syzbot


KASAN: slab-out-of-bounds Write in decode_data

Status: fixed on 2021/11/10 00:50
Subsystems: hams
[Documentation on labels]
Reported-by: syzbot+fc8cd9a673d4577fb2e4@syzkaller.appspotmail.com
Fix commit: 19d1532a1876 net: 6pack: fix slab-out-of-bounds in decode_data
First crash: 1802d, last: 1647d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING: ODEBUG bug in corrupted (log)
Repro: C syz .config
  
Fix bisection: failed (error log, bisect log)
  
Duplicate bugs (1)
duplicates (1):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
UBSAN: array-index-out-of-bounds in decode_data hams syz unreliable 2 1215d 1388d 0/28 closed as dup on 2021/07/19 20:22
Discussions (9)
Title Replies (including bot) Last reply
[PATCH 5.13 000/127] 5.13.13-rc1 review 143 (143) 2021/09/02 13:39
[PATCH 5.10 00/98] 5.10.61-rc1 review 114 (114) 2021/08/26 12:54
[PATCH 4.4 00/31] 4.4.282-rc1 review 38 (38) 2021/08/26 12:31
[PATCH 4.14 00/64] 4.14.245-rc1 review 68 (68) 2021/08/26 01:01
[PATCH 4.19 00/84] 4.19.205-rc1 review 91 (91) 2021/08/26 01:01
[PATCH 4.9 00/43] 4.9.281-rc1 review 47 (47) 2021/08/25 22:37
[PATCH 5.4 00/61] 5.4.143-rc1 review 67 (67) 2021/08/25 22:36
[PATCH] net: 6pack: fix slab-out-of-bounds in decode_data 10 (10) 2021/08/16 10:10
KASAN: slab-out-of-bounds Write in decode_data 0 (1) 2019/12/05 06:35
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: slab-out-of-bounds Write in decode_data C done 1 1175d 1722d 1/1 fixed on 2021/09/22 10:07
linux-4.14 KASAN: slab-out-of-bounds Write in decode_data C inconclusive 2 1633d 1723d 0/1 upstream: reported C repro on 2020/02/22 08:09
Last patch testing requests (4)
Created Duration User Patch Repo Result
2021/07/19 20:20 16m paskripkin@gmail.com patch upstream OK
2021/04/24 00:14 10m alaaemadhossney.ae@gmail.com upstream report log
2021/04/15 14:08 9m alaaemadhossney.ae@gmail.com upstream report log
2020/10/11 21:05 10m anant.thazhemadam@gmail.com upstream report log
Fix bisection attempts (4)
Created Duration User Patch Repo Result
2020/06/07 13:10 0m (2) bisect fix upstream error job log
2020/05/08 12:42 27m bisect fix upstream OK (0) job log log
2020/04/08 11:11 19m bisect fix upstream OK (0) job log log
2020/01/26 11:28 20m bisect fix upstream OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in decode_data.part.0+0x23b/0x270 drivers/net/hamradio/6pack.c:843
Write of size 1 at addr ffff888087c5544e by task kworker/u4:0/7

CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound flush_to_ldisc
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/generic_report.c:137
 decode_data.part.0+0x23b/0x270 drivers/net/hamradio/6pack.c:843
 decode_data drivers/net/hamradio/6pack.c:965 [inline]
 sixpack_decode drivers/net/hamradio/6pack.c:968 [inline]
 sixpack_receive_buf drivers/net/hamradio/6pack.c:458 [inline]
 sixpack_receive_buf+0xde4/0x1420 drivers/net/hamradio/6pack.c:435
 tty_ldisc_receive_buf+0x15f/0x1c0 drivers/tty/tty_buffer.c:465
 tty_port_default_receive_buf+0x7d/0xb0 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:481 [inline]
 flush_to_ldisc+0x222/0x390 drivers/tty/tty_buffer.c:533
 process_one_work+0xa05/0x17a0 kernel/workqueue.c:2264
 worker_thread+0x98/0xe40 kernel/workqueue.c:2410
 kthread+0x361/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 10835:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:515 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
 __do_kmalloc_node mm/slab.c:3616 [inline]
 __kmalloc_node+0x4e/0x70 mm/slab.c:3623
 kmalloc_node include/linux/slab.h:578 [inline]
 kvmalloc_node+0x68/0x100 mm/util.c:574
 kvmalloc include/linux/mm.h:645 [inline]
 kvzalloc include/linux/mm.h:653 [inline]
 alloc_netdev_mqs+0x98/0xe40 net/core/dev.c:9785
 sixpack_open+0x104/0xaaf drivers/net/hamradio/6pack.c:563
 tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:464
 tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:591
 tiocsetd drivers/tty/tty_io.c:2337 [inline]
 tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x123/0x180 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 10612:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3757
 tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_number_perm+0x1dd/0x520 security/tomoyo/file.c:723
 tomoyo_file_ioctl+0x23/0x30 security/tomoyo/tomoyo.c:335
 security_file_ioctl+0x77/0xc0 security/security.c:1441
 ksys_ioctl+0x56/0x180 fs/ioctl.c:757
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888087c54000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1102 bytes to the right of
 4096-byte region [ffff888087c54000, ffff888087c55000)
The buggy address belongs to the page:
page:ffffea00021f1500 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea0002515008 ffffea00025e1708 ffff8880aa402000
raw: 0000000000000000 ffff888087c54000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888087c55300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888087c55380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888087c55400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff888087c55480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888087c55500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/02/27 14:36 upstream f8788d86ab28 59b57593 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/26 17:43 upstream f8788d86ab28 59b57593 .config console log report syz C ci-upstream-kasan-gce-root
2019/12/07 02:42 upstream 7ada90eb9c7a 85f26751 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/12/04 23:27 upstream 63de37476ebd b2088328 .config console log report syz C ci-upstream-kasan-gce-root
2020/03/09 11:11 linux-next 770fbb32d34e 2e9971bb .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/12/19 02:00 linux-next b9c5ef25038d 79b211f7 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/12/04 22:44 upstream 63de37476ebd b2088328 .config console log report ci-upstream-kasan-gce-root
* Struck through repros no longer work on HEAD.