Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|
UBSAN: array-index-out-of-bounds in decode_data hams | syz | unreliable | 2 | 1215d | 1388d | 0/28 | closed as dup on 2021/07/19 20:22 |
syzbot |
sign-in | mailing list | source | docs |
Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|
UBSAN: array-index-out-of-bounds in decode_data hams | syz | unreliable | 2 | 1215d | 1388d | 0/28 | closed as dup on 2021/07/19 20:22 |
Title | Replies (including bot) | Last reply |
---|---|---|
[PATCH 5.13 000/127] 5.13.13-rc1 review | 143 (143) | 2021/09/02 13:39 |
[PATCH 5.10 00/98] 5.10.61-rc1 review | 114 (114) | 2021/08/26 12:54 |
[PATCH 4.4 00/31] 4.4.282-rc1 review | 38 (38) | 2021/08/26 12:31 |
[PATCH 4.14 00/64] 4.14.245-rc1 review | 68 (68) | 2021/08/26 01:01 |
[PATCH 4.19 00/84] 4.19.205-rc1 review | 91 (91) | 2021/08/26 01:01 |
[PATCH 4.9 00/43] 4.9.281-rc1 review | 47 (47) | 2021/08/25 22:37 |
[PATCH 5.4 00/61] 5.4.143-rc1 review | 67 (67) | 2021/08/25 22:36 |
[PATCH] net: 6pack: fix slab-out-of-bounds in decode_data | 10 (10) | 2021/08/16 10:10 |
KASAN: slab-out-of-bounds Write in decode_data | 0 (1) | 2019/12/05 06:35 |
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|---|
linux-4.19 | KASAN: slab-out-of-bounds Write in decode_data | C | done | 1 | 1175d | 1722d | 1/1 | fixed on 2021/09/22 10:07 | |
linux-4.14 | KASAN: slab-out-of-bounds Write in decode_data | C | inconclusive | 2 | 1633d | 1723d | 0/1 | upstream: reported C repro on 2020/02/22 08:09 |
Created | Duration | User | Patch | Repo | Result |
---|---|---|---|---|---|
2021/07/19 20:20 | 16m | paskripkin@gmail.com | patch | upstream | OK |
2021/04/24 00:14 | 10m | alaaemadhossney.ae@gmail.com | upstream | report log | |
2021/04/15 14:08 | 9m | alaaemadhossney.ae@gmail.com | upstream | report log | |
2020/10/11 21:05 | 10m | anant.thazhemadam@gmail.com | upstream | report log |
================================================================== BUG: KASAN: slab-out-of-bounds in decode_data.part.0+0x23b/0x270 drivers/net/hamradio/6pack.c:843 Write of size 1 at addr ffff888087c5544e by task kworker/u4:0/7 CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.6.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound flush_to_ldisc Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:641 __asan_report_store1_noabort+0x17/0x20 mm/kasan/generic_report.c:137 decode_data.part.0+0x23b/0x270 drivers/net/hamradio/6pack.c:843 decode_data drivers/net/hamradio/6pack.c:965 [inline] sixpack_decode drivers/net/hamradio/6pack.c:968 [inline] sixpack_receive_buf drivers/net/hamradio/6pack.c:458 [inline] sixpack_receive_buf+0xde4/0x1420 drivers/net/hamradio/6pack.c:435 tty_ldisc_receive_buf+0x15f/0x1c0 drivers/tty/tty_buffer.c:465 tty_port_default_receive_buf+0x7d/0xb0 drivers/tty/tty_port.c:38 receive_buf drivers/tty/tty_buffer.c:481 [inline] flush_to_ldisc+0x222/0x390 drivers/tty/tty_buffer.c:533 process_one_work+0xa05/0x17a0 kernel/workqueue.c:2264 worker_thread+0x98/0xe40 kernel/workqueue.c:2410 kthread+0x361/0x430 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 10835: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc mm/kasan/common.c:515 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 __do_kmalloc_node mm/slab.c:3616 [inline] __kmalloc_node+0x4e/0x70 mm/slab.c:3623 kmalloc_node include/linux/slab.h:578 [inline] kvmalloc_node+0x68/0x100 mm/util.c:574 kvmalloc include/linux/mm.h:645 [inline] kvzalloc include/linux/mm.h:653 [inline] alloc_netdev_mqs+0x98/0xe40 net/core/dev.c:9785 sixpack_open+0x104/0xaaf drivers/net/hamradio/6pack.c:563 tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:464 tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:591 tiocsetd drivers/tty/tty_io.c:2337 [inline] tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597 vfs_ioctl fs/ioctl.c:47 [inline] ksys_ioctl+0x123/0x180 fs/ioctl.c:763 __do_sys_ioctl fs/ioctl.c:772 [inline] __se_sys_ioctl fs/ioctl.c:770 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 10612: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:337 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:476 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 __cache_free mm/slab.c:3426 [inline] kfree+0x10a/0x2c0 mm/slab.c:3757 tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_number_perm+0x1dd/0x520 security/tomoyo/file.c:723 tomoyo_file_ioctl+0x23/0x30 security/tomoyo/tomoyo.c:335 security_file_ioctl+0x77/0xc0 security/security.c:1441 ksys_ioctl+0x56/0x180 fs/ioctl.c:757 __do_sys_ioctl fs/ioctl.c:772 [inline] __se_sys_ioctl fs/ioctl.c:770 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff888087c54000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 1102 bytes to the right of 4096-byte region [ffff888087c54000, ffff888087c55000) The buggy address belongs to the page: page:ffffea00021f1500 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0 flags: 0xfffe0000010200(slab|head) raw: 00fffe0000010200 ffffea0002515008 ffffea00025e1708 ffff8880aa402000 raw: 0000000000000000 ffff888087c54000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888087c55300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888087c55380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888087c55400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888087c55480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888087c55500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2020/02/27 14:36 | upstream | f8788d86ab28 | 59b57593 | .config | console log | report | syz | C | ci-upstream-kasan-gce-selinux-root | |||
2020/02/26 17:43 | upstream | f8788d86ab28 | 59b57593 | .config | console log | report | syz | C | ci-upstream-kasan-gce-root | |||
2019/12/07 02:42 | upstream | 7ada90eb9c7a | 85f26751 | .config | console log | report | syz | C | ci-upstream-kasan-gce-selinux-root | |||
2019/12/04 23:27 | upstream | 63de37476ebd | b2088328 | .config | console log | report | syz | C | ci-upstream-kasan-gce-root | |||
2020/03/09 11:11 | linux-next | 770fbb32d34e | 2e9971bb | .config | console log | report | syz | C | ci-upstream-linux-next-kasan-gce-root | |||
2019/12/19 02:00 | linux-next | b9c5ef25038d | 79b211f7 | .config | console log | report | syz | C | ci-upstream-linux-next-kasan-gce-root | |||
2019/12/04 22:44 | upstream | 63de37476ebd | b2088328 | .config | console log | report | ci-upstream-kasan-gce-root |