syzbot |
sign-in | mailing list | source | docs |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.14 | KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user | C | done | 1 | 1706d | 1706d | 1/1 | fixed on 2020/04/21 23:14 | |
| upstream | KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user selinux | C | done | 1 | 1699d | 1698d | 15/28 | fixed on 2020/05/10 10:42 |
kauditd_printk_skb: 3 callbacks suppressed
audit: type=1400 audit(1584298507.132:36): avc: denied { map } for pid=8027 comm="syz-executor559" path="/root/syz-executor559645294" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x205/0x400 security/selinux/xfrm.c:102
Read of size 768 at addr ffff888097bcf334 by task syz-executor559/8027
CPU: 1 PID: 8027 Comm: syz-executor559 Not tainted 4.19.109-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
memcpy+0x20/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:348 [inline]
selinux_xfrm_alloc_user+0x205/0x400 security/selinux/xfrm.c:102
security_xfrm_policy_alloc+0x6c/0xb0 security/security.c:1631
copy_from_user_sec_ctx net/xfrm/xfrm_user.c:1461 [inline]
xfrm_policy_construct+0x2a8/0x660 net/xfrm/xfrm_user.c:1626
xfrm_add_acquire+0x215/0x9f0 net/xfrm/xfrm_user.c:2279
xfrm_user_rcv_msg+0x40c/0x6b0 net/xfrm/xfrm_user.c:2677
netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2685
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4406e9
Code: 23 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff605be978 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004406e9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 0000000000000000 R09: 6c616b7a79732f2e
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f10
R13: 0000000000401fa0 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 8027:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703
__kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:137
__alloc_skb+0xef/0x5b0 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:995 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1190 [inline]
netlink_sendmsg+0x8d6/0xcd0 net/netlink/af_netlink.c:1884
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff888097bcf200
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 308 bytes inside of
1024-byte region [ffff888097bcf200, ffff888097bcf600)
The buggy address belongs to the page:
page:ffffea00025ef380 count:1 mapcount:0 mapping:ffff88812c3dcac0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0001f7a688 ffffea0002976608 ffff88812c3dcac0
raw: 0000000000000000 ffff888097bce000 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888097bcf500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888097bcf580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888097bcf600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888097bcf680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888097bcf700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2020/03/15 18:57 | linux-4.19.y | 569209711609 | 749688d2 | .config | console log | report | syz | C | ci2-linux-4-19 | |||
| 2020/03/11 03:20 | linux-4.19.y | 7472c4028e23 | 35f53e45 | .config | console log | report | syz | C | ci2-linux-4-19 | |||
| 2020/03/11 03:06 | linux-4.19.y | 7472c4028e23 | 35f53e45 | .config | console log | report | ci2-linux-4-19 |