-out-of-bounds Read in xfrm_state_find (2) | syz | error error | 1 | 648d | 648d | 0/2 | auto-obsoleted due to no activity on 2023/05/14 02:28
upstream | KASAN: stack-out-of-bounds Read in xfrm_state_find net | C | | 365 | 2544d | 2616d | 0/28 | closed as invalid on 2017/10/23 16:19
android-5-10 | KASAN: stack-out-of-bounds Read in xfrm_state_find | | | 1 | 1067d | 1067d | 0/2 | closed as invalid on 2022/02/03 13:56
android-49 | KASAN: stack-out-of-bounds Read in xfrm_state_find | C | | 4151 | 2109d | 2620d | 0/3 | closed as invalid on 2019/01/01 20:10
android-414 | KASAN: stack-out-of-bounds Read in xfrm_state_find | C | | 137 | 2082d | 2009d | 0/1 | public: reported C repro on 2019/04/11 00:00
upstream | KASAN: stack-out-of-bounds Read in xfrm_state_find (2) net | C | | 93 | 2526d | 2534d | 3/28 | fixed on 2017/11/18 01:42
android-49 | KASAN: stack-out-of-bounds Read in xfrm_state_find (2) | C | | 392 | 1772d | 2009d | 0/3 | public: reported C repro on 2019/04/11 08:44

Sample crash report:
audit: type=1400 audit(1519699153.102:6): avc:  denied  { map } for  pid=4224 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1519699167.021:7): avc:  denied  { map } for  pid=4240 comm="syzkaller703456" path="/root/syzkaller703456610" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30de/0x3210 net/xfrm/xfrm_state.c:1051
Read of size 4 at addr ffff8801b01b7480 by task syzkaller703456/4240

CPU: 0 PID: 4240 Comm: syzkaller703456 Not tainted 4.16.0-rc3+ #330
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 xfrm_state_find+0x30de/0x3210 net/xfrm/xfrm_state.c:1051
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:1393 [inline]
 xfrm_tmpl_resolve+0x2ee/0xc40 net/xfrm/xfrm_policy.c:1437
 xfrm_resolve_and_create_bundle+0x184/0x28d0 net/xfrm/xfrm_policy.c:1830
 xfrm_lookup+0xfcb/0x25c0 net/xfrm/xfrm_policy.c:2160
 xfrm_lookup_route+0x39/0x1a0 net/xfrm/xfrm_policy.c:2280
 ip_route_output_flow+0x7c/0xa0 net/ipv4/route.c:2558
 udp_sendmsg+0x19bd/0x2f70 net/ipv4/udp.c:1012
 udpv6_sendmsg+0x757/0x3400 net/ipv6/udp.c:1156
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046
 __sys_sendmsg+0xe5/0x210 net/socket.c:2080
 SYSC_sendmsg net/socket.c:2091 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2087
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4402a9
RSP: 002b:00007ffdde36c7b8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402a9
RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000000e8 R11: 0000000000000217 R12: 0000000000401bd0
R13: 0000000000401c60 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0006c06dc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 ffffea0006c00101 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b01b7380: f2 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2
 ffff8801b01b7400: f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00
>ffff8801b01b7480: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2
                   ^
 ffff8801b01b7500: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801b01b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
==================================================================
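
The "Memory state around the buggy address" block above is only useful once the faulting address is mapped onto its shadow byte. The following Python script is an added example, not part of the syzbot page or of the kernel: it parses the report's access line and shadow dump (the rows are labelled with memory addresses and carry 16 shadow bytes, one per 8-byte granule, so each row covers 0x80 bytes) and classifies the access. The shadow-byte meanings are those of generic KASAN in mm/kasan/kasan.h for 4.16-era kernels; the embedded sample is the report shown above, and the partial-granule checks handled by classify_access() are assumptions about how such a report would look, not taken from this page.

```python
import re

# Shadow-byte encodings for generic KASAN, from mm/kasan/kasan.h in
# 4.16-era kernels. One shadow byte describes an 8-byte granule of memory.
SHADOW_SCALE = 8
SHADOW_CODES = {
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "stack use-after-scope",
    0xFA: "global redzone",
    0xFB: "freed slab object",
    0xFC: "slab object redzone",
    0xFE: "kmalloc_large page redzone",
    0xFF: "freed page",
}

ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
STATE_RE = re.compile(r"^[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*)+)$")

# Relevant lines of the sample crash report on this page.
REPORT = """\
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30de/0x3210 net/xfrm/xfrm_state.c:1051
Read of size 4 at addr ffff8801b01b7480 by task syzkaller703456/4240

Memory state around the buggy address:
 ffff8801b01b7380: f2 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2
 ffff8801b01b7400: f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00
>ffff8801b01b7480: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2
                   ^
 ffff8801b01b7500: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801b01b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
==================================================================
"""


def describe(code):
    """Human-readable meaning of one shadow byte (None = granule not dumped)."""
    if code is None:
        return "not in dump"
    if code == 0:
        return "all 8 bytes accessible"
    if 1 <= code <= 7:
        return "first %d of 8 bytes accessible" % code
    return SHADOW_CODES.get(code, "unknown shadow byte 0x%02x" % code)


def parse_report(text):
    """Return (kind, size, addr, shadow); shadow maps granule address -> byte."""
    m = ACCESS_RE.search(text)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr' line found")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    shadow = {}
    in_state = False
    for line in text.splitlines():
        if line.startswith("Memory state around"):
            in_state = True
            continue
        if not in_state or line.startswith("="):
            continue
        sm = STATE_RE.match(line)
        if not sm:          # caret line or blank line
            continue
        base = int(sm.group(1), 16)
        for i, byte in enumerate(sm.group(2).split()):
            shadow[base + i * SHADOW_SCALE] = int(byte, 16)
    return kind, size, addr, shadow


def classify_access(shadow, addr, size):
    """Check every granule touched by [addr, addr+size) against the shadow.

    Returns [(granule_addr, code, description, is_bad)]. A partially
    accessible granule (code 1..7) is bad only if the access reaches past
    the accessible prefix; a granule missing from the dump gives is_bad=None.
    """
    findings = []
    end = addr + size
    granule = addr & ~(SHADOW_SCALE - 1)
    while granule < end:
        code = shadow.get(granule)
        last = min(end, granule + SHADOW_SCALE) - granule  # exclusive offset
        if code is None:
            bad = None
        elif code == 0:
            bad = False
        elif 1 <= code <= 7:
            bad = last > code
        else:
            bad = True
        findings.append((granule, code, describe(code), bad))
        granule += SHADOW_SCALE
    return findings


if __name__ == "__main__":
    kind, size, addr, shadow = parse_report(REPORT)
    for granule, code, desc, bad in classify_access(shadow, addr, size):
        print("%s of %d bytes at %#x: granule %#x shadow=%s (%s) -> %s"
              % (kind, size, addr, granule,
                 "??" if code is None else "0x%02x" % code, desc,
                 {True: "BAD", False: "ok", None: "unknown"}[bad]))
```

For the report above the script resolves the 4-byte read at ffff8801b01b7480 to a shadow byte of 0xf2, a stack mid redzone, i.e. the gap between two stack variables of the frame, which is what a read running off the end of a stack-local array in xfrm_state_find looks like.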

Crashes (102):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | Manager
2018/02/27 02:41 | upstream | 4a3928c6f8a5 | b370d4a7 | .config | console log | report | syz | C | ci-upstream-kasan-gce
2018/01/31 09:11 | upstream | 72906f38934a | 02553e22 | .config | console log | report | syz | C | ci-upstream-kasan-gce
2018/01/31 09:12 | upstream | 72906f38934a | 02553e22 | .config | console log | report | syz | C | ci-upstream-kasan-gce-386
2018/02/27 03:00 | net-next-old | ba6056a41cb0 | b370d4a7 | .config | console log | report | syz | C | ci-upstream-net-kasan-gce
2018/01/31 09:00 | net-next-old | 91e6dd828425 | 02553e22 | .config | console log | report | syz | C | ci-upstream-net-kasan-gce
2018/02/27 02:41 | upstream | 4a3928c6f8a5 | b370d4a7 | .config | console log | report | syz | | ci-upstream-kasan-gce-386
2018/03/23 14:09 | upstream | f36b7534b833 | 2e9d9054 | .config | console log | report | | | ci-upstream-kasan-gce
2018/03/22 13:06 | upstream | 3215b9d57a2c | 2e9d9054 | .config | console log | report | | | ci-upstream-kasan-gce
2018/03/21 07:04 | upstream | 3215b9d57a2c | 113a43ff | .config | console log | report | | | ci-upstream-kasan-gce
2018/03/22 08:16 | upstream | 3215b9d57a2c | 95c88d7a | .config | console log | report | | | ci-upstream-kasan-gce-386
2018/03/14 12:26 | net-next-old | a870a02cc963 | 08dacaa0 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/14 07:46 | net-next-old | be9fc0971a5c | 08dacaa0 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/14 02:17 | net-next-old | be9fc0971a5c | 08dacaa0 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/13 21:16 | net-next-old | 9ba32046fc2d | 08dacaa0 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/12 23:46 | net-next-old | 129cf5f7f196 | f505ca4b | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/12 20:54 | net-next-old | 129cf5f7f196 | f505ca4b | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/12 19:27 | net-next-old | 129cf5f7f196 | f505ca4b | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/12 13:54 | net-next-old | 8b4c6ed2ed0e | f505ca4b | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/12 09:19 | net-next-old | 8b4c6ed2ed0e | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/12 05:27 | net-next-old | 8b4c6ed2ed0e | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/12 03:22 | net-next-old | f44b1886a5f8 | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/11 22:41 | net-next-old | f44b1886a5f8 | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/11 06:26 | net-next-old | f44b1886a5f8 | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/11 03:46 | net-next-old | f44b1886a5f8 | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/10 23:41 | net-next-old | f44b1886a5f8 | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/10 05:53 | net-next-old | f44b1886a5f8 | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/10 04:01 | net-next-old | f44b1886a5f8 | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/10 02:06 | net-next-old | cf29bded91f9 | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/09 21:22 | net-next-old | cf29bded91f9 | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/09 19:30 | net-next-old | cf29bded91f9 | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/09 16:20 | net-next-old | cf29bded91f9 | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/09 10:13 | net-next-old | fd372a7a9e5e | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/09 04:35 | net-next-old | fd372a7a9e5e | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/09 02:08 | net-next-old | fd372a7a9e5e | 36d1c454 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/08 22:57 | net-next-old | 67ae686b3e14 | acd0caa5 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/08 13:02 | net-next-old | a366e300ae9f | acd0caa5 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/08 07:19 | net-next-old | a366e300ae9f | d50edb7e | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/08 02:49 | net-next-old | a366e300ae9f | d50edb7e | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/08 00:39 | net-next-old | 30855ffc29b9 | a5e76540 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/07 17:14 | net-next-old | 30855ffc29b9 | a5e76540 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/07 15:25 | net-next-old | 0f3e9c97eb5a | a5e76540 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/07 08:57 | net-next-old | 0f3e9c97eb5a | c8a18476 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/06 22:37 | net-next-old | 0f3e9c97eb5a | c8a18476 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/06 19:13 | net-next-old | 0f3e9c97eb5a | c8a18476 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/06 17:16 | net-next-old | 0f3e9c97eb5a | aef0b792 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/06 16:46 | net-next-old | 0f3e9c97eb5a | aef0b792 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/06 16:21 | net-next-old | 0f3e9c97eb5a | aef0b792 | .config | console log | report | | | ci-upstream-net-kasan-gce
2018/03/06 16:07 | net-next-old | 0f3e9c97eb5a | aef0b792 | .config | console log | report | | | ci-upstream-net-kasan-gce