syzbot


KASAN: stack-out-of-bounds Read in xfrm_state_find (3)

Status: fixed on 2018/01/31 00:24
Reported-by: syzbot+68bf59b49142965d6454163d7341e617a90139dc@syzkaller.appspotmail.com
Fix commit: 732706afe1cc xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.
First crash: 1844d, last: 1775d
similar bugs (10):
Kernel        Title                                                   Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
android-44    KASAN: stack-out-of-bounds Read in xfrm_state_find      C      -             -           842    1102d  1335d     0/2      public: reported C repro on 2019/04/12 00:00
upstream      KASAN: stack-out-of-bounds Read in xfrm_state_find (5)  C      done          -           654    1408d  1710d     14/24    fixed on 2019/11/11 16:48
upstream      KMSAN: uninit-value in xfrm_state_find                  C      -             -           193    46d    1636d     0/24     upstream: reported C repro on 2018/06/15 07:30
upstream      KASAN: stack-out-of-bounds Read in xfrm_state_find      C      -             -           365    1871d  1943d     0/24     closed as invalid on 2017/10/23 16:19
android-5-10  KASAN: stack-out-of-bounds Read in xfrm_state_find      -      -             -           1      394d   394d      0/2      closed as invalid on 2022/02/03 13:56
android-49    KASAN: stack-out-of-bounds Read in xfrm_state_find      C      -             -           4151   1436d  1947d     0/3      closed as invalid on 2019/01/01 20:10
android-414   KASAN: stack-out-of-bounds Read in xfrm_state_find      C      -             -           137    1409d  1336d     0/1      public: reported C repro on 2019/04/11 00:00
upstream      KASAN: stack-out-of-bounds Read in xfrm_state_find (2)  C      -             -           93     1853d  1861d     3/24     fixed on 2017/11/18 01:42
android-49    KASAN: stack-out-of-bounds Read in xfrm_state_find (2)  C      -             -           392    1099d  1336d     0/3      public: reported C repro on 2019/04/11 08:44
upstream      KASAN: stack-out-of-bounds Read in xfrm_state_find (4)  C      -             -           102    1719d  1770d     4/24     fixed on 2018/03/23 18:14
(empty cells shown as -; Repro "C" means a C reproducer exists)

Sample crash report:
audit: type=1400 audit(1514150976.800:7): avc:  denied  { map } for  pid=3139 comm="syzkaller283615" path="/root/syzkaller283615371" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30de/0x3210 net/xfrm/xfrm_state.c:1050
Read of size 4 at addr ffff8801c862f740 by task syzkaller283615/3139

CPU: 1 PID: 3139 Comm: syzkaller283615 Not tainted 4.15.0-rc5+ #237
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 xfrm_state_find+0x30de/0x3210 net/xfrm/xfrm_state.c:1050
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:1388 [inline]
 xfrm_tmpl_resolve+0x30e/0xc10 net/xfrm/xfrm_policy.c:1432
 xfrm_resolve_and_create_bundle+0x123/0x25f0 net/xfrm/xfrm_policy.c:1821
 xfrm_lookup+0x1574/0x23f0 net/xfrm/xfrm_policy.c:2146
 xfrm_lookup_route+0x39/0x1a0 net/xfrm/xfrm_policy.c:2264
 ip_route_output_flow+0x7c/0xa0 net/ipv4/route.c:2559
 udp_sendmsg+0x19d3/0x2cf0 net/ipv4/udp.c:1019
 udpv6_sendmsg+0x762/0x33a0 net/ipv6/udp.c:1186
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
 sock_sendmsg_nosec net/socket.c:636 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:646
 SYSC_sendto+0x361/0x5c0 net/socket.c:1727
 SyS_sendto+0x40/0x50 net/socket.c:1695
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x43ff29
RSP: 002b:00007ffedf6b1308 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 000000000043ff29
RDX: 0000000000000000 RSI: 000000002028a000 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000020999000 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401890
R13: 0000000000401920 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:0000000076c3f3ba count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c862f600: f1 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2
 ffff8801c862f680: f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2
>ffff8801c862f700: f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00
                                           ^
 ffff8801c862f780: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00
 ffff8801c862f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
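The shadow dump above already tells you what kind of memory the bad access hit before you open net/xfrm/xfrm_state.c. KASAN keeps one shadow byte per 8 bytes of kernel memory: 00 means the whole 8-byte granule is addressable, 01..07 that only the first N bytes are, and f1/f2/f3 are the left, middle and right redzones KASAN places around stack variables (this is the encoding from mm/kasan/kasan.h in the 4.15-era kernel this report comes from; f8 marks a stack variable that has gone out of scope). The faulting address ffff8801c862f740 is 0x40 bytes past the start of the marked line, i.e. shadow byte index 8, which is f2: the 4-byte read in xfrm_state_find landed in the mid redzone between two stack locals, not on a heap object, which is what the fix title's "misconfigured transport mode policies" produces when an address is compared using the wrong family's length. The decoder below is an added example, not syzbot's or the kernel's code; it embeds the five shadow lines copied from the report above, and its function and variable names (shadow_byte_for, access_is_valid, shadow_dump) are its own.

```c
/*
 * Added example (not syzbot or kernel code): decode the "Memory state
 * around the buggy address" block of a KASAN report and classify an
 * access against it.
 *
 * KASAN shadow encoding (mm/kasan/kasan.h, 4.15 era), one shadow byte
 * per 8 bytes of memory:
 *   00        all 8 bytes addressable
 *   01..07    only the first N bytes of the granule addressable
 *   f1/f2/f3  stack left / middle / right redzone
 *   f4        stack partial redzone
 *   f8        out-of-scope stack variable (use-after-scope)
 *   fa        global redzone
 *   fb        freed kmalloc object
 *   fc        kmalloc redzone
 *   fe        page redzone
 *   ff        freed page
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHADOW_SCALE 8      /* bytes of memory covered by one shadow byte */
#define BYTES_PER_LINE 16   /* shadow bytes per dump line */

/* Shadow lines copied from the report above; the '>' marker that flags
 * the line holding the bad address is stripped so every line parses alike. */
static const char *shadow_dump[] = {
    "ffff8801c862f600: f1 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2",
    "ffff8801c862f680: f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2",
    "ffff8801c862f700: f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00",
    "ffff8801c862f780: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00",
    "ffff8801c862f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
};

static const char *shadow_name(int v)
{
    switch (v) {
    case 0x00: return "addressable";
    case 0xf1: return "stack left redzone";
    case 0xf2: return "stack mid redzone";
    case 0xf3: return "stack right redzone";
    case 0xf4: return "stack partial redzone";
    case 0xf8: return "stack out-of-scope (use-after-scope)";
    case 0xfa: return "global redzone";
    case 0xfb: return "kmalloc freed";
    case 0xfc: return "kmalloc redzone";
    case 0xfe: return "page redzone";
    case 0xff: return "freed page";
    default:
        if (v > 0 && v < SHADOW_SCALE) return "partially addressable";
        return "unknown";
    }
}

/* Parse "<hexaddr>: b0 b1 ... b15" into base address and 16 shadow bytes.
 * Returns 0 on success, -1 on a malformed line. */
static int parse_line(const char *line, uint64_t *base, int bytes[BYTES_PER_LINE])
{
    char *end;
    *base = strtoull(line, &end, 16);
    if (*end != ':') return -1;
    end++;
    for (int i = 0; i < BYTES_PER_LINE; i++) {
        while (*end == ' ') end++;
        if (!isxdigit((unsigned char)end[0]) || !isxdigit((unsigned char)end[1]))
            return -1;
        char buf[3] = { end[0], end[1], 0 };
        bytes[i] = (int)strtol(buf, NULL, 16);
        end += 2;
    }
    return 0;
}

/* Shadow byte covering addr, or -1 if addr lies outside the dumped lines. */
int shadow_byte_for(const char **lines, size_t nlines, uint64_t addr)
{
    const uint64_t span = (uint64_t)BYTES_PER_LINE * SHADOW_SCALE; /* 128 bytes */
    for (size_t i = 0; i < nlines; i++) {
        uint64_t base;
        int bytes[BYTES_PER_LINE];
        if (parse_line(lines[i], &base, bytes) != 0) continue;
        if (addr >= base && addr < base + span)
            return bytes[(addr - base) / SHADOW_SCALE];
    }
    return -1;
}

/* Check an access of `size` bytes at `addr` the way KASAN does:
 * returns 1 if every byte is addressable, 0 if any byte is poisoned
 * (with the first poisoned shadow value in *first_bad), -1 if the
 * dump does not cover the access. */
int access_is_valid(const char **lines, size_t nlines, uint64_t addr,
                    size_t size, int *first_bad)
{
    for (size_t off = 0; off < size; off++) {
        uint64_t a = addr + off;
        int s = shadow_byte_for(lines, nlines, a);
        if (s < 0) return -1;
        if (s == 0) continue;
        /* 01..07: only the first s bytes of this granule are valid */
        if (s < SHADOW_SCALE && (a % SHADOW_SCALE) < (uint64_t)s) continue;
        if (first_bad) *first_bad = s;
        return 0;
    }
    return 1;
}

int main(void)
{
    const uint64_t bad = 0xffff8801c862f740ULL; /* "Read of size 4 at addr" */
    size_t n = sizeof(shadow_dump) / sizeof(shadow_dump[0]);
    int s = shadow_byte_for(shadow_dump, n, bad);
    int first_bad = 0;
    int ok = access_is_valid(shadow_dump, n, bad, 4, &first_bad);
    printf("shadow(%#llx) = %02x (%s), 4-byte read valid: %d\n",
           (unsigned long long)bad, s, shadow_name(s), ok);
    return 0;
}
```

Point the same two functions at any KASAN report by swapping the dump lines and the address; a result of f1/f2/f3 says the culprit is a stack local in the frame named on the first "BUG:" line, while fb/fc point you at a slab object and fe/ff at page-level memory, which changes which allocation you go looking for.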

Crashes (10353):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2017/12/24 21:31 upstream 464e1d5f23cc 73aba437 .config log report syz C
ci-upstream-kasan-gce 2017/12/09 17:56 upstream f335195adf04 5ad0ce95 .config log report syz C
ci-upstream-kasan-gce-386 2017/12/24 18:43 upstream 464e1d5f23cc 73aba437 .config log report syz C
ci-upstream-kasan-gce-386 2017/12/09 11:54 upstream f335195adf04 5ad0ce95 .config log report syz C
ci-upstream-kasan-gce-386 2017/11/22 18:18 net-next 0c86a6bd85ff ddf7b3e0 .config log report syz C
ci-upstream-net-kasan-gce 2017/12/24 16:00 net-next fba961ab29e5 73aba437 .config log report syz C
ci-upstream-net-kasan-gce 2017/12/09 11:47 net-next 5e54b3c12027 5ad0ce95 .config log report syz C
ci-upstream-net-kasan-gce 2017/11/22 16:04 net-next 0c86a6bd85ff ddf7b3e0 .config log report syz C
ci-upstream-next-kasan-gce 2017/11/22 20:20 linux-next 1efc584c7106 31af2ce0 .config log report syz C
ci-upstream-mmots-kasan-gce 2017/11/22 17:26 mmots 1ea8d039f9ed deb5f6ae .config log report syz C
ci-upstream-net-kasan-gce 2017/11/22 16:22 net-next 0c86a6bd85ff ddf7b3e0 .config log report syz
ci-upstream-kasan-gce 2018/01/15 07:29 upstream 9443c168505d 66d492a6 .config log report
ci-upstream-kasan-gce 2018/01/14 04:54 upstream 2c1cfa499018 c9e7aeae .config log report
ci-upstream-kasan-gce 2018/01/13 09:40 upstream c92a9a461dff 9dc808a6 .config log report
ci-upstream-kasan-gce 2018/01/12 16:47 upstream 1545dec46db3 9dc808a6 .config log report
ci-upstream-kasan-gce 2018/01/12 06:42 upstream 1545dec46db3 9dc808a6 .config log report
ci-upstream-kasan-gce-386 2018/01/12 05:22 upstream 1545dec46db3 9dc808a6 .config log report
ci-upstream-net-kasan-gce 2018/01/24 05:56 net-next 43df215d99e6 a5b7566c .config log report
ci-upstream-net-kasan-gce 2018/01/26 23:30 net-next 6bb46bc57c8e 1d18b112 .config log report
ci-upstream-net-kasan-gce 2018/01/15 12:53 net-next 564737f981fb 66d492a6 .config log report
ci-upstream-net-kasan-gce 2018/01/15 01:24 net-next 1988c7957881 66d492a6 .config log report
ci-upstream-net-kasan-gce 2018/01/14 22:39 net-next 1988c7957881 66d492a6 .config log report
ci-upstream-net-kasan-gce 2018/01/14 16:23 net-next 6bd39bc3da0f 66d492a6 .config log report
ci-upstream-net-kasan-gce 2018/01/14 14:32 net-next 6bd39bc3da0f c9e7aeae .config log report
ci-upstream-net-kasan-gce 2018/01/14 08:04 net-next 6bd39bc3da0f c9e7aeae .config log report
ci-upstream-net-kasan-gce 2018/01/14 03:11 net-next 6bd39bc3da0f c9e7aeae .config log report
ci-upstream-net-kasan-gce 2018/01/13 22:05 net-next 6bd39bc3da0f c9e7aeae .config log report
ci-upstream-net-kasan-gce 2018/01/13 17:08 net-next 6bd39bc3da0f c9e7aeae .config log report
ci-upstream-net-kasan-gce 2018/01/13 13:35 net-next 6bd39bc3da0f c9e7aeae .config log report
ci-upstream-net-kasan-gce 2018/01/13 07:11 net-next 6bd39bc3da0f 9dc808a6 .config log report
ci-upstream-net-kasan-gce 2018/01/13 05:39 net-next 6bd39bc3da0f 9dc808a6 .config log report
ci-upstream-net-kasan-gce 2018/01/12 08:33 net-next 8c2e6c904fd8 9dc808a6 .config log report
ci-upstream-net-kasan-gce 2018/01/11 20:38 net-next c5e62a24278a 9dc808a6 .config log report
ci-upstream-net-kasan-gce 2018/01/11 18:36 net-next c5e62a24278a 9dc808a6 .config log report
ci-upstream-net-kasan-gce 2018/01/11 11:29 net-next c5e62a24278a 9dc808a6 .config log report
ci-upstream-net-kasan-gce 2018/01/11 00:41 net-next e2b3b35eb989 02a19b64 .config log report
ci-upstream-net-kasan-gce 2018/01/10 22:50 net-next e2b3b35eb989 02a19b64 .config log report
ci-upstream-net-kasan-gce 2018/01/10 21:44 net-next e2b3b35eb989 02a19b64 .config log report
ci-upstream-next-kasan-gce 2018/01/15 19:18 linux-next b625c1ff8227 66d492a6 .config log report
ci-upstream-mmots-kasan-gce 2018/01/15 10:12 mmots ce3c209f6733 66d492a6 .config log report
ci-upstream-mmots-kasan-gce 2018/01/14 17:30 mmots ce3c209f6733 66d492a6 .config log report
ci-upstream-mmots-kasan-gce 2018/01/14 11:30 mmots ce3c209f6733 c9e7aeae .config log report
ci-upstream-next-kasan-gce 2018/01/14 09:31 linux-next 3e53c7415294 c9e7aeae .config log report
ci-upstream-mmots-kasan-gce 2018/01/14 00:19 mmots ce3c209f6733 c9e7aeae .config log report
ci-upstream-mmots-kasan-gce 2018/01/13 02:26 mmots ce3c209f6733 9dc808a6 .config log report
ci-upstream-mmots-kasan-gce 2018/01/12 10:17 mmots 2c405fa05106 9dc808a6 .config log report
ci-upstream-mmots-kasan-gce 2018/01/12 03:15 mmots 2c405fa05106 9dc808a6 .config log report
ci-upstream-next-kasan-gce 2018/01/12 01:35 linux-next 8418f8876404 9dc808a6 .config log report
ci-upstream-mmots-kasan-gce 2018/01/11 23:29 mmots 4147d50978df 9dc808a6 .config log report
ci-upstream-next-kasan-gce 2018/01/11 16:27 linux-next 8418f8876404 9dc808a6 .config log report
ci-upstream-next-kasan-gce 2018/01/11 15:13 linux-next 8418f8876404 9dc808a6 .config log report
* Struck through repros no longer work on HEAD.