syzbot


KASAN: use-after-free Read in ip6_fragment

Status: public: reported C repro on 2019/08/18 06:34
Reported-by: syzbot+f80f56cb7b8d07aa3c40@syzkaller.appspotmail.com
First crash: 1711d, last: 1661d
Similar bugs (2)
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: use-after-free Read in ip6_fragment (2) net | | | | 1 | 517d | 513d | 22/26 | fixed on 2023/02/24 13:50 |
| upstream | KASAN: use-after-free Read in ip6_fragment net | | | | 1 | 1802d | 1802d | 12/26 | fixed on 2019/06/18 17:49 |

Sample crash report:
hrtimer: interrupt took 36333 ns
==================================================================
BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:147 [inline]
BUG: KASAN: use-after-free in ip6_fragment+0x2d4a/0x2f30 net/ipv6/ip6_output.c:768
Read of size 8 at addr ffff8881c57c7118 by task syz-executor742/2396

CPU: 1 PID: 2396 Comm: syz-executor742 Not tainted 4.14.147+ #0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xca/0x134 lib/dump_stack.c:53
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
 ip6_dst_idev include/net/ip6_fib.h:147 [inline]
 ip6_fragment+0x2d4a/0x2f30 net/ipv6/ip6_output.c:768
 ip6_finish_output+0x66d/0xb40 net/ipv6/ip6_output.c:152
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip6_output+0x1dc/0x680 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:462 [inline]
 ip6_local_out+0x98/0x170 net/ipv6/output_core.c:178
 ip6_send_skb+0x9b/0x2f0 net/ipv6/ip6_output.c:1688
 udp_v6_send_skb+0x4e2/0xe80 net/ipv6/udp.c:1081
 udp_v6_push_pending_frames+0x224/0x330 net/ipv6/udp.c:1114
 udpv6_sendmsg+0x194b/0x2500 net/ipv6/udp.c:1380
 inet_sendmsg+0x15b/0x520 net/ipv4/af_inet.c:760
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb7/0x100 net/socket.c:656
 SYSC_sendto net/socket.c:1763 [inline]
 SyS_sendto+0x1de/0x2f0 net/socket.c:1731
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x447c79
RSP: 002b:00007f983ea1bda8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000006ddc28 RCX: 0000000000447c79
RDX: 000000000000ffb3 RSI: 00000000200003c0 RDI: 0000000000000004
RBP: 00000000006ddc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000004000000 R11: 0000000000000246 R12: 00000000006ddc2c
R13: 00007ffca1d278ff R14: 00007f983ea1c9c0 R15: 00000000006ddc2c

Allocated by task 2396:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:501
 slab_post_alloc_hook mm/slab.h:439 [inline]
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2800 [inline]
 kmem_cache_alloc+0xee/0x360 mm/slub.c:2805
 dst_alloc+0xe6/0x1a0 net/core/dst.c:107
 __ip6_dst_alloc+0x2e/0x50 net/ipv6/route.c:355
 ip6_rt_pcpu_alloc net/ipv6/route.c:1034 [inline]
 rt6_make_pcpu_route net/ipv6/route.c:1064 [inline]
 ip6_pol_route+0xfed/0x26d0 net/ipv6/route.c:1189
 fib6_rule_lookup+0xdb/0x420 net/ipv6/fib6_rules.c:83
 ip6_route_output include/net/ip6_route.h:81 [inline]
 ip6_dst_lookup_tail+0xdab/0x16f0 net/ipv6/ip6_output.c:975
 ip6_dst_lookup_flow+0xac/0x210 net/ipv6/ip6_output.c:1098
 ip6_sk_dst_lookup_flow+0x397/0x540 net/ipv6/ip6_output.c:1129
 udpv6_sendmsg+0x1833/0x2500 net/ipv6/udp.c:1329
 inet_sendmsg+0x15b/0x520 net/ipv4/af_inet.c:760
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb7/0x100 net/socket.c:656
 SYSC_sendto net/socket.c:1763 [inline]
 SyS_sendto+0x1de/0x2f0 net/socket.c:1731
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

Freed by task 7:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:463
 slab_free_hook mm/slub.c:1407 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3039 [inline]
 kmem_cache_free+0xd7/0x3b0 mm/slub.c:3055
 dst_destroy+0x1cc/0x2d0 net/core/dst.c:138
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x59f/0xf60 kernel/rcu/tree.c:2946
 __do_softirq+0x234/0x9ec kernel/softirq.c:288

The buggy address belongs to the object at ffff8881c57c6fc0
 which belongs to the cache ip6_dst_cache of size 384
The buggy address is located 344 bytes inside of
 384-byte region [ffff8881c57c6fc0, ffff8881c57c7140)
The buggy address belongs to the page:
page:ffffea000715f180 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 0000000000000000 0000000180120012
raw: dead000000000100 dead000000000200 ffff8881d1947c00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881c57c7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881c57c7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881c57c7100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                            ^
 ffff8881c57c7180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c57c7200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (4):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2019/10/07 08:20 | android-4.14 | 9674240fb29c | f3f7d9c8 | .config | console log | report | syz | C | | | ci-android-414-kasan-gce-root | |
| 2019/10/07 07:31 | android-4.14 | 9674240fb29c | f3f7d9c8 | .config | console log | report | | | | | ci-android-414-kasan-gce-root | |
| 2019/08/18 08:34 | android-4.14 | 5d8bfdf81cde | 55bf8926 | .config | console log | report | | | | | ci-android-414-kasan-gce-root | |
| 2019/08/18 05:33 | android-4.14 | 5d8bfdf81cde | 55bf8926 | .config | console log | report | | | | | ci-android-414-kasan-gce-root | |
* Struck through repros no longer work on HEAD.