syzbot


KASAN: use-after-free Read in __skb_flow_dissect (2)

Status: closed as invalid on 2023/03/21 17:25
Subsystems: net
[Documentation on labels]
First crash: 794d, last: 616d
Cause bisection: introduced by (bisect log) :
commit 3c9b84f044a9e54cf56d1b2c9b80a2d2ce56d70a
Author: Gavin Shan <gshan@redhat.com>
Date: Thu Sep 2 21:52:19 2021 +0000

  mm/debug_vm_pgtable: introduce struct pgtable_debug_args

Crash: KASAN: use-after-free Read in __skb_flow_dissect (log)
Repro: C syz .config
  
Fix bisection: fixed by (bisect log) [merge commit]:
commit ee8d72a157ebb4b8c4b8b664f5a78a341fede2ef
Author: Jakub Kicinski <kuba@kernel.org>
Date: Mon Feb 20 23:38:41 2023 +0000

  Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next

  
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in __skb_flow_dissect net 3 1250d 1348d 0/28 auto-closed as invalid on 2021/08/03 02:14
upstream KASAN: use-after-free Read in __skb_flow_dissect (3) net C 1 269d 279d 25/28 fixed on 2024/03/26 00:54
upstream Internal error in __skb_flow_dissect net 1 516d 512d 0/28 auto-obsoleted due to no activity on 2023/08/07 05:35
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2023/02/28 22:56 4h45m bisect fix upstream OK (1) job log
2023/01/29 22:09 28m bisect fix upstream OK (0) job log log
2022/11/26 21:43 25m bisect fix upstream OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __skb_flow_dissect+0x5969/0x7660 net/core/flow_dissector.c:1090
Read of size 1 at addr ffff888173b2000e by task syz-executor190/3615

CPU: 0 PID: 3615 Comm: syz-executor190 Not tainted 6.1.0-rc2-syzkaller-00078-g98555239e4c3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:284
 print_report+0x107/0x220 mm/kasan/report.c:395
 kasan_report+0x139/0x170 mm/kasan/report.c:495
 __skb_flow_dissect+0x5969/0x7660 net/core/flow_dissector.c:1090
 skb_flow_dissect_flow_keys include/linux/skbuff.h:1495 [inline]
 ___skb_get_hash+0x55/0x800 net/core/flow_dissector.c:1698
 __skb_get_hash+0xae/0x340 net/core/flow_dissector.c:1764
 skb_get_hash include/linux/skbuff.h:1537 [inline]
 ip_tunnel_xmit+0x8ef/0x2dc0 net/ipv4/ip_tunnel.c:733
 ipip_tunnel_xmit+0x31d/0x4a0 net/ipv4/ipip.c:307
 __netdev_start_xmit include/linux/netdevice.h:4840 [inline]
 netdev_start_xmit include/linux/netdevice.h:4854 [inline]
 xmit_one net/core/dev.c:3590 [inline]
 dev_hard_start_xmit+0x1af/0x3e0 net/core/dev.c:3606
 __dev_queue_xmit+0x1cbb/0x3af0 net/core/dev.c:4256
 neigh_output include/net/neighbour.h:546 [inline]
 ip_finish_output2+0xdca/0x11c0 net/ipv4/ip_output.c:228
 iptunnel_xmit+0x4cb/0x8a0 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x206b/0x2dc0 net/ipv4/ip_tunnel.c:813
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x764/0xa50 net/ipv4/ip_gre.c:661
 __netdev_start_xmit include/linux/netdevice.h:4840 [inline]
 netdev_start_xmit include/linux/netdevice.h:4854 [inline]
 xmit_one net/core/dev.c:3590 [inline]
 dev_hard_start_xmit+0x1af/0x3e0 net/core/dev.c:3606
 __dev_queue_xmit+0x1cbb/0x3af0 net/core/dev.c:4256
 dev_queue_xmit include/linux/netdevice.h:3008 [inline]
 __bpf_tx_skb net/core/filter.c:2116 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2141 [inline]
 __bpf_redirect+0x799/0x1030 net/core/filter.c:2164
 ____bpf_clone_redirect net/core/filter.c:2431 [inline]
 bpf_clone_redirect+0x243/0x350 net/core/filter.c:2403
 bpf_prog_801cabf80fc815cd+0x59/0x5e
 bpf_dispatcher_nop_func include/linux/bpf.h:964 [inline]
 __bpf_prog_run include/linux/filter.h:600 [inline]
 bpf_prog_run include/linux/filter.h:607 [inline]
 bpf_test_run+0x4bc/0x8e0 net/bpf/test_run.c:402
 bpf_prog_test_run_skb+0xad8/0x1380 net/bpf/test_run.c:1182
 bpf_prog_test_run+0x32c/0x3a0 kernel/bpf/syscall.c:3630
 __sys_bpf+0x3fe/0x6d0 kernel/bpf/syscall.c:4983
 __do_sys_bpf kernel/bpf/syscall.c:5069 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5067 [inline]
 __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:5067
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f55e1ebbe69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff0d662d28 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f55e1ebbe69
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 000000000000000d R11: 0000000000000246 R12: 00007fff0d662d40
R13: 00000000000f4240 R14: 000000000000a195 R15: 00007fff0d662d34
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0005cec800 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x173b20
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000000 ffffea0005cec808 ffffea0005cec808 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff888173b1ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888173b1ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888173b20000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff888173b20080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888173b20100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/10/27 12:23 upstream 98555239e4c3 86777b7f .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in __skb_flow_dissect
2022/08/19 12:07 upstream 3b06a2755758 26a13b38 .config strace log report syz C ci-upstream-kasan-gce-root KASAN: use-after-free Read in __skb_flow_dissect
2022/08/04 21:56 net-old 8eaa1d110800 1c9013ac .config strace log report syz C ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __skb_flow_dissect
2022/08/04 21:56 net-next-old 3c47fb2f4c4d 1c9013ac .config strace log report syz C ci-upstream-net-kasan-gce KASAN: use-after-free Read in __skb_flow_dissect
2022/10/02 20:21 linux-next aaa11ce2ffc8 feb56351 .config strace log report syz C [disk image] [vmlinux] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in __skb_flow_dissect
2022/12/04 15:01 upstream 97ee9d1c1696 e080de16 .config strace log report syz C ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in __skb_flow_dissect
* Struck through repros no longer work on HEAD.