syzbot


KASAN: vmalloc-out-of-bounds Read in compat_copy_entries

Status: fixed on 2020/02/14 01:19
Subsystems: netfilter bridge
Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com
Fix commit: e608f631f0ba netfilter: ebtables: compat: reject all padding in matches/watchers
First crash: 1627d, last: 1626d
Cause bisection: introduced by:
commit 0609ae011deb41c9629b7f5fd626dfa1ac9d16b0
Author: Daniel Axtens <dja@axtens.net>
Date: Sun Dec 1 01:55:00 2019 +0000

  x86/kasan: support KASAN_VMALLOC

Crash: KASAN: vmalloc-out-of-bounds Read in compat_copy_entries
Repro: C, syz, .config
Discussions (9)
Title | Replies (including bot) | Last reply
[PATCH 3.16 000/245] 3.16.83-rc1 review | 260 (260) | 2020/04/24 17:54
[PATCH 4.19 000/114] 4.19.93-stable review | 134 (134) | 2020/02/07 10:19
[PATCH 5.4 000/191] 5.4.8-stable review | 215 (215) | 2020/01/06 09:03
[PATCH 4.4 000/137] 4.4.208-stable review | 143 (143) | 2020/01/04 12:32
[PATCH 4.14 00/91] 4.14.162-stable review | 99 (99) | 2020/01/03 22:01
[PATCH 4.9 000/171] 4.9.208-stable review | 176 (176) | 2020/01/03 21:51
[PATCH 0/4] Netfilter fixes for net | 6 (6) | 2019/12/26 21:11
[PATCH nf] netfilter: ebtables: compat: reject all padding in matches/watchers | 2 (2) | 2019/12/20 01:11
KASAN: vmalloc-out-of-bounds Read in compat_copy_entries | 0 (2) | 2019/12/15 06:31

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
Read of size 4 at addr ffffc90000d461f4 by task syz-executor640/9086

CPU: 0 PID: 9086 Comm: syz-executor640 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
 size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
 compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
 compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249
 compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333
 compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
 compat_nf_setsockopt+0x98/0x140 net/netfilter/nf_sockopt.c:156
 compat_ip_setsockopt net/ipv4/ip_sockglue.c:1286 [inline]
 compat_ip_setsockopt+0x106/0x140 net/ipv4/ip_sockglue.c:1267
 compat_udp_setsockopt+0x68/0xb0 net/ipv4/udp.c:2649
 compat_sock_common_setsockopt+0xb2/0x140 net/core/sock.c:3160
 __compat_sys_setsockopt+0x185/0x380 net/compat.c:384
 __do_compat_sys_setsockopt net/compat.c:397 [inline]
 __se_compat_sys_setsockopt net/compat.c:394 [inline]
 __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:394
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7feca39
Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000ff8a607c EFLAGS: 00000296 ORIG_RAX: 000000000000016e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000080 RSI: 0000000020000240 RDI: 0000000000000212
RBP: 0000000000000012 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000


Memory state around the buggy address:
 ffffc90000d46080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000d46100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90000d46180: 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
                                                             ^
 ffffc90000d46200: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffffc90000d46280: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
==================================================================

Crashes (3):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | Manager
2019/12/14 21:25 | upstream | e31736d9fae8 | eef6e580 | .config | console log | report | syz | C | ci-upstream-kasan-gce-386
2019/12/14 21:03 | upstream | e31736d9fae8 | eef6e580 | .config | console log | report | syz | C | ci-qemu-upstream-386
2019/12/14 14:41 | upstream | e31736d9fae8 | eef6e580 | .config | console log | report | - | - | ci-qemu-upstream-386