syzbot


UBSAN: shift-out-of-bounds in hash_mac_create

Status: fixed on 2021/03/10 01:48
Subsystems: netfilter
[Documentation on labels]
Reported-by: syzbot+d66bfadebca46cf61a2b@syzkaller.appspotmail.com
Fix commit: 5c8193f568ae netfilter: ipset: fix shift-out-of-bounds in htable_bits()
First crash: 1195d, last: 1171d
Cause bisection: introduced by (bisect log) [release commit]:
commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sun Sep 15 21:19:32 2019 +0000

  Linux 5.3

Crash: UBSAN: undefined-behaviour in hash_mac_create (log)
Repro: C syz .config
  
Duplicate bugs (1)
duplicates (1):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
UBSAN: shift-out-of-bounds in hash_ipmark_create netfilter C unreliable 19 1169d 1189d 0/26 closed as dup on 2020/12/15 16:06
Discussions (9)
Title Replies (including bot) Last reply
[PATCH 4.19 00/77] 4.19.167-rc1 review 87 (87) 2021/01/14 01:43
[PATCH 4.4 00/38] 4.4.251-rc1 review 43 (43) 2021/01/12 09:04
[PATCH 4.9 00/45] 4.9.251-rc1 review 49 (49) 2021/01/12 08:16
[PATCH 4.14 00/57] 4.14.215-rc1 review 60 (60) 2021/01/12 07:36
[PATCH 5.4 00/92] 5.4.89-rc1 review 96 (96) 2021/01/12 06:54
[PATCH 5.10 000/145] 5.10.7-rc1 review 152 (152) 2021/01/11 19:59
[PATCH net 0/4] Netfilter fixes for net 6 (6) 2020/12/19 02:20
[PATCH v2] netfilter: ipset: fix shift-out-of-bounds in htable_bits() 3 (3) 2020/12/17 18:44
UBSAN: shift-out-of-bounds in hash_mac_create 0 (1) 2020/12/13 22:13
Last patch testing requests (3)
Created Duration User Patch Repo Result
2020/12/17 10:18 16m vvs@virtuozzo.com patch https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git master OK
2020/12/17 06:02 0m vvs@virtuozzo.com patch https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git master error OK
2020/12/16 07:24 16m vvs@virtuozzo.com patch https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git master OK

Sample crash report:
================================================================================
UBSAN: shift-out-of-bounds in net/netfilter/ipset/ip_set_hash_gen.h:151:6
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 8498 Comm: syz-executor519 Not tainted 5.10.0-rc7-next-20201208-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 htable_bits net/netfilter/ipset/ip_set_hash_gen.h:151 [inline]
 hash_mac_create.cold+0x58/0x9b net/netfilter/ipset/ip_set_hash_gen.h:1524
 ip_set_create+0x610/0x1380 net/netfilter/ipset/ip_set_core.c:1115
 nfnetlink_rcv_msg+0xecc/0x1180 net/netfilter/nfnetlink.c:252
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:600
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440419
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd29571ba8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440419
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000009 R09: 00000000004002c8
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000401c20
R13: 0000000000401cb0 R14: 0000000000000000 R15: 0000000000000000
================================================================================

Crashes (29):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/12/10 02:32 linux-next a9e26cb5f261 c090b4da .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/12/27 01:21 upstream 40f78232f973 821e0b09 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/27 00:13 upstream 40f78232f973 821e0b09 .config console log report info ci-upstream-kasan-gce
2020/12/26 04:19 upstream 5814bc2d4cc2 821e0b09 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/25 23:44 upstream 71c5f03154ac b982b3ea .config console log report info ci-upstream-kasan-gce
2020/12/25 15:49 upstream 71c5f03154ac b982b3ea .config console log report info ci-upstream-kasan-gce
2020/12/22 21:48 upstream 8653b778e454 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/22 21:40 upstream 8653b778e454 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/22 21:40 upstream 8653b778e454 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/22 15:47 upstream 8653b778e454 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/22 14:37 upstream 8653b778e454 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/18 23:34 upstream a409ed156a90 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/18 23:33 upstream a409ed156a90 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/16 19:43 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/16 16:55 upstream 5e60366d56c6 f213e07e .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/26 05:34 upstream 5814bc2d4cc2 821e0b09 .config console log report info ci-upstream-kasan-gce-386
2020/12/25 08:00 upstream 3913d00ac51a c2c1d1dd .config console log report info ci-upstream-kasan-gce-386
2020/12/22 21:49 upstream 8653b778e454 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/22 21:44 upstream 8653b778e454 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/22 15:25 upstream 8653b778e454 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/19 00:26 upstream a409ed156a90 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/16 22:42 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/16 19:34 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/18 17:29 net-old d64c6f96ba86 04201c06 .config console log report info ci-upstream-net-this-kasan-gce
2020/12/18 16:54 net-old d64c6f96ba86 04201c06 .config console log report info ci-upstream-net-this-kasan-gce
2021/01/02 09:08 net-next-old 3db1a3fa9880 79264ae3 .config console log report info ci-upstream-net-kasan-gce
2020/12/27 14:54 net-next-old 3db1a3fa9880 2242f77f .config console log report info ci-upstream-net-kasan-gce
2020/12/27 13:50 net-next-old 3db1a3fa9880 2242f77f .config console log report info ci-upstream-net-kasan-gce
2020/12/09 22:08 linux-next a9e26cb5f261 c090b4da .config console log report info ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.