syzbot


DATA RACE in header.ICMPv6Checksum

Status: fixed on 2020/12/30 01:06
Fix commit: 946cb909e62e Don't modify a packet header when it can be used by other endpoints
First crash: 1441d ago, last: 1441d ago

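Sample crash report (Go race detector output: the write in header.ICMPv6Checksum, reached from ipv6 handleICMP, conflicts with a concurrent copy of the same buffer made by a packet endpoint's ReadPacket):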
WARNING: DATA RACE
Write at 0x00c0002b28ca by goroutine 274:
  gvisor.dev/gvisor/pkg/tcpip/header.ICMPv6Checksum()
      pkg/tcpip/header/icmpv6.go:281 +0x331
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).handleICMP()
      pkg/tcpip/network/ipv6/icmp.go:149 +0x573
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).handlePacket()
      pkg/tcpip/network/ipv6/ipv6.go:1130 +0xa89
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).HandlePacket()
      pkg/tcpip/network/ipv6/ipv6.go:782 +0x1c4
  gvisor.dev/gvisor/pkg/tcpip/stack.(*NIC).DeliverNetworkPacket()
      pkg/tcpip/stack/nic.go:681 +0xd47
  gvisor.dev/gvisor/pkg/tcpip/link/nested.(*Endpoint).DeliverNetworkPacket()
      pkg/tcpip/link/nested/nested.go:59 +0xef
  gvisor.dev/gvisor/pkg/tcpip/link/sniffer.(*endpoint).DeliverNetworkPacket()
      pkg/tcpip/link/sniffer/sniffer.go:143 +0xae
  gvisor.dev/gvisor/pkg/tcpip/link/loopback.(*endpoint).WritePacket()
      pkg/tcpip/link/loopback/loopback.go:89 +0x221
  gvisor.dev/gvisor/pkg/tcpip/link/nested.(*Endpoint).WritePacket()
      pkg/tcpip/link/nested/nested.go:117 +0xb0
  gvisor.dev/gvisor/pkg/tcpip/link/sniffer.(*endpoint).WritePacket()
      pkg/tcpip/link/sniffer/sniffer.go:192 +0x65
  gvisor.dev/gvisor/pkg/tcpip/stack.(*NIC).writePacket()
      pkg/tcpip/stack/nic.go:296 +0xba
  gvisor.dev/gvisor/pkg/tcpip/stack.(*NIC).WritePacket()
      pkg/tcpip/stack/nic.go:280 +0x172
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).writePacket()
      pkg/tcpip/network/ipv6/ipv6.go:579 +0x201
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).WritePacket()
      pkg/tcpip/network/ipv6/ipv6.go:542 +0x2e4
  gvisor.dev/gvisor/pkg/tcpip/stack.(*Route).WritePacket()
      pkg/tcpip/stack/route.go:389 +0x132
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*protocol).returnError()
      pkg/tcpip/network/ipv6/icmp.go:947 +0xebe
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).handlePacket()
      pkg/tcpip/network/ipv6/ipv6.go:1141 +0xb64
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).HandlePacket()
      pkg/tcpip/network/ipv6/ipv6.go:782 +0x1c4
  gvisor.dev/gvisor/pkg/tcpip/stack.(*NIC).DeliverNetworkPacket()
      pkg/tcpip/stack/nic.go:681 +0xd47
  gvisor.dev/gvisor/pkg/tcpip/link/nested.(*Endpoint).DeliverNetworkPacket()
      pkg/tcpip/link/nested/nested.go:59 +0xef
  gvisor.dev/gvisor/pkg/tcpip/link/sniffer.(*endpoint).DeliverNetworkPacket()
      pkg/tcpip/link/sniffer/sniffer.go:143 +0xae
  gvisor.dev/gvisor/pkg/tcpip/link/loopback.(*endpoint).WritePacket()
      pkg/tcpip/link/loopback/loopback.go:89 +0x221
  gvisor.dev/gvisor/pkg/tcpip/link/nested.(*Endpoint).WritePacket()
      pkg/tcpip/link/nested/nested.go:117 +0xb0
  gvisor.dev/gvisor/pkg/tcpip/link/sniffer.(*endpoint).WritePacket()
      pkg/tcpip/link/sniffer/sniffer.go:192 +0x65
  gvisor.dev/gvisor/pkg/tcpip/stack.(*NIC).writePacket()
      pkg/tcpip/stack/nic.go:296 +0xba
  gvisor.dev/gvisor/pkg/tcpip/stack.(*NIC).WritePacket()
      pkg/tcpip/stack/nic.go:280 +0x172
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).writePacket()
      pkg/tcpip/network/ipv6/ipv6.go:579 +0x201
  gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).WritePacket()
      pkg/tcpip/network/ipv6/ipv6.go:542 +0x2e4
  gvisor.dev/gvisor/pkg/tcpip/stack.(*Route).WritePacket()
      pkg/tcpip/stack/route.go:389 +0x132
  gvisor.dev/gvisor/pkg/tcpip/transport/udp.sendUDP()
      pkg/tcpip/transport/udp/endpoint.go:888 +0x6d7
  gvisor.dev/gvisor/pkg/tcpip/transport/udp.(*endpoint).write()
      pkg/tcpip/transport/udp/endpoint.go:543 +0x45a
  gvisor.dev/gvisor/pkg/tcpip/transport/udp.(*endpoint).Write()
      pkg/tcpip/transport/udp/endpoint.go:401 +0x84
  gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*socketOpsCommon).SendMsg()
      pkg/sentry/socket/netstack/netstack.go:2895 +0x23c
  gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*SocketVFS2).SendMsg()
      <autogenerated>:1 +0x177
  gvisor.dev/gvisor/pkg/sentry/syscalls/linux/vfs2.sendTo()
      pkg/sentry/syscalls/linux/vfs2/socket.go:1118 +0x4d5
  gvisor.dev/gvisor/pkg/sentry/syscalls/linux/vfs2.SendTo()
      pkg/sentry/syscalls/linux/vfs2/socket.go:1131 +0x87
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).executeSyscall()
      pkg/sentry/kernel/task_syscall.go:104 +0x452
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscallInvoke()
      pkg/sentry/kernel/task_syscall.go:239 +0xb9
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscallEnter()
      pkg/sentry/kernel/task_syscall.go:199 +0x10e
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscall()
      pkg/sentry/kernel/task_syscall.go:174 +0x1e9
  gvisor.dev/gvisor/pkg/sentry/kernel.(*runApp).execute()
      pkg/sentry/kernel/task_run.go:282 +0x12a6
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).run()
      pkg/sentry/kernel/task_run.go:97 +0x397

Previous read at 0x00c0002b28c8 by goroutine 303:
  runtime.slicecopy()
      GOROOT/src/runtime/slice.go:246 +0x0
  gvisor.dev/gvisor/pkg/tcpip/buffer.(*VectorisedView).ToOwnedView()
      pkg/tcpip/buffer/view.go:235 +0x1b1
  gvisor.dev/gvisor/pkg/tcpip/buffer.(*VectorisedView).ToView()
      pkg/tcpip/buffer/view.go:227 +0x327
  gvisor.dev/gvisor/pkg/tcpip/transport/packet.(*endpoint).ReadPacket()
      pkg/tcpip/transport/packet/endpoint.go:193 +0x228
  gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*socketOpsCommon).fetchReadView()
      pkg/sentry/socket/netstack/netstack.go:401 +0x54c
  gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*socketOpsCommon).nonBlockingRead()
      pkg/sentry/socket/netstack/netstack.go:2680 +0x15d
  gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*socketOpsCommon).RecvMsg()
      pkg/sentry/socket/netstack/netstack.go:2837 +0x717
  gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*SocketVFS2).RecvMsg()
      <autogenerated>:1 +0x149
  gvisor.dev/gvisor/pkg/sentry/syscalls/linux/vfs2.recvFrom()
      pkg/sentry/syscalls/linux/vfs2/socket.go:872 +0x366
  gvisor.dev/gvisor/pkg/sentry/syscalls/linux/vfs2.RecvFrom()
      pkg/sentry/syscalls/linux/vfs2/socket.go:897 +0x88
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).executeSyscall()
      pkg/sentry/kernel/task_syscall.go:104 +0x452
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscallInvoke()
      pkg/sentry/kernel/task_syscall.go:239 +0xb9
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscallEnter()
      pkg/sentry/kernel/task_syscall.go:199 +0x10e
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscall()
      pkg/sentry/kernel/task_syscall.go:174 +0x1e9
  gvisor.dev/gvisor/pkg/sentry/kernel.(*runApp).execute()
      pkg/sentry/kernel/task_run.go:282 +0x12a6
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).run()
      pkg/sentry/kernel/task_run.go:97 +0x397

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/12/15 18:22 gvisor b2a697334890 b22a7ec3 .config console log report syz C ci-gvisor-ptrace-2-race